ICO’s guidance on cookie consent and the PECR

You may have come across many explanations and descriptions of the Privacy and Electronic Communications Regulation (PECR) and cookie consent.

Every organization operating within the European Economic Area (EEA) is legally obliged to obtain consent for the use of cookies and similar technologies.

This obligation is established under the ePrivacy Directive, which was implemented in the UK by the Privacy and Electronic Communications Regulation (PECR).

A PECR audit covers the information requirements of cookies.

Additionally, cookies are related to the processing of personal data.

The General Data Protection Regulation (GDPR) applies to every organisation based in the EEA, and to non-EEA organisations that process EEA citizens’ data, provide them with various services or monitor their behaviour.

Preventing the EU from updating the ePrivacy Directive as anticipated. However, the most important revision to the cookie law has been made. With the implementation of the GDPR, the PECR’s definition of “consent” has been expanded.

This suggests that consent should be freely given, informed, and precise, regardless of whether it is granted under PECR or the GDPR.

Now, PECR cookie consent is almost like GDPR cookie consent.

However, the updated definition of consent has brought many compliance-related issues for businesses.

The development

Guidance published by the Information Commissioner’s Office (ICO).

The guidance has stressed how important consent is under both the Privacy and Electronic Communications Regulation (PECR) and the General Data Protection Regulation (GDPR), because both pieces of legislation focus on the appropriate lawful basis for the use of cookies, which includes the processing of personal data.

“There are innumerable issues in current market practices. Nevertheless, it is unlikely to always come up with rational compliance suggestions and provide an answer to every question.”

For companies, carrying out an audit by implementing this guidance is vital, because it allows the necessary changes to be made.

The ICO’s message is: “start working towards compliance now – undertake a cookie audit, document your decisions and you will have nothing to fear”.

Key points under guidance

Key points mentioned in the guidance:

  • There is no way to infer consent to cookies.
  • Analytics cookies are not necessary and require consent under PECR.
  • You cannot utilize cookie walls until you have received authorization where it is necessary.
  • For consent under PECR, you cannot rely on legitimate interests as a lawful basis under the GDPR for non-essential cookies that involve the processing of personal data.
  • Cookie compliance will be a priority for the ICO, but any action will be proportionate to the failure.
  • The advice for organizations is: “Start working towards compliance immediately. Do a cookie audit, document your decisions, and you will have nothing to fear.”

PECR takes precedence over GDPR, so we must discuss the PECR first. If the setting of cookies includes personal data processing, you must comply with the GDPR’s additional requirements. On the other hand, PECR is applicable where storage or access to information on a user’s device includes personal data processing. The GDPR and especially PECR cookie consent are significant because where cookie rules don’t apply, compliance with GDPR is compulsory.

Cookie consent and the lawful basis

Personal data requires consent.

“Regulators including the ICO have previously stated that, however, you will need to consider the specifics very carefully, particularly if the envisaged processing includes sharing data with third parties”. “In certain cases, the processing of personal data that follows or depends on the setting of cookies is highly likely to require consent as its lawful basis.”

This is not mainly because the personal data originates from the use of cookies but because of the nature, scope, context, and purposes of the processing operations themselves.

Frequently Asked Questions About PECR cookie consent (FAQs)

1) What does consent to cookies mean?

The Cookie Law under the General Data Protection Regulation (GDPR) states that every user must provide informed consent. So, you should provide details on how and why you use cookies. It is important to give your visitors the opportunity to provide, withdraw or refuse consent at any time.

2) What is the Privacy and Electronic Communications Regulation (PECR)? 

Under the Privacy and Electronic Communications Regulation (PECR), it is unlawful to transmit an automated recorded message for direct marketing purposes via a telephone, without the prior consent of the user.

3) When did PECR come into force?

In 2003, the Privacy and Electronic Communications Regulation (PECR) went into effect. Since then, it has undergone changes.