What are the requirements for cookies under the PECR?

What is the PECR? What are the requirements for cookies under the PECR?

The Privacy and Electronic Communications Regulations (PECR) set out rules on the use of cookies and similar technologies for gathering information and accessing information already stored on an individual’s device, equipment or computer.

Fundamentally, cookies are small pieces of information, containing numbers and letters, provided by an online service when a user visits it for the first time. There are multiple cookies, used in various ways. They are useful because they allow a website to recognise a user’s device. Cookies are used to run a website more efficiently and to provide information to the site owners.

Without cookies, websites have no way to ‘remember’ anything about visitors, such as whether a user has logged in or how many items are in his or her shopping cart.

What are cookies and similar technologies?

Even without cookies, similar functions can be achieved in other ways, for instance by using different characteristics to recognise a device, so that every visit by the user can be analysed.


PECR is applicable to every technology that stores or accesses information on a user’s device. This includes HTML5 local storage, Local Shared Objects and fingerprinting techniques. The majority of electronic marketing is controlled by Regulation 22 under the PECR. Regulation 6 under the PECR, on the other hand, applies to tracking pixels or other means of gaining access to information on a user’s device.

Using cookies and similar technologies is not prohibited by PECR. It does, however, require you to inform people about cookies and about the way information is stored on their devices.

Cookies are not referred to by name under the PECR, but Regulation 6 states:

(1) A person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph two are met.

(2) The requirements are that the subscriber or user of that terminal equipment:

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.

This means that to use cookies you should state what types of cookies are set and what these cookies will do, and obtain consent for storing cookies on devices.

As previously stated, PECR also applies to similar technologies such as fingerprinting techniques. Similarly, unless an exemption applies, any use of digital fingerprinting requires clear and comprehensive information.

From whom must we seek consent?

Under the PECR, consent must be obtained from a user or the subscriber (the subscriber being the person who pays the bill for use of the line). In most cases, the user and subscriber will be the same person. However, this is not always the case. The PECR does not specify whether the user’s or the subscriber’s wishes should take priority if the individuals have different preferences. The fact that PECR also addresses a subscriber’s ability to make decisions in this area, such as around browser settings, might suggest the subscriber’s preferences take priority, although this will not always be the case.

The PECR covers browser settings and states that a subscriber is capable of making decisions on a user’s behalf, though there are circumstances in which a user’s wish should take priority. If users complain that your website is setting cookies without their consent, you can demonstrate your compliance with the PECR through the consent you recently received from the subscriber. To avoid such problems, you must provide users with information about cookies and with mechanisms by which they can make choices.

Frequently Asked Questions (FAQs)

1) Are cookies personal information?

Personal information is information that can make a person identifiable. Not all information collected by cookies can identify the individuals who use a website. However, websites that use cookies are required to have a cookie consent pop-up on their site.

2) Do I need a cookie policy if I don’t use cookies?

It is not compulsory to demonstrate any lawful basis for setting cookies. But as cookie use is undeniable, you must mention in your privacy policy all the cookies which your website uses.

3) Why do sites have cookie warnings?

It helps advertisers to create a basic personal profile about you, even if you haven’t logged into any website. Advertisers show you ads for things which they think you will like to buy. A cookie file from a browser can make you see the tracking tags from advertisers in the text.