Cookies

The basic rule here is that you must:

  • tell people if you set cookies
  • explain what the cookies do and why
  • get the person’s consent to store a cookie on their device.

There are exemptions if:

  • the cookie is for the sole purpose of carrying out the transmission of a communication over an electronic network; or
  • the cookie is strictly necessary to provide a service over the internet requested by the subscriber or user.  Beware of this one! Your perception of ‘necessary’ and what is ‘technically necessary for the function to work’ are not the same.  Cookies that are helpful or convenient, or that you deem necessary or essential for your own purposes, will still require consent.

Additionally, you are unlikely to need consent for:

  • cookies used to remember the goods a user wishes to buy when they add goods to their online basket, or proceed to checkout
  • session cookies providing security that is essential to comply with data protection security requirements for an online service that the user has requested (online banking services); or
  • load-balancing cookies that ensure the content of pages load quickly and effectively by distributing the workload across several computers.

Remember the GDPR requirement that the information should be clear, concise and transparent in order to be lawful, and also the Computer Misuse Act 1990 offence of gaining unauthorised access to computer material.

It’s good practice to provide users with the information about all cookies, even the ones you do not need consent for, in order for them to establish their rights under the data protection legislation.

PECR applies to all cookies, even anonymous ones.