Last updated on 01 July 2022 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
Not all cookies are necessary. Some are used for the benefit of the company operating the website, or for the benefit of third parties. These cookies include those involved in advertising, tracking and analytics.
While advertising and analytics cookies might be "necessary" from a business perspective, this does not mean they are necessary under the law. Remember that there are many ways to advertise online. Not all types of advertising involve cookies or the processing of personal data.
Even some cookies that are used to improve the functioning of a website are not necessary from a legal perspective. This sort of cookie might feel necessary to the operator of a website, but it isn't necessary from the point of view of the user, whose personal data is being processed through it.
Cookies can be necessary either for maintaining a website's functioning or providing a service to the user.
The Article 29 Working Party, a group which was set up to provide guidance on EU data protection law, considered the following types of cookies to be "necessary" under the EU's ePrivacy Directive:
Consent is not required for these sorts of "necessary" cookies.
Not all cookies require consent. You don't need to ask for consent to set cookies which are:
Where a cookie doesn't meet the criteria above, it will require consent. This includes where a cookie is used for analytics.
The ePrivacy Directive is an EU law originating from 2002. It's sometimes known as the "Cookies Directive" due to a 2009 amendment that clarified the rules around cookies.
One reason that the ePrivacy Directive is important for online advertising is that it requires website and app operators to obtain consent whenever they wish to:
This is what cookies are used for, and so as a result, they require consent (with a few exceptions, as discussed above).
The ePrivacy Directive also regulates direct marketing via email, phone, fax, and SMS. It fulfills some of the same functions as anti-spam legislation like CAN-SPAM in the United States. Therefore, it's a very important law for businesses operating in the EU.
The EU is currently (as of September 2019) in the process of creating the ePrivacy Regulation, which will replace the ePrivacy Directive. This will provide new rules on cookies.
The Privacy and Electronic Communications Regulations 2003 (PECR) is the implementing legislation for the ePrivacy Directive in the United Kingdom (UK).
What do we mean by "implementing legislation?"
The ePrivacy Directive is, as the name suggests, a directive, rather than a regulation. The difference is as follows:
This means that the ePrivacy Directive might be interpreted quite differently from one EU country to another. The PECR is the UK's version of the ePrivacy Directive.
For all intents and purposes, the PECR is not all that different from the ePrivacy Directive. But it is amended regularly, and the latest version took effect in January 2019.
This latest PECR amendment banned "cold calling" from certain types of companies and introduced legal liability for directors of companies that breach the rules on marketing.
It's important for any company engaged in electronic marketing in the UK to be familiar with the PECR.
Somewhat confusingly, an important EU regulation called the General Data Protection Regulation (GDPR) also has implementing legislation, despite being a regulation. This is because the final version of the GDPR left EU countries with some discretion over how to interpret certain parts of the law. The UK's implementing legislation for the GDPR is called the Data Protection Act 2018.
Yes, the GDPR applies to cookies. The ePrivacy Directive sets the "ground rules" when it comes to cookies, i.e. that certain cookies require consent. The GDPR sets the standard of consent. It regulates how you must ask for consent.
The standard of consent under the GDPR is very high - higher than under any other major privacy or data protection law, and higher than under the EU's previous data protection law, the Data Protection Directive.
Article 4 of the GDPR defines consent as:
"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"
So, to be valid under the GDPR, consent must be:
This adds up to a requirement that consent for cookies can't be assumed ("opt-out"). Consent must be earned via a mechanism that informs the user about the implications of giving consent and requires them to take affirmative action to indicate that they consent.
A "cookie banner," when correctly executed, can achieve this.
Yes, cookies (or at least, some cookies) are considered personal data under the GDPR.
The GDPR only actually mentions cookies once. But EU law has clearly determined that cookies can be used to identify individuals. Therefore, any cookies that could theoretically be used to identify a person should be treated as personal data.
It might sound a little tenuous to say that cookies could be used to identify a specific person. But cookies can be used to track a person's internet activity, including their purchases, searches, and certain social media activity.
This is highly personal information, and if combined with other data it could easily reveal a person's identity.
Cookie consent is the expression of a person's permission for a website or app to place cookies on their device.
Cookies can be used to collect information about a person's internet activity. This information can be used to deliver personalized advertising. These are known as "tracking" or "behavioral advertising" cookies.
Such cookies can interfere with a person's privacy. This is why in certain places, such as the European Union (EU), it is necessary to ask for consent before your website places them. But even beyond the EU, this can be necessary.
A cookie banner is a method that many websites use to request a user's consent for cookies.
Here's an example from Fonetti:
Here's a good example of a cookie banner from the BBC:
When opting to reject cookies on the BBC's website, users are taken to a page offering the following options:
The backend function of a cookie banner is also important.
A cookie banner that appears to request consent is functionally pointless for the user if the non-essential cookies have already been set, or the tracking scripts already loaded, by the time the banner is displayed. Part of the purpose of a cookie banner should therefore be to act as a gate: non-essential cookies are set, and tracking scripts loaded, only once the user's consent has been confirmed, and a rejection is honoured on later page loads rather than asked for again on every visit.
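The gating logic described above, as an added example rather than code from TermsFeed or from either site shown: non-essential cookies and tracking scripts are queued until the user clicks "Accept", discarded on "Reject", and the user's choice is recorded in a first-party cookie so a returning visitor is not asked again. The cookie name `cookie_consent`, the consent version number, the category names and the tracker URL are all assumptions for illustration.

```javascript
// Consent gate that defers non-essential cookies and tracking scripts until the
// user has actively consented. Added example, not TermsFeed's code; the cookie
// name, the consent version and the category names are illustrative.

const CONSENT_COOKIE = 'cookie_consent'; // first-party cookie recording the user's choice
const CONSENT_VERSION = 1;               // bump when the cookie policy changes to re-ask everyone

// Categories exempt from consent (strictly necessary). Everything else is gated.
const ESSENTIAL = new Set(['session', 'csrf', 'load-balancer']);

// Returns 'granted' | 'rejected' | null. A missing, malformed or outdated
// record counts as "no decision", so the banner is shown again.
function parseConsent(raw) {
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    if (rec.version !== CONSENT_VERSION) return null;
    return rec.choice === 'granted' || rec.choice === 'rejected' ? rec.choice : null;
  } catch {
    return null;
  }
}

// env supplies the side effects so the same gate runs in a browser or a test:
//   env.getCookie(name) -> string|null
//   env.setCookie(name, value, { maxAge, secure })
//   env.loadScript(src)
function createConsentGate(env) {
  let state = parseConsent(env.getCookie(CONSENT_COOKIE));
  const pending = []; // non-essential work queued while the banner is open

  function record(choice) {
    state = choice;
    // The consent record itself is strictly necessary, so it may be set without consent.
    env.setCookie(
      CONSENT_COOKIE,
      JSON.stringify({ choice, version: CONSENT_VERSION, at: new Date().toISOString() }),
      { maxAge: 180 * 24 * 3600, secure: true },
    );
  }

  // Runs `run` now for essential categories or after consent; queues it while
  // the user has not decided; drops it once the user has rejected.
  function gate(category, run) {
    if (ESSENTIAL.has(category) || state === 'granted') { run(); return 'allowed'; }
    if (state === 'rejected') return 'blocked';
    pending.push(run);
    return 'deferred';
  }

  return {
    needsBanner: () => state === null,
    state: () => state,
    // e.g. gate.setCookie('_ga', 'GA1.2.123', 'analytics')
    setCookie: (name, value, category, opts = {}) =>
      gate(category, () => env.setCookie(name, value, opts)),
    // e.g. gate.loadTracker('https://example.invalid/tracker.js', 'advertising')
    loadTracker: (src, category) => gate(category, () => env.loadScript(src)),
    // Wire these two to the banner's buttons.
    grant() { record('granted'); pending.splice(0).forEach((run) => run()); },
    reject() { record('rejected'); pending.length = 0; },
  };
}

// Browser adapter over document.cookie. Defined only; nothing here runs outside a browser.
function browserEnv() {
  return {
    getCookie(name) {
      const hit = document.cookie.split('; ').find((c) => c.startsWith(name + '='));
      return hit ? decodeURIComponent(hit.slice(name.length + 1)) : null;
    },
    setCookie(name, value, opts = {}) {
      let s = `${name}=${encodeURIComponent(value)}; Path=/; SameSite=Lax`;
      if (opts.maxAge != null) s += `; Max-Age=${opts.maxAge}`;
      if (opts.secure) s += '; Secure';
      document.cookie = s;
    },
    loadScript(src) {
      const el = document.createElement('script');
      el.src = src;
      el.async = true;
      document.head.appendChild(el);
    },
  };
}

// In-memory adapter used to exercise the gate without a browser (constructed test double).
function memoryEnv(initial = {}) {
  const jar = new Map(Object.entries(initial));
  const scripts = [];
  return {
    jar, scripts,
    getCookie: (name) => (jar.has(name) ? jar.get(name) : null),
    setCookie: (name, value) => { jar.set(name, value); },
    loadScript: (src) => { scripts.push(src); },
  };
}
```

In a real page you would call `createConsentGate(browserEnv())` before any analytics or advertising tag is included, and route every non-essential `document.cookie` write and script tag through `setCookie` / `loadTracker`; a tag included directly in the HTML bypasses the gate and is exactly the "set by default" failure the paragraph above describes. Bumping `CONSENT_VERSION` invalidates old consent records, which is one way to re-ask users when the cookie policy changes.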
The ICO is the Information Commissioner's Office, which is the UK's Data Protection Authority (DPA). Other DPAs exist in each EU country.
The ICO is responsible for enforcing data protection and privacy law in the UK. This includes the Data Protection Act 2018 (the UK's implementation of the GDPR) and the Privacy and Electronic Communications Regulations 2003 (the UK's implementation of the ePrivacy Directive).
If a person believes that a business (or any other organization or person) has violated data protection or privacy law, they can report that organization to the ICO. The ICO can then investigate the alleged violation and enforce penalties where appropriate.
These penalties vary depending on which law has been violated. But if a company violates the Data Protection Act 2018 (or the GDPR as implemented in any other EU country), the maximum penalty is a fine of €20 million or 4 percent of its total worldwide annual turnover for the preceding financial year (whichever is greater).
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.