What are cookies?

No, this blog is not about the delicious biscuits many of us will have been attempting to bake during the lockdown. Put simply, in an IT context, cookies are small text files containing small amounts of information that are downloaded or ‘implanted’ onto a user's device (e.g. a computer, a tablet, a smartphone, or other smart devices) when a user visits a website.

What are cookies used for?

Almost all websites and mobile apps will use cookies to recognise a user’s device and information about the user’s previous visits to those websites or mobile apps. In some cases, this can tailor what you see on your screen if you have visited that website or mobile app before.

There are a number of different types and categories of cookies. They range from strictly necessary cookies (which allow a website to operate) to targeting or advertising cookies (which record user visits to a website, pages visited and links followed from that website). They are often used by companies to monitor consumer behaviour and trends and to personalise the user experience, making it smoother and more tailored to that individual.

The good…

Cookies can:

  • allow websites to operate fully for user experience and viewing;
  • support user log in to separate areas of websites;
  • record individual preferences for page layouts or page colour schemes;
  • remember what has been added to your online shopping basket.

The bad…

The use of cookies has often generated controversy.

There is a link between the use of cookies and data protection concerns. Although cookies cannot be used alone to identify individuals, they may be linked directly or indirectly to an individual when combined with other information, such as their name, held by the website provider or a third party, and are therefore considered to be personal data under data protection legislation.

Third-party tracking cookies (cookies which are set by a website other than the one you are visiting) can cause security and privacy concerns, since they make it easier for parties you cannot identify to watch where you are going and what you are doing online, and can in some cases compile records of a user’s browsing history online.

The rules

If your or your company’s website uses cookies, it is essential to know what the legal requirements are to achieve legal compliance concerning the use of cookies. The Privacy and Electronic Communications Regulations (PECR) cover the use of cookies for storing information and accessing such stored information on a user’s device. A large portion of the law in this area relates to user consent and ties in with data protection law and direct marketing laws.

The Information Commissioner’s Office provides useful guidance on the use of cookies and similar technology. For further information on the use of cookies, please see our previous blog ‘Use of cookies – legal update’, which talks through the Cookie Three C’s - Consent, Clear and Comprehensive information, which users must be provided with when cookies are used.

The fines

The ICO has the ability to levy substantial fines for failure to comply with laws relating to cookies, including fines for failing to comply with the PECR of up to £500,000, and up to €20 million or 4% of total worldwide annual turnover (whichever is the higher) for failing to comply with the GDPR and the Data Protection Act 2018.

Future legislation?

On 10 January 2017, the European Commission published the draft E-Privacy Regulation, which is intended to replace the PECR. It is aimed at companies operating in the digital economy and specifies additional requirements they need to meet in relation to the processing of personal data as well as harmonising the practicalities of website operators obtaining consent from website users across EU member states.

The regulation extends the scope of PECR from traditional telecoms service providers to all electronic communications service providers, including WhatsApp, Facebook Messenger, Skype, Gmail, and iMessage. One of the key changes in relation to cookies is that third-party cookies would be blocked by default, and users would have to set their cookie options during initial set-up of software.

However, it is uncertain if the E-Privacy Regulation, which was originally intended to apply from 25 May 2018 (together with the GDPR), will make it into codified law.

There have been a number of stalled negotiations and disagreements between EU member states, with commentators not expecting the regulation to come into force before 2023, if at all. There remain a number of legal and practical uncertainties in relation to electronic communications and data privacy and protection that the regulation has yet to deal with effectively in an ever-changing digital economy.


We're here to help

If you would like any advice in relation to your cookies policy, your cookie use or compliance with the E-Privacy Directive, direct marketing legislation or the GDPR, please contact one of our lawyers on 0161 941 4000 and ask for our Corporate/Commercial Department or email us at lawyers@myerson.co.uk