Cookies are small text files which are downloaded onto devices such as computers, smart phones, and other connected devices when a website, web browser or app is accessed. They enable websites to work and can allow them to operate more effectively as well as provide information to website owners. Many organisations have been relying on implied consent and default settings switched to ‘on’ to set cookies on people’s devices. This does not comply with the strict definition of ‘consent’ in the GDPR. Organisations must have valid consent to set cookies or leave themselves open to fines.
- been provided with clear and comprehensive information about the cookie; and
- given their consent (which must meet the strict GDPR standard).
However, there are two exemptions to this rule. Read on.
PECR contains two exemptions where consent to set cookies is not required. These are where the cookie is either:
- for the sole purpose of transmitting a communication over an electronic network; or
- strictly necessary for the provision of the service requested by the subscriber or user.
The second exemption is very important but very simple. Only cookies which are essential to provide the service requested by the user are exempt eg. login cookies or those required to remember what’s in an online shopping basket. This is interpreted very narrowly and from the point of view of the user. Although an organisation may regard cookies such as analytics cookies as essential to the operation of its website, they are not essential to provide the service to the user. The service can still be provided without them, therefore they are not ‘strictly necessary’.
All other types of cookies eg. analytics, marketing and advertising cookies, are deemed non-essential cookies and must have GDPR quality consent following the provision of clear and comprehensive information before they are set on a device. The ICO has a useful tool to help determine whether consent is required for cookies.