UK Cookie Rules – PECR and GDPR

This article covers the PECR and GDPR rules around cookies on websites.

What are Website Cookies?

Cookies are small, non-physical data files that make it possible to browse the internet as we know it. When a website is visited, a cookie is sent to the browser and the file is stored for the next time that same site is visited. In some cases, a cookie expires once the browser is closed.

What Do Cookies Track?

Different cookies track different types of information. One type is the persistent cookie; without persistent cookies, every visit to a website would be treated as if the site were being visited for the first time.

Simply put, these cookies last a long time and only expire on the terms the website sets.

What Are Examples of Persistent Cookies?

Some types of persistent cookies are:

  • Tracking cookies. These cookies create long-term records of multiple visits to the same site.
  • Authentication cookies. These cookies track whether the user is logged in and, if so, under what name.

What are Session Cookies?

Session cookies are the type used while you are actively navigating a website. Once you leave the site, these cookies disappear.

Cookies are useful because they allow a website to recognise a user’s device or computer.

Are HTTP Cookies the Same?

A cookie is also known as an HTTP cookie, among several other names. It is a packet of data that a computer receives and sends back unchanged. Cookies hold and remember information such as:

  • What is left in a virtual shopping basket, such as on Amazon.
  • Login details such as usernames, helping users log in to a website.
  • Traffic analysis for a particular website.
  • The user’s browsing habits, used to form suggestions based on preferences, such as tailored advertisements.
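The distinction between session and persistent cookies above, and the point that a cookie is sent back unchanged, come down to the attributes on the Set-Cookie response header. The following is an added example (not code from the original article): it parses Set-Cookie headers, classifies each as a session or persistent cookie by the presence of Max-Age or Expires, and builds the Cookie request header a browser would send back later. All cookie names and values are constructed placeholders, and the browser model (persistent cookies survive a restart until they expire, session cookies do not) is an assumption of this example.

```javascript
// Added example (not from the original article): classify Set-Cookie headers
// as session or persistent and simulate what the browser sends back.

// Parse one Set-Cookie response header into its name, value and attributes.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';');
  const eq = pair.indexOf('=');
  if (eq < 0) throw new Error('malformed Set-Cookie header');
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  const attrs = {};
  for (const part of attrParts) {
    const [k, ...rest] = part.trim().split('=');
    if (!k) continue;
    // Flag attributes (Secure, HttpOnly) become true; valued ones keep their value.
    attrs[k.toLowerCase()] = rest.length ? rest.join('=').trim() : true;
  }
  return { name, value, attrs };
}

// A cookie is persistent when it carries Max-Age or Expires; otherwise it is a
// session cookie that disappears when the browser is closed.
function classifyCookie(parsed, receivedAt) {
  let expiresAt = null;
  if ('max-age' in parsed.attrs) {
    // Max-Age is relative to the time the cookie was received and wins over Expires.
    expiresAt = receivedAt + Number(parsed.attrs['max-age']) * 1000;
  } else if ('expires' in parsed.attrs) {
    expiresAt = Date.parse(parsed.attrs['expires']);
  }
  return { ...parsed, persistent: expiresAt !== null, expiresAt };
}

// Build the Cookie request header a browser would send back at time `now`.
// Values are echoed unchanged; expired cookies and, after a browser restart,
// session cookies are dropped.
function buildCookieHeader(cookies, now, browserRestarted) {
  return cookies
    .filter(c => (c.persistent ? c.expiresAt > now : !browserRestarted))
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed sample headers (placeholder names and values).
const RECEIVED_AT = Date.parse('2024-01-01T12:00:00Z');
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',   // session (authentication)
  'visitor_id=v-42; Max-Age=31536000; Path=/; Secure',          // persistent (tracking, one year)
  'promo=seen; Expires=Wed, 03 Jan 2024 12:00:00 GMT; Path=/',  // persistent, expires in two days
];
const SAMPLE_COOKIES = SAMPLE_HEADERS.map(h => classifyCookie(parseSetCookie(h), RECEIVED_AT));

// Same visit, after a restart, and three days later after a restart.
console.log(buildCookieHeader(SAMPLE_COOKIES, RECEIVED_AT + 1000, false));
console.log(buildCookieHeader(SAMPLE_COOKIES, RECEIVED_AT + 1000, true));
console.log(buildCookieHeader(SAMPLE_COOKIES, RECEIVED_AT + 3 * 86400 * 1000, true));
```

Running the block prints three Cookie headers: all three cookies on the same visit, only the two persistent ones after a restart, and only `visitor_id` once `promo` has expired. The parsed attributes (`Secure`, `HttpOnly`, `SameSite`) are the ones an audit would check on authentication cookies, since a session cookie that can be read by scripts or sent over plain HTTP is exposed regardless of how long it lives.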

What is PECR and GDPR?

The Privacy and Electronic Communications (EU Directive) Regulations 2003 (PECR) is the e-privacy directive that works alongside the general data protection laws. It specifically sets out users’ privacy rights in electronic communications.

With public access to digital media, devices, computers and so on, there are new risks to the public’s private data. PECR covers:

  • Marketing by electronic means: marketing calls, texts, emails and faxes.
  • The use of cookies that track information and collect data on websites.
  • The security of public electronic communication services.
  • The privacy of customers using communication networks, in regard to traffic and location data.

GDPR Compliance for UK Small Businesses

PECR and UK GDPR are two sides of the same coin working in tandem to protect electronic data.

As a small UK business, complying with both PECR and UK GDPR is essential for data protection. It is important to note that the rules are the same even if the website is not processing personal data.

PECR rules protect companies as well as individuals, and the marketing rules apply even if a person cannot be identified or contacted.

For example, under Article 95 of UK GDPR, UK GDPR does not apply to a network or service provider where there are already specific PECR rules.

This avoids repetition and means that if you are a network or service provider you only need to comply with the PECR rules on security and security breaches, traffic data, location data and so on, although there are some exemptions built into the rules.

What is GDPR Cookie Compliance?

Any website falls under the UK General Data Protection Regulation, also known as UK GDPR, which gives users control over activating the cookies and trackers that websites include to collect users’ personal data.

Under UK GDPR it is the legal responsibility of the owners and/or operators of a website to make sure the data collected is handled in compliance with data protection laws and regulations.

UK GDPR cookie compliance is a policy that informs internet users how their data is stored on any given website and what data is being stored.

UK GDPR states that data can only be stored after cookie consent is received, and stringent requirements apply to that consent.

Typically, UK GDPR cookie compliance is upheld on websites through cookie banners that let users manually choose which cookies to accept and which to deny when visiting a site.
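A banner is only meaningful if the site actually withholds cookies until consent is recorded, and clears them again when consent is withdrawn. The following is an added example (not the article's code): it keeps a register mapping each cookie name to a category, filters the Set-Cookie headers a page intends to send down to those the user's banner choices permit, blocks unregistered cookies by default so an unlisted tracker cannot slip through, and emits clearing headers for a category whose consent is later withdrawn. The register, the category names (necessary, analytics, advertising), the rule that "necessary" cookies never need opt-in, and all cookie names are assumptions of this example.

```javascript
// Added example (not from the original article): gate non-essential cookies
// behind the choices a user made in the cookie banner.

// Hypothetical cookie register: the category of each cookie the site sets.
// "necessary" cookies are always allowed in this model; the rest need an opt-in.
const COOKIE_REGISTER = {
  sessionid: 'necessary',      // keeps the user logged in
  basket: 'necessary',         // contents of the shopping basket
  analytics_id: 'analytics',   // traffic analysis
  ad_profile: 'advertising',   // tailored advertisements
};

// Consent record produced by the banner. A category the user did not tick
// counts as refused, so silence never becomes consent.
function consentFromBanner(choices) {
  return {
    necessary: true,
    analytics: Boolean(choices.analytics),
    advertising: Boolean(choices.advertising),
  };
}

// The cookie name is everything before the first '=' of the first segment.
function cookieName(setCookieHeader) {
  return setCookieHeader.split(';')[0].split('=')[0].trim();
}

// Keep only the Set-Cookie headers the consent record permits. Unregistered
// cookies are blocked (and reported) rather than allowed by default.
function filterSetCookies(headers, consent) {
  const allowed = [];
  const blocked = [];
  for (const h of headers) {
    const category = COOKIE_REGISTER[cookieName(h)];
    if (category && consent[category]) {
      allowed.push(h);
    } else {
      blocked.push({ header: h, reason: category ? `no consent for ${category}` : 'not in register' });
    }
  }
  return { allowed, blocked };
}

// When a user withdraws consent for a category, emit headers that delete the
// cookies in that category (Max-Age=0 tells the browser to remove them).
function clearingHeaders(previousConsent, newConsent) {
  return Object.entries(COOKIE_REGISTER)
    .filter(([, category]) => previousConsent[category] && !newConsent[category])
    .map(([name]) => `${name}=; Max-Age=0; Path=/`);
}

// Constructed sample: the headers a page would like to set on a first visit.
const INTENDED_SET_COOKIES = [
  'sessionid=abc123; Path=/; Secure; HttpOnly',
  'basket=item-9; Path=/; Secure',
  'analytics_id=an-77; Max-Age=63072000; Path=/',
  'ad_profile=p7; Max-Age=31536000; Path=/',
  'mystery=1; Path=/',   // not in the register: blocked until someone classifies it
];

// First visit, nothing ticked: only the two necessary cookies go out.
console.log(filterSetCookies(INTENDED_SET_COOKIES, consentFromBanner({})));
// User later turns advertising off again: one clearing header is emitted.
console.log(clearingHeaders(
  consentFromBanner({ analytics: true, advertising: true }),
  consentFromBanner({ analytics: true }),
));
```

The `blocked` list doubles as audit evidence: logging it (without the cookie values) on each page build shows which cookies were withheld and why, which is exactly what an auditor checking banner behaviour against actual Set-Cookie traffic would want to see. Treating unregistered cookies as blocked rather than allowed means a newly added third-party script fails loudly in testing instead of silently setting a tracker before consent.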

Cookie Auditing for PECR and GDPR

The ICO (the Information Commissioner’s Office) helps websites and businesses comply through audits that it can conduct.

An audit will look at the effectiveness of policies and procedures in place in a company and whether they are being followed correctly.

Audits play a key role in helping organisations understand their obligations on data protection and other areas. After an audit is completed, a comprehensive report is made available by the ICO.

Anybody who breaches the PECR rules, whether a person or a company, can face criminal prosecution and non-criminal enforcement.

The Information Commissioner can serve a monetary penalty notice imposing a fine of up to £500,000, which can be issued against the organisation and/or its directors.