It's highly likely you've come into contact with cookies within your lifetime - and no, we're not referring to the kind you dunk into tea. For every website you visit, you've likely been hit with a banner asking, "Do you accept cookies?" But what do cookies actually do, and why are they so important in the world of data protection? In this article, we break down the basics of cookies, from their legal obligations to their potential risks. 

What are cookies?

Cookies are small text files which are downloaded to a user’s device when they use the device for certain activities, such as visiting a website. 

Cookies store information about the user’s activities, their preferences and so on, which is used the next time they engage in the same activity. Cookies may be used to track a range of activities, such as browsing a website or using an app. For ease, we'll refer to the use of cookies on websites throughout this article, but you can assume that the same rules apply to other online activities.   

The use of cookies is regulated under the Privacy and Electronic Communications Regulations (PECR), and website owners are required to provide information about the cookies being used on their site. They're also required to obtain consent for the use of cookies in certain circumstances. Many businesses assume that this will be relatively straightforward however, seeking consent, and providing appropriate information can be tricky. Let's explore this further...

Do I need to use cookies? And are all cookies the same?

Pretty much every website will use cookies in some way, shape or form, and they are useful for both website owners and users alike. 

From a website owner’s perspective, they may be necessary to operate the site and can also be used to collate useful information about how the site is being used. From a user’s perspective, cookies remember their preferences and help tailor their experience. However, some people argue cookies are a little ‘big brother-ish’ and don’t like their browsing habits being tracked. 

There are various types of cookies, but there is one main distinction that is useful to be aware of. Very broadly, cookies fall into two categories – those that are "strictly necessary" to provide your service, operate your website or comply with the law (often referred to as ‘essential cookies’), and those that collect information which is not strictly necessary for any of those purposes, but that may otherwise be important or simply useful or convenient (sometimes described as ‘non-essential cookies’). 

What do I need to tell users of my site about cookies?

You’re obliged to provide "clear and comprehensive" information about your use of cookies and to obtain the user’s consent in respect of any non-essential cookies. Where cookies are essential, consent is not required, but it is still good practice to provide information about the cookies. 

In summary, you must:

• make users aware that the cookies are there;
• explain what they are doing and their purpose;
• obtain the user’s consent to store non-essential cookies on their device.

Information must also be given about cookies set by third parties, which are used by you to provide an aspect of your service – for example, cookies used by social media platforms. Third-party cookies have increasingly made headlines over the years, and their reign is expected to end soon.

Information must be easily available, and users need to be able to understand the potential consequences of permitting the use of cookies. Think about the type of user that typically accesses your site and make sure that you pitch the information in a way that's appropriate in terms of language and level of detail.  

I want to use non-essential cookies. How do I obtain consent?

PECR does not set out in detail what is required in terms of ‘consent’ for the use of non-essential cookies. However, the ICO issued guidance in 2019 which clarified that ‘GDPR-level’ consent is required, meaning that consent must be freely given, specific, informed, and unambiguous. 

Positive action is required – that is, users must pro-actively agree to the use of cookies. It is not enough to rely on the idea that if you provide information about the cookies, the user’s continued use of the site equates to deemed consent, though this was standard practice on many websites prior to the issuance of the ICO’s 2019 guidance. 

An important point to note is that non-essential cookies cannot be set on your website’s homepage before the user has had an opportunity to review the cookie's information and consent to them. You may have noticed that a lot of websites have 'cookie walls’ that ask users to consent to the use of cookies prior to permitting users through to their home page. There is an argument that this could, in fact, be a little overzealous as it effectively makes a user’s access contingent on the acceptance of the cookies which would not in itself be compliant. To ensure that consent truly has been freely given, users must be given the opportunity to either permit or disable non-essential cookies. 

Concerned about your use of cookies? Explore how our data protection experts can help.