October 21, 2022
It's highly likely you've come into contact with cookies within your lifetime - and no, we're not referring to the kind you dunk into tea. For every website you visit, you've likely been hit with a banner asking, "Do you accept cookies?" But what do cookies actually do, and why are they so important in the world of data protection? In this article, we break down the basics of cookies, from their legal obligations to their potential risks.
Cookies are small text files which are downloaded to a user’s device when they use the device for certain activities, such as visiting a website.
From a website owner’s perspective, cookies may be necessary to operate the site and can also be used to collate useful information about how the site is being used. From a user’s perspective, cookies remember their preferences and help tailor their experience. However, some people argue cookies are a little ‘big brother-ish’ and don’t like their browsing habits being tracked.
There are various types of cookies, but there is one main distinction that is useful to be aware of. Very broadly, cookies fall into two categories – those that are "strictly necessary" to provide your service, operate your website or comply with the law (often referred to as ‘essential cookies’), and those that collect information which is not strictly necessary for any of those purposes, but that may otherwise be important or simply useful or convenient (sometimes described as ‘non-essential cookies’).
In summary, you must:
Information must also be given about cookies set by third parties, which are used by you to provide an aspect of your service – for example, cookies used by social media platforms. Third-party cookies have increasingly made headlines over the years, and their reign is expected to end soon.
PECR does not set out in detail what is required in terms of ‘consent’ for the use of non-essential cookies. However, the ICO issued guidance in 2019 which clarified that ‘GDPR-level’ consent is required, meaning that consent must be freely given, specific, informed, and unambiguous.