
What is Cookie Compliance and How Does UK GDPR and PECR Apply?

What are Cookies?

This article explains cookie compliance under UK law. Cookies are small pieces of data, not physical objects, that make it possible to browse the internet as we do: when a website is visited, a cookie is sent to the browser and stored for the next time that same site is visited, or in some cases it expires once the browser is closed. Different cookies track different types of information. Persistent cookies last a long time and expire only under the terms set by the website; without them, every visit to a website would be treated as if the site were being visited for the first time. Some types of persistent cookies are:

  • Tracking cookies: These cookies create long-term records of multiple visits to the same site.
  • Authentication cookies: These types of cookies track whether the user is logged in and if so under what name.

Session cookies, by contrast, are the type most often seen while actively navigating a website; once you leave the site they disappear. Cookies are useful because they allow a website to recognise a user's device or computer. A cookie, also known as an HTTP cookie among several other names, is a packet of data that a computer receives and sends back unchanged. Cookies contain and remember information such as:

  • What has been left in a virtual shopping basket, such as on Amazon.
  • Login details such as usernames, which support users in logging in to a website.
  • Traffic analysis for a particular website.
  • Users' browsing habits, used to form suggestions based on their preferences, such as tailored advertisements.

What are PECR and UK GDPR in Relation to Cookie Compliance?

The Privacy and Electronic Communications (EU Directive) Regulations 2003 (PECR) implement the e-privacy directive and work alongside the general data protection laws, pinpointing specifically the privacy rights of users of electronic communications. With widespread public access to digital media, devices, computers and so on, there are new risks to the public's private data. PECR covers:

  • Marketing by electronic means: marketing calls, texts, emails and faxes.
  • The use of cookies that track information and collect data on websites.
  • The security of public electronic communication services.
  • The privacy of customers using communication networks, in regard to traffic and location data.

PECR and UK GDPR are two sides of the same coin, working in tandem to protect electronic data. Complying with both PECR and UK GDPR is essential for data protection, and it is important to note that the PECR rules still apply even if the website is not processing personal data. PECR rules protect companies as well as individuals, and the marketing rules apply even if a person cannot be identified or contacted. For example, under Article 95 of UK GDPR, UK GDPR does not apply to a network or service provider where there are already specific PECR rules. This avoids duplication and means that if you are a network or service provider you need only apply the PECR rules on security and security breaches, traffic data, location data and so on, although some exemptions to the rules are built in.

What is GDPR Cookie Compliance?

Any website is subject to the UK General Data Protection Regulation, also known as UK GDPR, which gives users control over the activation of the cookies and trackers that websites include to collect users' personal data. Under UK GDPR it is the legal responsibility of the owners and/or operators of the website to make sure the data that is collected is handled in compliance with data protection laws and regulations. UK GDPR cookie compliance is a policy that informs internet users what data a given website stores and how it stores it. UK GDPR states that data can only be stored after cookie consent is received, and stringent requirements apply to that consent. Typically, UK GDPR cookie compliance is upheld on websites through cookie banners that allow users to choose manually which cookies they accept and which they deny when visiting a site.
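As an added example (not code from the article or any real site), the following Python shows one way a site could tell persistent cookies from session cookies by their Set-Cookie attributes, as described above, and withhold non-essential cookies until the visitor has consented to their purpose; the cookie names, the purpose register and the sample headers are constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumed cookie-name-to-purpose register (a real site keeps its own);
# names not listed are treated as non-essential and withheld (fail closed).
PURPOSES = {
    "session_id": "strictly_necessary",
    "basket": "functional",     # items left in a shopping basket
    "_analytics": "analytics",  # traffic analysis
    "ad_id": "advertising",     # tailored advertisements
}

@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)

    @property
    def kind(self) -> str:
        # Expires or Max-Age keeps a cookie after the browser closes.
        return "persistent" if self.attrs.keys() & {"expires", "max-age"} else "session"

def parse_set_cookie(header: str) -> Cookie:
    """Split a Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)

def cookies_to_send(headers: list[str], consented: set[str]) -> list[str]:
    """Keep strictly necessary cookies plus those whose purpose was consented to."""
    kept = []
    for header in headers:
        purpose = PURPOSES.get(parse_set_cookie(header).name, "unknown")
        if purpose == "strictly_necessary" or purpose in consented:
            kept.append(header)
    return kept

# Constructed sample headers a server might emit before consent filtering.
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/; Secure; HttpOnly",
    "basket=item42; Max-Age=604800; Path=/",
    "_analytics=u1; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
    "ad_id=z9; Max-Age=31536000; Path=/",
    "mystery=1; Path=/",
]
```

With no consent recorded, only the session cookie survives the filter; an unregistered name such as `mystery` is never sent, so a forgotten tracker cannot slip through by default.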

Cookies and the ICO

The ICO, or Information Commissioner's Office, helps websites and businesses to comply through the audits it can conduct. An audit looks at the effectiveness of the policies and procedures a company has in place and whether they are being followed correctly. Audits play a key role in helping organisations understand their obligations on data protection and other areas, and after an audit is completed the ICO makes a comprehensive report available. Any person or company that breaches the PECR rules can face criminal prosecution and non-criminal enforcement. The Information Commissioner can serve a monetary penalty notice imposing a fine of up to £500,000, which can be issued against the organisation and/or its directors.

How Can We Help?

If you would like help with your policy and procedure documents or legal agreements, contracts or advice, please contact us using the form below.
Office: 01244 342 618

Mobile Numbers

Joanne: 07764 258 001
Shaun:   07908 688 170