Cookies under UK’s data protection law

In the United Kingdom, the Privacy and Electronic Communications Regulations 2003 (PECR) apply alongside the  Data Protection Act 2018 (DPA) and the GDPR.

The Information Commissioner’s Office (ICO), as the UK’s independent body set up to safeguard information rights, is responsible for enforcing the rules.

Requirements for cookie consent

In July 2019, the ICO  published a blog providing stricter guidance on consent and transparency for cookie use, which also provides an understanding of how the PECR applies to the use of cookies with regard to the GDPR (Blog: Cookies – what does ‘good’ look like?).

Consequently, organisations are advised to take immediate action to review their use of web-based technologies and adopt the necessary changes (Guidance on the use of cookies and similar technologies).

If online services, such as a website or a mobile app are operated, a comprehensive understanding of how PECR applies to the use of cookies is essential.

In brief, the PECR does not refer to cookies by name, but requires that a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless:

  1. clear and comprehensive information is provided about the purposes of the storage of, or access to, that information; and
  2. an opportunity is given to refuse the storage of or access to that information (Article 6 PECR).

Basically, individuals must be told about the cookies and given clear and comprehensive information about the way the cookies are used and why they are used. It must be ensured that for any cookie that is not strictly necessary for the website, appropriate means of providing consent to that cookie are put in place.  Consent must be actively and clearly given. This also applies to ‘similar technologies’ like fingerprinting techniques or any other type of technology used to store or gain access to information on someone’s device.

Exemptions to the cookie rules

In accordance with Article 6 of the PECR, there are two exemptions to the cookie rules.  These are the ‘communication’ exemption and the ‘strictly necessary’ exemption.

The communication exemption applies to cookies with the sole purpose  of facilitating the transmission of a communication over an electronic communications network.

The ‘strictly necessary’ exemption applies to cookies that are strictly necessary to provide  ‘information society services’ (ISS) – i.e. services delivered over the internet – provided they are requested by users themselves.


Ultimately, the obligation to provide information about the purposes for which cookies are used must align with GDPR transparency standards, i.e. it must be in an easily accessible form, in clear and plain language and as user-friendly as possible.

Contact us!

Secure the knowledge of our experts!

Subscribe to our free newsletter: