The Information Commissioner’s Office (ICO), as the UK’s independent body set up to safeguard information rights, is responsible for enforcing the rules.
Requirements for cookie consent
In brief, the PECR does not refer to cookies by name, but requires that a person shall not store information, or gain access to information stored, in the terminal equipment of a subscriber or user unless:
- clear and comprehensive information is provided about the purposes of the storage of, or access to, that information; and
- an opportunity is given to refuse the storage of or access to that information (Article 6 PECR).
Basically, individuals must be told about the cookies and given clear and comprehensive information about how and why the cookies are used. For any cookie that is not strictly necessary for the website, appropriate means of providing consent to that cookie must be put in place. Consent must be actively and clearly given. This also applies to ‘similar technologies’ such as fingerprinting techniques or any other type of technology used to store or gain access to information on someone’s device.
Exemptions to the cookie rules
In accordance with Article 6 of the PECR, there are two exemptions to the cookie rules. These are the ‘communication’ exemption and the ‘strictly necessary’ exemption.
The communication exemption applies to cookies with the sole purpose of facilitating the transmission of a communication over an electronic communications network.
The ‘strictly necessary’ exemption applies to cookies that are strictly necessary to provide ‘information society services’ (ISS) – i.e. services delivered over the internet – provided they are requested by users themselves.
Ultimately, the obligation to provide information about the purposes for which cookies are used must align with GDPR transparency standards, i.e. it must be in an easily accessible form, in clear and plain language and as user-friendly as possible.