Why do you need a Cookies policy?

You will have seen plenty of pop-ups mentioning cookies in your time on the internet. However, do you know what cookies are? Or whether your website requires a policy? Are you guilty of clicking ‘accept all’ just to make the pop-ups disappear? Don’t worry, most of us are.

What is a cookie?

A cookie is essentially a memory of a user and their interactions with a website. It’s a small text file created when you browse a website, stored in your browser. It holds basic information including the website URL, the lifetime of the cookie (its ‘use by’, if you like) and a unique ID for each user.
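A cookie notice has to state the facts the paragraph above lists: which site set the cookie, how long it lives and what identifier it carries. The script below is an added illustration (not part of the original article) that reads those facts out of `Set-Cookie` headers using only the Python standard library, so a site owner can inventory what the server actually sets before writing the policy. The three headers are constructed samples, not from any real site; the one-year threshold for flagging a cookie as long-lived is an assumption chosen for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie headers, as a server might send them (not from any real site).
SAMPLE_HEADERS = [
    "sessionid=a1b2c3; Path=/; HttpOnly; Secure",
    "visitor_uid=u-98765; Max-Age=63072000; Domain=example.com; Path=/",
    "theme=dark; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/",
]

# Assumed threshold for flagging a cookie as long-lived; pick what suits your own review.
ONE_YEAR = 365 * 24 * 3600


def describe_cookie(header, now=None):
    """Parse one Set-Cookie header and return the facts a cookie notice has to state:
    the cookie's name, the site it is scoped to, and how long it lives
    (lifetime_seconds is None for a session cookie that dies with the browser)."""
    now = now or datetime.now(timezone.utc)
    jar = SimpleCookie()
    jar.load(header)
    if len(jar) != 1:
        raise ValueError(f"expected exactly one cookie in header: {header!r}")
    name, morsel = next(iter(jar.items()))

    lifetime = None
    if morsel["max-age"]:
        # Max-Age takes precedence over Expires (RFC 6265, section 5.3).
        lifetime = int(morsel["max-age"])
    elif morsel["expires"]:
        expires = parsedate_to_datetime(morsel["expires"])
        lifetime = max(0, int((expires - now).total_seconds()))

    return {
        "name": name,
        "value": morsel.value,               # the 'unique ID' the article mentions
        "domain": morsel["domain"] or "(host only)",
        "lifetime_seconds": lifetime,        # the cookie's 'use by'
        "persistent": lifetime is not None,
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
        "long_lived": lifetime is not None and lifetime > ONE_YEAR,
    }


def audit_cookies(headers, now=None):
    """Inventory every cookie a response sets; feed this list into your cookie policy."""
    return [describe_cookie(h, now) for h in headers]


if __name__ == "__main__":
    for cookie in audit_cookies(SAMPLE_HEADERS):
        print(cookie)
```

Run it against the `Set-Cookie` headers captured from your own site (one header string per cookie). Session cookies come back with `persistent` false; anything flagged `long_lived` carries an identifier well past a single visit and deserves a line in the policy explaining why.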

What are the rules with Cookies?

Cookies are referenced in both the Privacy and Electronic Communications Regulations (PECR) and GDPR.

PECR sits alongside the Data Protection Act 2018 (DPA) and the UK GDPR, and provides specific rules in relation to privacy and electronic communications. Where these rules apply, they take precedence over the DPA and the UK GDPR. This is important, because if you are setting cookies you need to consider PECR compliance first before you look to the UK GDPR.

The rules on cookies are in PECR regulation 6. The basic rule is that you must:

  • tell people the cookies are there
  • explain what the cookies are doing and why
  • get the person’s consent to store a cookie on their device.

As long as you do this the first time you set cookies, you do not have to repeat it every time the same person visits your website. However, bear in mind that devices may be used by different people. If there is likely to be more than one user, you may want to consider repeating this process at suitable intervals.

You may also need to obtain fresh consent if your use of cookies changes over time.

Who needs cookies?

Regulation 6 actually applies to anyone who stores information on a user’s device or gains access to information on a user’s device, in either case by any method.

This means the same rules apply to any similar technologies – such as Local Shared Objects (sometimes called Flash cookies) – and can also cover other types of technology, including apps on smartphones, tablets, smart TVs or other devices.