What is data privacy?
Data privacy refers to the principle that individuals (known as ‘data subjects’) should have control over their personal data (ie information about individuals from which they can be personally identified, like names and addresses). This includes having control over how their personal data is processed (eg collected, stored or used) by businesses and other organisations.
Data protection considerations
The Data Protection Act 2018 (DPA) is designed to regulate the use of personal data by businesses and other organisations. The DPA is the main legislation implementing the UK General Data Protection Regulation (GDPR).
This legislation requires that anyone processing personal data ensures that it is:
- used fairly, lawfully and in a transparent manner
- collected for specified, explicit and legitimate purposes
- adequate, relevant and its collection is limited to what is necessary
- accurate and kept up to date
- kept in a form that enables identification of data subjects for no longer than is necessary
- handled according to the data protection rights of individuals, and
- not transferred outside the UK without adequate protection (eg safeguards)
For more information on data protection, read Data protection, Data protection principles and Data protection for businesses.
What are internet cookies?
Internet cookies, often simply referred to as ‘cookies’, are text files placed on devices (eg computers or smartphones) by websites. They are used to collect personal data. Most website operators place cookies on the browser or hard drive of their website visitors’ devices for various purposes (eg to remember an individual’s website preferences, personalise their browsing experience, or for marketing purposes by tracking their browsing activity across different websites to show them targeted ads).
To learn more about cookies, including what different types of cookies exist, read Different types of internet cookies.
What do cookies have to do with data privacy?
Because cookies collect and store information about individuals’ online activities, they are closely related to data privacy. This means that anyone who uses cookies must comply with all relevant rules, including relevant data protection laws.
Cookies and the GDPR
The GDPR classifies cookies as a type of online identifier, which, in certain circumstances, is considered to be personal data.
If you use cookies to uniquely identify a device or the individual using that device, this is considered personal data under the GDPR. This means that cookies used for analytics, advertising and functional services come within the ambit of the GDPR.
To be GDPR compliant, you’ll need to either stop using cookies that uniquely identify individuals or find a lawful ground to collect and process the data, for example consent (more on this below).
Privacy and Electronic Communications Regulations
The Privacy and Electronic Communications Regulations 2003 (PECR), also known as the ‘cookie law’, set out certain online marketing obligations and govern the use of cookies.
PECR sits alongside the DPA and GDPR and, where PECR applies, it takes precedence over the DPA and GDPR. This means that you need to consider PECR compliance before considering the GDPR.
In other words, if you operate a website, you should:
- comply with PECR first, if your website stores information, or accesses information stored, on individuals’ devices, and
- comply with the GDPR for any processing of personal data outside of such storage or access
Note that failure to comply with PECR can lead to fines of up to £500,000.
Consent for cookies
Under PECR, websites cannot use non-essential cookies unless the consent of the website visitor is expressly given. In other words, individuals visiting your website must opt in before such cookies can be used.
Non-essential cookies are those which are not necessary for a website to function. They are often used for analytical purposes or to assist with advertising. Even cookies that customise a website (such as providing a greeting message) are deemed to be non-essential.
Essential cookies (also known as ‘strictly necessary cookies’) are those necessary for a website to function. They are generally those that enable an online checkout process to work properly or that are required for technical or security purposes. Using essential cookies does not require a website visitor’s consent, but it is good practice to ensure that information about these cookies is available.
Further, PECR sets out information requirements around cookies that you must comply with. This means that, in addition to getting consent, you must:
- tell individuals about what cookies you use
- explain what the cookies do, and
- explain why you are using them
This must be done when an individual first visits your website.
Consent standard
PECR uses the GDPR’s standard of consent, so consent under PECR has the same requirements as consent under the GDPR. Consent must therefore be:
- given freely and genuinely, and
- given through a clear affirmative action, such as clicking an opt-in box or choosing settings or preferences on a settings menu. Simply visiting a website doesn’t count as consent
It must also be as easy to decline consent as it is to give it. There should always be a ‘reject all’ option that website visitors can click instead of giving consent, and this should be as obvious and easy to click as the option that grants consent. You must also give people the option to change their minds at a later date, ie by providing an opt-out option.
How is consent collected and information about cookies provided?
A cookie banner on a website’s landing page (ie the page a website visitor lands on) is typically used to collect consent for cookies and provide relevant information about cookie use.
Other methods (eg pop-ups, message bars or header bars) can be used. However, you must carefully consider how they will be implemented to ensure their usability and that they clearly communicate the situation regarding cookies to website visitors.
If you are using a cookie banner, this should:
- inform website visitors about your cookie usage in plain and jargon-free language
- set out the different categories of cookies (eg strictly necessary, functional and marketing cookies) your website uses
- not have pre-enabled opt-in consent and instead provide both ‘accept’ and ‘reject’ buttons on the cookie banner
- provide a granular option to accept/reject different cookie categories (eg under a ‘cookie settings’ button on the banner)
- link to a compliant website privacy policy with an integrated cookie policy, or link to a separate cookie policy on the cookie banner, so website visitors can find out more about the cookies used
- be separate from other terms and conditions (including website terms of use)
The cookie banner should be displayed every time a given individual visits your website until they accept or reject all cookies or save their customised cookie preferences.
Once a website visitor has accepted or rejected cookies, the cookie banner should close (hiding the banner) or show a confirmation message along with a ‘hide’ button to let the visitor close the banner. The website visitor’s cookie preferences should be saved.
How long does cookie consent last for?
You do not need to get website visitors to reconsent to cookies each time they visit the website. How often a website visitor will need to reconsent depends on various factors (eg the frequency of visits or updates of content or functionality). However, you should ensure consent choices have a ‘shelf life’ and that your website asks website visitors to reconsent to cookies after a certain period of time (eg 1 year).
For more information on data privacy and cookies, read the Information Commissioner’s Office’s (ICO’s) guidance on the use of cookies and similar technologies. If you have any questions or concerns, do not hesitate to ask a lawyer.
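The banner rules above (nothing pre-enabled, ‘accept’ and ‘reject’ equally easy, granular categories, preferences saved, banner shown until a choice is made) and the consent ‘shelf life’ can be implemented as a small piece of client-side consent state. The JavaScript below is an added example written for this page, not code from the original guide or from any particular consent tool. The category names, the storage key `cookie_consent`, the one-year expiry and the in-memory stand-in for `localStorage` are all assumptions chosen so that the example runs offline.

```javascript
// Added example, not code from the original page: a minimal consent-state
// manager implementing the banner and shelf-life rules described above.
// The category names, storage key and one-year expiry are assumptions.

const CONSENT_KEY = "cookie_consent";                 // assumed storage key
const CONSENT_MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000; // assumed 1-year shelf life
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// State before any affirmative action: only strictly necessary cookies allowed.
// Nothing is pre-enabled, so merely visiting the site never counts as consent.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Turn a visitor's explicit choice into a timestamped consent record.
// 'necessary' is always true; unknown keys are ignored; only a literal `true`
// counts as an opt-in for a non-essential category.
function buildConsent(choices, now = Date.now()) {
  const consent = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat !== "necessary" && choices[cat] === true) consent[cat] = true;
  }
  return { consent, grantedAt: now };
}

// 'Accept all' and 'Reject all' are the two one-click buttons; both are
// recorded the same way, so declining is exactly as easy as accepting.
function acceptAll(now = Date.now()) {
  return buildConsent(Object.fromEntries(CATEGORIES.map(c => [c, true])), now);
}
function rejectAll(now = Date.now()) {
  return buildConsent({}, now);
}

// Read the stored record. A missing, malformed, tampered or expired record is
// treated as "no choice yet", which is what makes the banner reappear.
function loadConsent(storage, now = Date.now()) {
  const raw = storage.getItem(CONSENT_KEY);
  if (raw === null) return null;
  let record;
  try {
    record = JSON.parse(raw);
  } catch (e) {
    return null;
  }
  if (!record || typeof record.grantedAt !== "number") return null;
  if (now - record.grantedAt > CONSENT_MAX_AGE_MS) return null;
  // Re-validate the stored categories rather than trusting the blob as-is.
  return buildConsent(record.consent || {}, record.grantedAt);
}

function saveConsent(storage, record) {
  storage.setItem(CONSENT_KEY, JSON.stringify(record));
}

// The banner is shown on every visit until a valid, unexpired choice exists.
function shouldShowBanner(storage, now = Date.now()) {
  return loadConsent(storage, now) === null;
}

// Gate that any cookie-setting code should call first: strictly necessary
// cookies are always permitted; anything else needs a current opt-in.
function mayUseCookie(category, storage, now = Date.now()) {
  if (category === "necessary") return true;
  if (!CATEGORIES.includes(category)) return false;
  const record = loadConsent(storage, now);
  return record !== null && record.consent[category] === true;
}

// In-memory stand-in for window.localStorage so the example runs under Node.
function memoryStorage() {
  const items = new Map();
  return {
    getItem: k => (items.has(k) ? items.get(k) : null),
    setItem: (k, v) => { items.set(k, String(v)); },
    removeItem: k => { items.delete(k); },
  };
}

// Walk through one visitor: banner shown, granular choice saved, expiry enforced.
function demo() {
  const storage = memoryStorage();
  const visit1 = 1700000000000;                                     // constructed timestamp
  const before = shouldShowBanner(storage, visit1);                 // true: no choice yet
  saveConsent(storage, buildConsent({ analytics: true }, visit1));  // granular opt-in
  const analyticsNow = mayUseCookie("analytics", storage, visit1);  // true
  const marketingNow = mayUseCookie("marketing", storage, visit1);  // false: never opted in
  const later = visit1 + CONSENT_MAX_AGE_MS + 1;                    // just past the shelf life
  const analyticsLater = mayUseCookie("analytics", storage, later); // false: reconsent needed
  return { before, analyticsNow, marketingNow, analyticsLater };
}
```

In a real page, `memoryStorage()` would be replaced by `window.localStorage` (or a first-party cookie), the banner would call `saveConsent` from its ‘accept all’, ‘reject all’ and ‘save preferences’ handlers, and every script that sets a non-essential cookie or loads an analytics or advertising tag would check `mayUseCookie` first. Storing the grant time and re-validating the record on every read is what gives the consent a shelf life and stops a stale or edited record from silently enabling categories the visitor never chose.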