Cookies are small files which are stored on a user’s computer.  They collect data specific to the user of the website, eg tracking which websites the user has previously visited and remembering what is in a shopping basket.  Cookies fall into two different categories:

  • Session cookies – These cookies are erased at the end of your browsing session.
  • Persistent cookies – These remain on your computer until the end of the expiry date for that cookie. This could be some years into the future.

The use of cookies is governed by the Privacy and Electronic Communications Regulations (“PECR”), which sits alongside the Data Protection Act 2018 and the General Data Protection Regulation 2016/279 (“GDPR”).  PECR states that if you use cookies, you must (1) say what cookies will be set; (2) explain what the cookies will do; and (3) obtain consent to store cookies on a user’s device.

PECR only allow a website to set a cookie on a user’s computer if either:

  • Strictly necessary – The cookie is used for technical purposes to allow the communication to take place or provide a service the user has requested; or
  • Consent – The user has been given clear information about the purpose of the cookie and has given consent. Importantly, the law was amended at the end of March 2019 to make it clear this consent must meet the high standards in the GDPR.

The ICO has issued guidance as a reminder on the use of cookies and how to go about obtaining consent for the use of cookies:

  • Users or subscribers must give consent prior to cookies being placed or used;
  • When requesting consent, users must have a genuine choice and be provided with sufficient and specific information to make an informed decision;
  • A failure to engage with a cookie request (eg continuing to browse) cannot be used to infer consent; and
  • Acceptance of cookies as a condition for accessing a site (or part of a site) will only be lawful in limited situations. Acceptance of online advertising cookies is not a legitimate purpose (ICO).

To implement the guidance provided by the ICO, consider the following:

  • Ensure that any consent mechanism you put in place allows the user to have control over the cookies your website sets, for example, provide the user with information about what information the cookies collect, and whether these are essential cookies, or non-essential cookies, then allowing the user to disable these cookies should they wish.
  • Consider the use of message boxes, pop-ups or header bars, but be careful that these do not make it hard for a user of a mobile or handheld device to read, otherwise the consent will be invalid. Many websites are using pop-ups or splash pages (including the ICO’s own website).


Charlotte Higgins is a solicitor in the Company Commercial Department and the Civil Litigation Department at Bell & Buxton.