For many years CRIBB Cyber Security has helped clients in a variety of sectors, including travel. Recently, our friends at Profit shared news of a potential phishing / ransomware attempt against travel companies. It seems that some have received messages suggesting they are in breach of the PECR requirements on cookies. We therefore decided to ask a simple question today: what are the rules on cookies and similar technologies?
Cookies and similar technologies
Common uses of cookies include:
- Remembering the contents of online shopping baskets
- Assisting users to log in to a website
- Analysing website traffic or tracking browsing behaviour
Cookies can allow websites to work more efficiently, thus enhancing the user experience in some cases. They provide information to website owners, including whether or not a user is logged in. Fingerprinting techniques are one example of a similar technology to which PECR applies.
Whilst cookies are not explicitly named, PECR Regulation 6 does state:
(1) … a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment —
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
Therefore, when deploying cookies you must state what cookies will be set and what they will do. You must also obtain consent to store cookies on devices.
Information Commissioner’s Office (ICO) guidance
The ICO website features a comprehensive section that sets out the rules on cookies and similar technologies. It offers in-depth guidance on how to comply and is well worth a read. Below are some considerations and steps to take if you are anxious about your own level of compliance:
- You are responsible for compliance with the requirements of PECR if you are setting cookies
- When setting cookies, make sure you detail which cookies you will use and which of them are necessary
- Let people know about the purposes and duration of any cookies
- If you have already set up cookies then consider conducting a cookie audit
- Ensure that you have appropriate arrangements in place with third parties
- It is imperative to provide information on cookies so that users will see it when they first visit your website
Important notice: Cookies are changing
Where you are based, and where your customers are based, will take on more importance; more to follow in the weeks ahead.