The rules on cookies and similar technologies - Cribb Cyber Security

For many years CRIBB Cyber Security has helped clients in a variety of sectors, including travel. Recently, our friends at Profit shared news of a potential phishing / ransomware attempt against travel companies. It seems that some have received messages claiming they are in breach of the PECR requirements on cookies. So we decided to ask a simple question today: What are the rules on cookies and similar technologies?

Cookies and similar technologies

The Privacy and Electronic Communications Regulations (PECR) cover the use of cookies and similar technologies to store and access information on a user’s computer or mobile device. Cookies are essentially a technology for storing information between website visits. They typically consist of letters and numbers provided by online services when users visit them. Software on the user’s device (usually the browser) can then store the cookies and send them back to the website on the next visit. The purposes of cookies are varied and include:

  • Remembering the contents of online shopping baskets
  • Assisting users to log in to a website
  • Analysing website traffic or tracking browsing behaviour

Cookies can allow websites to work more efficiently, thus enhancing the user experience in some cases. They also provide information to website owners, including whether or not a user is logged in. Device fingerprinting is one example of a similar technology to which PECR applies.

PECR requirements

Whilst cookies are not explicitly named, PECR Regulation 6 does state:

(1) … a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment —

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) has given his or her consent.

Therefore, when deploying cookies you must state what cookies will be set and what they will do. You must also obtain consent to store cookies on devices.

Information Commissioner’s Office (ICO) guidance

The ICO website features a comprehensive section that sets out the rules on cookies and similar technologies. It offers in-depth guidance on how to comply and is well worth a read. Below are some considerations and steps to take if you are anxious about your own level of compliance:

  • You are responsible for compliance with the requirements of PECR if you are setting cookies
  • When setting cookies, make sure you detail which you will use and which are necessary
  • Let people know about the purposes and duration of any cookies
  • If you have already set up cookies then consider conducting a cookie audit
  • Ensure that you have appropriate arrangements in place with third parties
  • It is imperative to provide information on cookies so that users will see it when they first visit your website

Important notice: Cookies are changing

Where you are based, and also where your customers are based, will take on more importance; more to follow in the weeks ahead.