Prevent to Allow This Website to Provide Information Personalized for You Appear Again and Again
In detail
- Who is responsible for compliance?
- How do we plan and decide what type of cookies to use?
- How should we conduct a cookie audit?
- How do we tell people about cookies?
- What if children are likely to access our online service?
- How should we request consent in practice?
- Can we use message boxes and similar techniques?
- Can we rely on settings-led consent?
- Can we rely on feature-led consent?
- Can we rely on browser settings and other control mechanisms?
- Can we use 'terms and conditions' to gain consent for cookies?
- Can we use 'cookie walls'?
- Can we pre-enable any non-essential cookies?
- What if we use third party cookies?
- Are analytics cookies exempt?
- How do the exemptions apply to different types of cookies?
- What if our users change their minds about cookies?
- How often should we get consent?
- How should we keep records of user preferences?
- How long should our cookies last?
Who is responsible for compliance?
PECR says that 'a person' shall not store, or gain access to information stored, on user devices. However, PECR does not define who should be responsible for complying with the requirement to provide information about cookies and obtain consent. The key point is not who obtains the consent but that you provide clear and comprehensive information and obtain valid consent.
Where you operate an online service and any use of cookies will be for your own purposes, it is clear that you will be responsible. The person setting the cookie is therefore primarily responsible for compliance with the requirements of PECR, although this is not necessarily the case where multiple parties are involved.
How do we plan and decide what type of cookies to use?
If you are planning a new online service, you should take steps to detail what cookies you will use, which are strictly necessary, and ensure that you have appropriate arrangements in place with any third parties.
For any pre-existing services, you should already know what types of cookies you use but it would be sensible to recheck. This might take the form of a comprehensive 'cookie audit' of your online service, or it could be as simple as checking what data will be sent to users and why.
How should we conduct a cookie audit?
When you conduct a cookie audit, you should:
- for cookies that are already present, identify those that are operating on or through your website, using a combination of browser-based tools and server-side code review;
- confirm the purpose(s) of each of the cookies you use (or intend to use);
- confirm whether cookies are linked to other information held about users – such as usernames – and whether your use of cookies also involves (or will involve) processing personal data;
- identify what data each cookie holds or otherwise processes;
- confirm the type of cookie – session or persistent;
- distinguish between which cookies are strictly necessary and which ones aren't (and would therefore require clear and comprehensive information and consent);
- ensure that your consent mechanism enables users to control the setting of all non-essential cookies;
- determine the lifespans of any persistent cookies and whether these durations are justifiable for the stated purpose;
- decide whether each cookie is a first or third party cookie, and if it is a third party cookie who is setting it;
- double check that the privacy information provides accurate and clear information about each cookie;
- confirm what information you share with third parties, and what users are told about this; and
- document your findings and follow-up actions, and build in an appropriate review period.
If your service already uses cookies, you should look at this as an opportunity to 'clean up' existing web pages and stop using cookies that are unnecessary or which have been superseded as your site has evolved.
Don't simply do this once. Your usage of any third party content is likely to change over time, so it is good practice to undertake regular reviews of your cookie usage, as well as any third party services your website includes that may set cookies.
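The audit steps above (session or persistent, lifespan, first or third party, follow-up actions) can be applied mechanically to the Set-Cookie headers captured from a site. The helper below is an added example, not ICO tooling; it assumes the audited site is `www.example.org`, uses a fixed reference date and constructed sample headers, and simplifies the registrable-domain check to the last two labels (a real audit should use the Public Suffix List).

```javascript
// Added example: turn captured Set-Cookie header values into cookie-audit rows.
const SITE_HOST = "www.example.org"; // assumption: the first-party site under audit

// Parse one Set-Cookie header value into its name and the attributes the audit needs.
function parseSetCookie(header, responseHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    domain: responseHost.toLowerCase(), // host-only cookie unless Domain= is given
    maxAge: null,
    expires: null,
    secure: false,
    httpOnly: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1).trim();
    if (key === "domain") cookie.domain = val.replace(/^\./, "").toLowerCase();
    else if (key === "max-age") cookie.maxAge = Number(val);
    else if (key === "expires") cookie.expires = new Date(val);
    else if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.sameSite = val;
  }
  return cookie;
}

// Simplified registrable domain: last two labels (assumption, see lead-in).
function registrableDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Lifespan in days. Max-Age takes precedence over Expires (RFC 6265); null = session cookie.
function lifespanDays(cookie, now) {
  if (cookie.maxAge !== null) return cookie.maxAge / 86400;
  if (cookie.expires) return (cookie.expires - now) / 86400000;
  return null;
}

// One audit row: type, lifespan, party, and the follow-ups the audit list asks for.
function auditCookie(cookie, now, siteHost = SITE_HOST) {
  const days = lifespanDays(cookie, now);
  const persistent = days !== null;
  const thirdParty = registrableDomain(cookie.domain) !== registrableDomain(siteHost);
  const followUps = [];
  if (thirdParty) followUps.push("third party: confirm who sets it and what users are told");
  if (persistent && days > 365) followUps.push("lifespan over a year: justify for stated purpose");
  if (persistent && !cookie.secure) followUps.push("persistent cookie without Secure attribute");
  followUps.push("confirm purpose and whether strictly necessary");
  return {
    name: cookie.name,
    domain: cookie.domain,
    type: persistent ? "persistent" : "session",
    lifespanDays: persistent ? Math.round(days) : null,
    party: thirdParty ? "third" : "first",
    followUps,
  };
}

// Audit a capture: an array of { host, header } taken from observed responses.
// The reference date is fixed so Expires-based lifespans are reproducible.
function auditHeaders(captured, now = new Date("2024-01-01T00:00:00Z")) {
  return captured.map(({ host, header }) => auditCookie(parseSetCookie(header, host), now));
}

// Constructed sample capture (not real traffic): response host plus Set-Cookie value.
const SAMPLE_CAPTURE = [
  { host: "www.example.org", header: "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { host: "www.example.org", header: "cookie_consent=v1; Max-Age=7776000; Path=/; Secure; SameSite=Lax" },
  { host: "www.example.org", header: "_ga=GA1.2.1; Expires=Mon, 01 Jul 2024 00:00:00 GMT; Domain=.example.org; Path=/" },
  { host: "ads.tracker-example.net", header: "uid=zzz; Max-Age=63072000; Domain=.tracker-example.net; Path=/; Secure; SameSite=None" },
];

for (const row of auditHeaders(SAMPLE_CAPTURE)) console.log(JSON.stringify(row));
```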
Once you have completed the audit, the next consideration is the best methods for providing information and requesting consent.
How do we tell people about cookies?
To comply with the information requirements of PECR, you need to make sure users will see clear information about cookies. In any case, doing so will increase levels of user awareness and control, and also assist in gaining valid consent.
You also need to tell people about the purposes and duration of the cookies you use.
You need to provide information about cookies in such a way that the user will see it when they first visit your service. This is usually done within the cookie consent mechanism itself.
You should also provide more detailed information about cookies in a privacy or cookie policy accessed through a link within the consent mechanism and at the top or bottom of your website.
You should consider how the design of your online service impacts on the visibility of the link to your policy. For example, a link at the bottom of a concise webpage which has no content "below the fold" will be much more visible and accessible than a link in the footer of a dense webpage of 10,000 words. In this case a link in the header would be more appropriate.
Other ways of increasing the prominence of cookie information include:
- formatting – this might include changing the size of the link to the information or using a different font. The key is whether the link to this important information is distinguishable from "normal text" and other links;
- positioning – simply moving the link from the footer of the page to somewhere more likely to catch attention is an easy but effective thing to try; and
- wording – making the hyperlink more than just "privacy policy"; this could involve a link through some explanatory text ("Find out more about how our site works and how we put you in control.")
You also need to ensure the information is clear so that your users understand it. Consider tailoring the language to your audience, and not using lengthy and overly complex terminology.
What if children are likely to access our online service?
The rules are no different if children access your online service. You will need to provide clear and comprehensive information about your use of cookies and ensure you have consent for any that are not strictly necessary.
However, if children are likely to access your service you will need to ensure that both the information you provide and the consent mechanism you use are appropriate for children.
More generally, if your online service is likely to be accessed by a child then you will also need to comply with the requirements of the ICO's code of practice on age appropriate design.
How should we request consent in practice?
How you request consent for cookies will depend initially on what the cookies in use are doing and, to some extent, on the relationship you have with your users.
When considering how to provide information about cookies and how to request consent there are different techniques you can use to draw users' attention to information and the choices available to them.
You may also find it helpful to look at the methods other online services already use.
You need to ensure that any consent mechanism you put in place allows users to have control over all the cookies your website sets, not just your own.
For example, if you want to set third-party content such as tracking pixels and beacons from social networks, you need to ensure that users are given information about these and appropriate controls to signify whether or not they consent.
In practice, this can be challenging as not all consent mechanisms presently enable users to disable cookies from third parties directly. However, designing and implementing a consent mechanism that works only for some of the cookies would not be compliant with PECR, as the user is not provided with any control over these cookies – they must visit different websites and take different actions to disable them.
Ultimately, you are the one who determines what cookies are set on your website, and in particular the number and type of third-party cookies involved. One of the considerations before incorporating a third-party cookie should therefore be whether your consent mechanism allows the user to control whether the cookie is set or not.
Can we use message boxes and similar techniques?
Message boxes such as banners, pop-ups, message bars, header bars or similar techniques might initially seem an easy option for you to achieve compliance.
However, you need to consider their implementation carefully, particularly in respect of the implications for the user experience. For example, a message box designed for display on a desktop or laptop web browser can be difficult for the user to read or interact with when using a mobile device, meaning that the consents you obtain would be invalid. Similarly, long lists of checkboxes might seem like a way to make your consent mechanism appropriately granular, but this approach carries different risks in that your users may simply not interact with the mechanism or may not understand the information you're providing.
At the same time, Recital 32 of the UK GDPR is clear that electronic consent requests must not be unnecessarily disruptive – so you need to consider how you go about providing clear and comprehensive information without confusing users or disrupting their experience. However, this does not override the need to ensure that consent requests are valid – so some level of disruption may be necessary.
Consent can still be sought in this way provided it makes the position absolutely clear to users. Many websites routinely use pop-ups or 'splash pages' to make users aware of changes to the site or to ask for their feedback. Similar techniques could be a useful way of highlighting the use of cookies and consent.
There are challenges with using these techniques. If users do not click on any of the options available and go directly through to another part of your site, and you go ahead and set non-essential cookies on their devices, this would not be valid consent. This is because users who fail to engage with the consent box cannot be said to consent to the setting of these cookies.
Can we rely on settings-led consent?
Some cookies are deployed when a user makes a choice over a site's settings. In these cases, consent could be sought as part of the process by which the user confirms what they want to do, or how they want the site to work.
For example, some websites 'remember' which version a user wants to access, such as a version of a site in a particular language, or what font size to use. These cookies are sometimes known as 'preference cookies' or 'user interface' cookies. If this feature is enabled by the storage of a cookie, then this should be explained to the user, meaning they needn't be asked every time they visit the site. You can explain to them that by allowing their choice to be remembered they are giving consent to set the cookie. Agreement for the cookie could therefore be seamlessly integrated with the choice the user is already making.
This would apply to any feature where the user is told that a website can remember settings they have chosen. It might be the size of the text they want to have displayed, the colour scheme they like or even the 'personalised greeting' they see each time they visit the site.
You must still take care that any processing of personal data related to the setting of preference cookies or other personalisation features is limited to what is necessary for this purpose.
Can we rely on feature-led consent?
Your site could include video clips or remember what users have done on previous visits in order to personalise the content they are served. Some cookies would then be stored if the user chooses a particular feature of your site.
However, you still need to provide clear and comprehensive information and obtain consent.
Where the feature is provided by a third party, users will need to be made aware of this, and be given information on how the third party uses cookies and similar technologies so that the user is able to make an informed choice.
Further reading – ICO guidance
Consent
Further reading – European Data Protection Board
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the EU version of the GDPR.
The EDPB has published Guidelines 05/2020 on consent.
While these guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime, they may still provide helpful guidance.
Can we rely on browser settings and other control mechanisms?
You cannot assume that each visitor to your online service can configure their browser settings to correctly reflect their preferences in relation to the setting of cookies.
PECR suggests that browser settings may be one means of obtaining consent if they can be used in a way that allows the subscriber to indicate their agreement to cookies being set. Regulation 6(3)(a) states:
'consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or program to signify consent.'
This is where the user or subscriber sets up their browser so that only certain cookies are allowed.
Example
A user visits a website that can identify that their browser is set up to allow cookies of types A, B and C but not of type D.
As a result the website owner can be confident that in setting cookies A, B and C they have the user's consent to do so. They would not set cookie D.
For consent to be clearly signified it would need to be clear that users and subscribers had been prompted to consider their current browser settings. This would require evidence of either a positive action that the subscriber was happy with the default, or otherwise made a decision to change the settings.
Browsers may also include other features such as tracking protection options. Depending on the browser, these may be either enabled by default or require the user to configure them. There is also a range of browser extensions and add-ons for various web browsers that users can install to further manage their cookie preferences.
However, you should be aware that not everyone accessing websites will do so with the same version or type of browser, or even use a traditional web browser at all. This is especially important when considering web browsers and apps on other devices such as smartphones, tablets, smart TVs, wearable technology or other 'Internet of Things' devices.
In future you may well be able to rely on the user's browser settings as part, or all, of the mechanism for satisfying yourself that you have consent to set cookies. For now, relying solely on browser settings will not be sufficient. Even when browser options are improved it is likely not all users will have the most up-to-date browser with the enhanced privacy settings needed for the settings to constitute an indication of consent.
Can we use 'terms and conditions' to gain consent for cookies?
No. Consent must be separate from other matters and cannot be bundled into terms and conditions or privacy notices. The key point is that you should be upfront with your users about your use of cookies. You should obtain consent by giving the user specific separate information about what they are being asked to agree to and providing them with a way to accept by means of a positive action to opt-in.
Any attempt to gain consent that is bundled in terms and conditions will not be compliant.
Can we use 'cookie walls'?
A cookie wall – sometimes called a 'tracking wall' – requires users to 'agree' or 'accept' the setting of cookies before they can access an online service's content. This is also known as the 'take it or leave it approach'.
In some circumstances, this approach is inappropriate; for example, where the user or subscriber has no genuine choice but to sign up. This is because the UK GDPR says that consent must be freely given.
Further, Recital 43 of the UK GDPR states that:
'Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.'
The ePrivacy Directive refers to conditional access to website content in Recital 25. This is sometimes used to justify using a cookie wall. It states:
'Access to specific website content may be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.'
However, when considering Recital 25, you should note that:
- 'specific website content' means that you should not make 'general access' subject to conditions requiring users to accept non-essential cookies – you can only limit certain content if the user does not consent; and
- the term 'legitimate purpose' refers to facilitating the provision of an information society service – ie, a service the user explicitly requests. This does not include third parties such as analytics services or online advertising.
If your use of a cookie wall is intended to require, or influence, users to agree to their personal data being used by you or any third parties as a condition of accessing your service, then it is unlikely that user consent is considered valid.
However, it should be noted that not all cookie tracking is necessarily intrusive or high risk. Furthermore, the UK GDPR is clear that the right to the protection of personal data:
- is not absolute;
- should be considered in relation to its function in society; and
- must be balanced against other fundamental rights, including freedom of expression and the freedom to conduct a business.
The key is that individuals are provided with a genuine free choice; consent should not be bundled up as a condition of the service unless it is necessary for that service.
Further reading – ICO guidance
Consent
Further reading – European Data Protection Board
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the EU version of the GDPR.
For information about the meaning of Recital 25, read WP29's Working Document on cookie consent from 2013.
While these guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime, they may still provide helpful guidance.
Can we pre-enable any non-essential cookies?
No. Simply because users may be unlikely to select a particular non-essential cookie when given the choice, or because the cookie is not privacy intrusive, is not a valid reason to pre-enable it. Enabling a non-essential cookie without the user taking a positive action before it is set on their device does not represent valid consent. By doing this, you are taking the choice away from the user.
Example
A website sets non-essential cookies on its landing page. Its cookie consent mechanism includes wording such as 'By continuing to use our website, you consent to our use of cookies'.
This does not represent valid consent, even if the mechanism also includes an 'OK' or 'Accept' button.
This is because the website has decided non-essential cookies will be set, and is then seeking the user's agreement afterwards – but is only providing the user with an option to 'continue' rather than a genuine free choice about whether they want to accept or reject the cookies.
Depending on the circumstances, particularly the design of your consent mechanism and the wording you use in the information you provide, it is also likely that pre-enabling non-essential cookies could be considered as 'nudge behaviour' – ie, you are influencing the user to take a particular course of action.
Example
A consent mechanism that emphasises 'agree' or 'allow' over 'reject' or 'block' represents a non-compliant approach, as the online service is influencing users towards the 'accept' option.
A consent mechanism that doesn't allow a user to make a choice would also be non-compliant, even where the controls are located in a 'more information' section.
Where your online service must also comply with the ICO's code of practice on age-appropriate design – ie because it is likely to be accessed by a child – 'nudge behaviour' cannot be used.
At all times, the key is that you ensure you provide clear and comprehensive information to the user, and have an appropriate consent mechanism that meets the requirements of the UK GDPR.
Ultimately, users may be more likely to give their consent to non-essential cookies where they fully understand:
- what you use cookies for;
- how you have gone about seeking their consent;
- how you (and any third party) intend to use their data; and
- that you have provided them with appropriate control over their preferences.
This can also be a means of enhancing trust and confidence in your online service.
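The points in this section (no non-essential cookie before a positive action, 'continuing to use' is not consent, accept must not be emphasised over reject, no pre-enabled categories) can be encoded as gating logic in front of the code that actually sets cookies. The snippet below is an added example, not the ICO's or any vendor's code; the four categories, the 90-day lifetime of the preference cookie (taken from the guidance's own example in the exemptions table), the action names and the banner-config shape are all assumptions made for the example.

```javascript
// Added example: consent-gate logic for a cookie banner. Nothing non-essential is
// granted until the user takes a positive action; dismissing or scrolling grants nothing.
const CATEGORIES = ["strictly_necessary", "preferences", "analytics", "advertising"];
const CONSENT_COOKIE_MAX_AGE = 90 * 24 * 60 * 60; // assumption: 90 days, as in the guidance's example

// Before any interaction only strictly necessary cookies may be set.
function initialConsent() {
  return {
    decided: false,
    granted: { strictly_necessary: true, preferences: false, analytics: false, advertising: false },
  };
}

// Apply a user action. Only explicit choices change the granted set; the state is
// not mutated so earlier decisions can be kept as an audit record.
function applyAction(state, action) {
  const next = { decided: state.decided, granted: { ...state.granted } };
  switch (action.type) {
    case "accept_all":
      for (const c of CATEGORIES) next.granted[c] = true;
      next.decided = true;
      break;
    case "reject_all":
      for (const c of CATEGORIES) next.granted[c] = c === "strictly_necessary";
      next.decided = true;
      break;
    case "save_choices": // granular choice from the second layer; action.chosen lists categories
      for (const c of CATEGORIES) next.granted[c] = c === "strictly_necessary" || action.chosen.includes(c);
      next.decided = true;
      break;
    case "dismiss":
    case "continue_browsing":
    case "scroll":
      break; // no positive action: nothing is granted and no decision is recorded
    default:
      throw new Error("unknown action: " + action.type);
  }
  return next;
}

// The single check every cookie-setting code path should call.
function maySetCookie(state, category) {
  if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
  return state.granted[category] === true;
}

// The preference cookie that remembers the decision; it is only written once a
// decision exists, and the banner text must tell users that it will be set.
function consentCookieHeader(state) {
  if (!state.decided) return null;
  const value = CATEGORIES.filter((c) => state.granted[c]).join(",");
  return `cookie_consent=${encodeURIComponent(value)}; Max-Age=${CONSENT_COOKIE_MAX_AGE}; Path=/; Secure; SameSite=Lax`;
}

// Lint a banner configuration for the patterns the guidance calls non-compliant.
// Config shape is an assumption: { text, firstLayerButtons: [{action, style}], defaultToggles: {category: bool} }.
function bannerIssues(config) {
  const issues = [];
  const actions = config.firstLayerButtons.map((b) => b.action);
  if (!actions.includes("reject_all")) issues.push("no reject option at the first layer");
  const accept = config.firstLayerButtons.find((b) => b.action === "accept_all");
  const reject = config.firstLayerButtons.find((b) => b.action === "reject_all");
  if (accept && reject && accept.style !== reject.style) issues.push("accept and reject are styled differently");
  for (const [c, on] of Object.entries(config.defaultToggles)) {
    if (c !== "strictly_necessary" && on) issues.push(c + " pre-enabled");
  }
  if (/continuing to (use|browse)/i.test(config.text)) issues.push("implied consent wording");
  return issues;
}

// Constructed configurations for illustration.
const NON_COMPLIANT_BANNER = {
  text: "By continuing to use our website, you consent to our use of cookies.",
  firstLayerButtons: [{ action: "accept_all", style: "primary" }],
  defaultToggles: { strictly_necessary: true, analytics: true },
};
const COMPLIANT_BANNER = {
  text: "We use cookies for preferences, analytics and advertising. Choose what to allow; we will remember your choice in a cookie for 90 days.",
  firstLayerButtons: [{ action: "accept_all", style: "primary" }, { action: "reject_all", style: "primary" }],
  defaultToggles: { strictly_necessary: true, preferences: false, analytics: false, advertising: false },
};

console.log(bannerIssues(NON_COMPLIANT_BANNER), bannerIssues(COMPLIANT_BANNER));
```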
What if we use third-party cookies?
Your online service may allow third parties to set cookies on a user's device. For example, if you include content from a third party (eg from an advertising network or a streaming video service) this third party may read and write their own cookies onto users' devices.
Where your website sets third-party cookies, both you and the third party have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent. In practice, it is obviously considerably more difficult for a third party who has less direct control on the interface with the user to achieve this. It is also important to remember that users are likely to address any concerns or complaints they have to the person they can identify or have the relationship with – in this case you, as the company running the website. It is therefore in both parties' interests to work together.
If you are a third party wanting to set cookies, or you want to provide a product that requires the setting of cookies, you should include a contractual obligation into your agreements with web publishers. This can provide assurance that appropriate steps will be taken to provide information about the third party cookies and to obtain consent. However, you may need to take further steps, such as ensuring that the consents were validly obtained.
If you design and develop websites or similar technologies for other people you must also carefully consider the requirements of PECR and make sure the systems you design allow your clients to comply with the law. You must also ensure that when you design and develop new online services, or upgrade software, that you take into account both the requirements in PECR and broader data protection requirements, particularly in respect of Article 25 of the UK GDPR on data protection by design.
This is an approach whereby privacy and data protection compliance is designed into systems and services right from the start, rather than being bolted on afterwards or ignored.
Obviously, the process of getting consent for third-party cookies is more complex and everyone has a part to play in making sure that the user is aware of what is being collected and by whom.
However, if your online service allows or uses third-party cookies you still have to ensure you provide appropriate information to users and that you are allowing them to consent to what is stored on their device.
This is one of the most challenging areas in which to achieve compliance with PECR. The ICO continues to work with industry and other regulators to assist in addressing the difficulties and finding workable solutions.
Are analytics cookies exempt?
No. It is important to note that PECR does not distinguish between cookies used for analytics activities and those used for other purposes. Analytics cookies do not fall within the 'strictly necessary' exemption. This means you need to tell people about analytics cookies and gain consent for their use.
Analytics cookies are used so online services can collect information about how people access them – for example, the number of users on a website, how long they stay on the site for, and what parts of the site they visit. This is also sometimes known as 'web audience measurement'. This work is often done 'in the background'.
Whilst analytics can provide useful information for you, they are not part of the functionality that the user requests when they use your online service – if you didn't have analytics running the user could still be able to access your service. This is why analytics cookies aren't strictly necessary and do require consent.
There are two types of analytics cookies: first-party and third-party. Consent is necessary for first-party analytics cookies, even though they might not appear to be as intrusive as others that might track a user across multiple sites or devices. You need to consider how you will explain your policies to users and make that information more prominent.
A number of services exist that provide an analytics function, and it could be easier for you to use these instead of building your own. However, it can be more difficult to obtain consent for third-party analytics cookies as there is no direct relationship between the third-party organisation and the user of your site. In these cases you need to ensure the information you provide to users about these cookies is absolutely clear and is highlighted in a prominent place – for example you can't just include it through a general privacy policy link.
If personal data is also processed through your use of a third-party analytics service, you need to take account of data protection requirements.
You should put measures in place to highlight the use of analytics cookies and to obtain agreement to set these cookies.
If the information collected about website use is passed to a third party this should be made absolutely clear to your users. It should also be clear what this third party does with this information. Depending on the specifics of your service, you may also offer users the ability to change the settings of their account to limit the sharing of their information with third parties, including the analytics provider. (The analytics service may also provide this functionality, and you should consider enabling it where appropriate to do so.) In any case, the controls provided to the user should be prominently displayed and not hidden away.
Ultimately, you have to provide clear information to users about analytics cookies and to take steps to seek their consent. This is likely to involve making the argument to show users why these cookies are useful to them – but you must ensure if you do this you aren't leading the user to one choice over another.
Although the ICO cannot rule out the possibility of formal action in any area, this may not always be the case where the setting of a first-party analytics cookie results in a low level of intrusiveness and low risk of harm to individuals. However you should also note that where you use first-party analytics cookies provided by a third party, this is not necessarily going to be the case.
How do the exemptions apply to different types of cookies?
The exemptions in PECR relate to the purpose for which you store information, or gain access to information stored, on user devices. You are required to be clear with your users about these purposes when providing information and requesting consent, and if you have undertaken a cookie audit you should already know what these purposes are.
This section is not intended to provide an exhaustive list of how PECR's exemptions work for all types of cookies. It is an indicative list based on a number of common purposes that you may use cookies for.
| Activity | Likely to meet an exemption? | Notes |
|---|---|---|
| User input | ✓ | Yes, depending on purpose limitation. If your online service uses a session cookie to track user input for specific functions of your service (eg a shopping basket or completing a form), then you can rely on the strictly necessary exemption provided that the cookie is only used for this purpose. This may not apply if the cookie is persistent. |
| Authentication | ✓ | Yes, depending on purpose limitation. If you use first-party session cookies for authentication purposes, you can rely on the strictly necessary exemption provided they are only used for this purpose. However, persistent login cookies are not exempt (as the user may not remember that they are logged in on a subsequent visit) and therefore consent is required in these cases. |
| Security | ✓ | Yes, depending on purpose limitation. First-party cookies used for security purposes can rely on the strictly necessary exemption; for example, cookies used to detect repeated failed login attempts. They can also have a longer duration than a session cookie. However, cookies that relate to the security of other online services besides your own require consent. This is because the functionality the user has requested relates to your service, not those of any others. If you use device fingerprinting techniques for a specific security purpose then you can also rely on the strictly necessary exemption. However, as with cookies, if the information is processed for secondary purposes - such as those relating to the security of online services the user has not requested - consent is required. This also applies where the information is processed for the purposes of fraud prevention, particularly in cases where multiple online services use a single fraud prevention service which processes information from visitors of all of those services. |
| Streaming content | ✓ | Yes, depending on purpose limitation. If your service is an online content provider that uses streaming media, then you can rely on the strictly necessary exemption for cookies that relate to the video or audio. This is because the streaming media forms part of the service that the user has requested. However, the exemption does not extend to cases where the cookie processes data that is not strictly necessary for the purposes of the streaming functionality, such as personalisation or usage monitoring. Additionally, where an online service just includes streaming content hosted by a third-party online content provider (eg, where a website embeds YouTube videos, even those from its own YouTube channel), the exemption may not apply. If this applies to you, you will need to consider the circumstances carefully. |
| Network management | ✓ | Yes, depending on purpose limitation. If you use session cookies for load balancing purposes, you can rely on the communication exemption. This applies only where the cookies are for the sole purpose of identifying which server in the pool the communication will be directed to. Where you use device fingerprinting techniques for network management, you could also rely on the communication exemption provided that the use is solely for this purpose. |
| User preference | ✓ | Yes, depending on purpose limitation. Session cookies used to store a user's preference can rely on the strictly necessary exemption, provided they are not linked to a persistent identifier. The exemption may in some cases also apply to persistent cookies but the user must be given sufficient information in a prominent location - for example, cookies used as part of a cookie consent mechanism, which remember the user's cookie preferences over a period of time (eg 90 days), can be exempt. Alternatively, the act of interacting with the consent mechanism can be sufficient for consent to be obtained for any cookies relating to that mechanism, provided the user is given clear and comprehensive information as to the fact that a persistent cookie will be set on their device for the purpose of remembering their cookie consent preference. Where device fingerprinting techniques process information to optimise the site layout - such as where an online service uses responsive design, so that the site changes depending on the type of device - the strictly necessary exemption can apply. This would also apply to any third party services that are incorporated. However, the information accessed must be used solely for this purpose. Any secondary purposes mean the exemption would not apply and consent is required. |
| Social media plugins | ✗ | Consent required. Where a user of your online service is also logged in to a social media platform, and your service includes plugins and other tools provided by that platform, they might expect to be able to use these plugins as part of their interaction with the social network. In such cases, the cookies that the plugins set on your service could be seen as strictly necessary for the functionality the user has requested. However, this would not apply to non-logged in users of that social media platform – be these users who have logged out, or users that are not members of that network. Consent is therefore required for any cookies that the social plugins set. Unless the plugins are configured only to set cookies on devices used by logged-in members of the social media platform, consent is likely to be required in all circumstances as you cannot assume that all of your visitors will also be members of whichever social networks you link to. |
Social media tracking | ten | Consent required. Where a social media plugin or other technology tracks users, exist they members or non-members of that item platform, for other purposes (including but non express to online advertising, behavioural monitoring, analytics, or market place research) the strictly necessary exemption would not use. Any utilize of web beacons, tracking pixels, JavaScript code or similar technologies from a social media platform or any other third party is not exempt from the consent requirements. Additionally, at that place is no applicable lawful basis other than consent for social media platforms to process information almost non-members of their networks through these technologies. |
Online advertising | ten | Consent required. If your service includes cookies used for the purposes of online advertising, y'all cannot rely on the strictly necessary exemption. Online advert cookies are not exempt from PECR'due south consent requirements and never have been. This includes all third-party cookies used in online advertizement, including for purposes such as frequency capping, ad affiliation, click fraud detection, market place inquiry, product improvement, debugging and any other purpose. Utilise of device fingerprinting techniques from advert networks is as well not exempt from the consent requirements. You should also note that your users are often unaware that this processing is taking identify and that it involves creating profiles of users across different services over fourth dimension to serve targeted advertizing. |
Cross-device tracking | ten | Consent required. Where you use cookies or device fingerprinting techniques to link a user's business relationship with a particular device or devices (eg, as part of the business relationship profile, to provide a 2nd authentication gene or to track users across multiple devices for any purpose – including advertising), consent is required. This is considering this purpose is not strictly necessary to provide the functionality the user requests. |
Analytics | x | Consent required. You are likely to view analytics as 'strictly necessary' considering of the information they provide most how visitors engage with your service. Even so, you cannot use the strictly necessary exemption for these. Consent is required because analytics cookies are not strictly necessary to provide the service that the user requests. For example, the user tin access your online service whether analytics cookies are enabled or non. If you apply device fingerprinting for analytics instead of or alongside cookies, you should notation that doing and so is not exempt from the consent requirements either. |
What if our users change their minds about cookies?
Once consent has been obtained, users or subscribers are able to withdraw that consent at any time. You should therefore ensure that your consent mechanism has the technical capability to allow users to withdraw their consent with the same ease that they gave it, otherwise it will not be compliant with the UK GDPR's consent requirements.
You must also provide information about how consent can be withdrawn, and how cookies that have already been set can be removed, eg in your consent mechanism or within your privacy or cookie policies.
The consequences of withdrawing that consent could be made clear, for example, by explaining the impact on the functionality of the website.
How often should we get consent?
You should ensure that any first time visitors to your website are provided with clear information about the cookies you use and are given choices and controls about any non-essential ones.
There are a range of reasons why you may need visitors to 'reconsent' to cookie settings. However, depending on the circumstances you may not need to ask for fresh consent each time someone visits. A number of factors will be involved, such as frequency of visits or updates of content or functionality.
An example of where you need to obtain fresh consent is when you are setting non-essential cookies from a new third party. This is because the consent that the user previously gave would apply only to those parties that you specified at the original time. When your service sets cookies from a new third party, you would need to ensure that users consent to this.
Importantly, the clear and comprehensive information you provide in your consent request should not include ambiguous or unclear references to 'partners' or 'third parties'. This would mean that the consent is invalid, as it is not specific and therefore the user is not fully informed.
How should we keep records of user preferences?
Some users will visit your website regularly and others will visit rarely, with a spectrum of others in between.
You therefore need to decide an appropriate interval between when you require users to select their preference (whether that is consent or rejection), and also decide when that preference expires (after which point users are given the option again).
At the same time, PECR isn't intended to inconvenience or unduly disrupt the experience of your users. You are not expected to repeatedly require your users to specify their preference as a matter of course, whether that results in consent for non-essential cookies or refusal.
These are issues that you will need to decide as the service provider.
Example
A website decides to use a cookie consent mechanism that enables the user to consent to, or to reject, non-essential cookies. When users consent to the setting of these cookies, the website records this preference in its own persistent cookie, which is stored on the users' devices and set to expire at a certain point in the future.
Provided the user visits again before the expiration date, they won't need to 'reconsent' to the cookies, because the site's preference cookie recognises that they consented previously. On the other hand, if the user visits infrequently then the cookie may expire before their next visit – meaning that they would need to consent again in the future.
The exact interval for the expiration of a persistent cookie is a matter for you to consider, in relation to the circumstances of your online service and what you are seeking user consent for.
Additionally, if you use a third party consent mechanism and this records consents in digital form, you will need to ensure that this data is appropriately protected (and, if personal data is involved, that you have also considered any obligations under the UK GDPR – such as whether the third party is a processor or joint controller).
You should note that many 'off-the-shelf' consent mechanisms that use preference cookies may default to a certain expiration period, such as 90 days or so. Whilst using the default may be the simplest option you should nevertheless take the time to determine whether this interval is appropriate for you, and then document your conclusions.
Our guidance on consent gives more specifics about how you should go about recording consent, and how you should go about determining how long you should retain those records for.
Further reading – ICO guidance
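The preference cookie described in the example above, together with the fresh-consent case for a newly added third party from the 'How often should we get consent?' section, as an added example (not ICO's code or any consent vendor's): the record stores the decision and the parties it named, and the site re-prompts when the record is missing, has passed the chosen interval, or no longer covers a party now in use. The cookie name, the 90-day default and the party names are assumptions for illustration.

```javascript
// Added example, not ICO code. Cookie name, 90-day default and party names are assumptions.
const CONSENT_COOKIE = "cookie_consent";
const DAY_MS = 86400000;
const DEFAULT_TTL_DAYS = 90; // off-the-shelf default; decide and document your own interval

// Third parties whose non-essential cookies the banner currently covers (constructed list).
// Consent has to name them; a vague reference to "partners" would not be specific.
const CURRENT_PARTIES = ["analytics.example", "ads.example"];

// Encode the preference record: decision, the parties it covered, and when it was taken.
function encodeConsent(decision, parties, recordedAt) {
  const record = { decision, parties: [...parties].sort(), recordedAt };
  return encodeURIComponent(JSON.stringify(record));
}

// Find and decode the record in a raw Cookie header / document.cookie string; null if absent.
function decodeConsent(cookieHeader) {
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try { return JSON.parse(decodeURIComponent(rest.join("="))); } catch (e) { return null; }
  }
  return null;
}

// Fresh consent is needed when there is no record, the record has passed the chosen
// interval, or the service now sets cookies from a party the earlier consent did not name.
function needsFreshConsent(record, currentParties, nowMs, ttlDays = DEFAULT_TTL_DAYS) {
  if (!record || !Array.isArray(record.parties)) return true;
  if (nowMs - record.recordedAt > ttlDays * DAY_MS) return true;
  const covered = new Set(record.parties);
  return currentParties.some((p) => !covered.has(p));
}

// Cookie string recording a decision ("accepted" or "rejected"). Withdrawal is the same
// call with "rejected", so it is as easy as giving consent and is remembered just as long.
function consentCookieString(decision, parties, nowMs, ttlDays = DEFAULT_TTL_DAYS) {
  const expires = new Date(nowMs + ttlDays * DAY_MS).toUTCString();
  return `${CONSENT_COOKIE}=${encodeConsent(decision, parties, nowMs)}; ` +
    `Expires=${expires}; Path=/; SameSite=Lax; Secure`;
}

// Whether non-essential cookies may be set right now, given the stored record.
function nonEssentialAllowed(record, currentParties, nowMs) {
  return !needsFreshConsent(record, currentParties, nowMs) && record.decision === "accepted";
}
```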
Consent
How long should our cookies last?
This will depend on the purpose of the cookie. However, it is important that you consider cookie duration because this can affect the application of the exemptions in Regulation 6(4).
This also depends on the purpose you use the cookie for – so it is difficult to provide comprehensive guidance for each possible type of cookie. Ultimately, you need to ensure that your use of the cookie is:
- proportionate in relation to your intended outcome; and
- limited to what is necessary to achieve your purpose.
This is likely to lead you towards a determination of the duration.
Example
An online service features user accounts on its website. To ensure that users are who they say they are, the online service uses an authentication cookie to recognise the user.
Once the user has logged out of the service (or closed their browser), the cookie is no longer required and is therefore deleted once this takes place.
In this case there is no reason for the cookie to be persistent.
If you are incorporating tools into your online service that involve cookies, you should check whether these have a default duration. This may be appropriate in relation to the purpose of the cookie, but you should still assess this and change it if appropriate.
As a general rule, the exemptions in PECR are more likely to apply to session cookies – those that last until the user has closed their browser, or just slightly after. This isn't always the case, however.
There are some clear cases where the duration of a cookie is wholly disproportionate. For example, whilst it may be technically possible to set the duration of a cookie to "31/12/9999" this would not be regarded as proportionate in any circumstances.
Source: https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/how-do-we-comply-with-the-cookie-rules/