
The way the cookie crumbles: your guide to cookies and the law

7th Jan 2025 | Data Protection | Data Protection Audit for Businesses | Data Protection Round-up | Direct Marketing Training

Cookies are an essential feature of the internet as we know it, but they’re still misunderstood by many, especially where the law is concerned. 

If your organisation has a website, you will likely have heard of ‘cookies’ (and not the chocolate chip kind).

Cookies play an important role in the digital ecosystem and can have massive benefits to your organisation’s digital marketing efforts. However, to make sure you’re leveraging cookies without breaking the law, you first need to understand what cookies are, how they work, and the legislation that applies.

What is a cookie?

A cookie is a small piece of data (a name and a value, plus optional attributes such as an expiry date and the domain it belongs to) that a website places in a person’s browser when they view a page. The browser stores it and sends it back with later requests to that site, which is what lets the site recognise the same visitor from one page, or one visit, to the next.

Cookies store certain information about your website’s users and, as a result, enable your organisation to better understand customer preferences, optimise your website’s functionality, and target adverts more effectively.

Which laws govern cookie use?

The use of cookies in the UK is primarily governed by the Privacy and Electronic Communications Regulations (PECR), which sit alongside the Data Protection Act 2018 and UK GDPR.

Depending on which cookies you set and what they are used for, you will need to meet requirements under both regimes: PECR governs storing information on, or reading it from, a user’s device at all, and UK GDPR applies wherever the information involved can be linked to an identifiable person.

How many types of cookies are there?

Although there is no definitive list of the different types of cookies, cookies can be categorised in various ways. Some of the most common are:

  • Essential and non-essential
  • First-party and third-party

What are essential and non-essential cookies?

Essential cookies, sometimes referred to as ‘strictly necessary’, are required for your website and its services to work properly. An example of an essential cookie is one that holds a session identifier so that a user stays logged in whilst browsing different pages of your website (the cookie carries a random token, not the user’s credentials).

Non-essential cookies include:

  • Performance or analytical cookies provide useful information about how people use your website, for example the most popular pages or products
  • Targeting or advertising cookies allow you to show adverts tailored to a particular user based on their online activity, such as browsing history

Strictly necessary cookies are exempt from PECR’s consent requirement, although you must still tell users that you set them and why. Non-essential cookies need consent before they are set. UK GDPR applies to either category whenever the cookie data relates to an identifiable person.

What are first and third-party cookies?

First-party cookies are set by the website the user is actually visiting (the domain shown in the address bar) and are sent back only to that site. Examples of first-party cookies include remembering a login session or the items in a customer’s shopping basket. These are often seen as the ‘good’ types of cookies, as they can be helpful to both businesses and service users.

Third-party cookies are set by a domain other than the one the user is visiting, typically by content embedded in your page such as an advertising or analytics script. Because the same third party can be embedded on many different websites, it can recognise the same browser on each of them and build up a browsing history.

As a result, users can be targeted with bespoke information based on this browsing history, usually advertising.

How can I ensure my organisation is cookie-compliant?

The main issue we see is that many organisations do not realise that they must tell their website users which cookies they use, what each one is for, and how long it is retained.

In addition, websites should enable users to set their cookie preferences. PECR borrows the UK GDPR standard of consent, so it must be a freely given, specific, informed and unambiguous opt-in: pre-ticked boxes, or treating continued browsing as agreement, do not count. Consent is required for all but the few strictly necessary cookies, yet many websites still do not allow proper preference setting, and non-essential cookies are often set before the user has made any choice.
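The inventory described above (which cookies are set, whether each is first- or third-party, its purpose, its retention period and whether it needs consent) is normally produced by crawling the site and recording the `Set-Cookie` headers it returns. The following is an added example of that audit step, written for this page rather than taken from the article or any product; the site host, the purpose register and the observed headers are constructed sample data, and the hostnames are made up. It also applies a stored consent choice to decide which of the inventoried cookies may actually be set.

```javascript
// Added example, not code from the original article: parse Set-Cookie headers
// and build the cookie inventory (name, party, purpose, retention, consent
// requirement) that a site must be able to present to its users.
// SITE_HOST, PURPOSES and OBSERVED are constructed sample data for the demo.

const SITE_HOST = "www.example.co.uk"; // assumed first-party host

// Assumed purpose register; a real audit fills this in from the developers
// and vendors responsible for each cookie. Names are illustrative only.
const PURPOSES = {
  session_id: { category: "essential",   purpose: "keeps the user logged in" },
  basket:     { category: "essential",   purpose: "remembers shopping basket items" },
  _ga:        { category: "analytics",   purpose: "measures which pages are popular" },
  ad_profile: { category: "advertising", purpose: "targets adverts by browsing history" },
};

// Constructed Set-Cookie headers as a crawler would observe them, keyed by the
// host that sent each response.
const OBSERVED = [
  { host: "www.example.co.uk",       header: "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { host: "www.example.co.uk",       header: "basket=item42; Max-Age=604800; Path=/; Secure; SameSite=Lax" },
  { host: "www.example.co.uk",       header: "_ga=GA1.2.1; Domain=.example.co.uk; Max-Age=63072000; Path=/" },
  { host: "ads.tracker-example.net", header: "ad_profile=u9; Domain=.tracker-example.net; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure; SameSite=None" },
  { host: "www.example.co.uk",       header: "mystery=1; Max-Age=3600" },
];

// Parse one Set-Cookie header value into its name, value and attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), domain: null,
                   maxAge: null, expires: null, secure: false, httpOnly: false, sameSite: null };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    switch (k.toLowerCase()) {
      case "domain":   cookie.domain = v.replace(/^\./, "").toLowerCase(); break;
      case "max-age":  cookie.maxAge = Number(v); break;
      case "expires":  cookie.expires = new Date(v); break;
      case "secure":   cookie.secure = true; break;
      case "httponly": cookie.httpOnly = true; break;
      case "samesite": cookie.sameSite = v; break;
    }
  }
  return cookie;
}

// A cookie is first-party when the domain it is scoped to is the site host or
// one of its parent domains. (A production audit should also consult the
// public suffix list so that a suffix such as "co.uk" is never treated as a parent.)
function isFirstParty(cookie, responseHost, siteHost) {
  const scope = cookie.domain || responseHost.toLowerCase();
  return siteHost === scope || siteHost.endsWith("." + scope);
}

// Retention in whole days (rounded up); null means a session cookie that is
// discarded when the browser closes.
function retentionDays(cookie, now) {
  if (cookie.maxAge !== null) return Math.ceil(cookie.maxAge / 86400);
  if (cookie.expires) return Math.ceil((cookie.expires - now) / 86400000);
  return null;
}

// Build the inventory. Anything missing from the purpose register is flagged
// and treated as needing consent rather than silently assumed to be essential.
function auditCookies(observed, siteHost, now) {
  return observed.map(({ host, header }) => {
    const c = parseSetCookie(header);
    const reg = PURPOSES[c.name] ||
      { category: "unclassified", purpose: "NOT DOCUMENTED: investigate before launch" };
    const warnings = [];
    if (!c.secure) warnings.push(c.sameSite === "None" ? "SameSite=None without Secure" : "missing Secure");
    return {
      name: c.name,
      party: isFirstParty(c, host, siteHost) ? "first-party" : "third-party",
      category: reg.category,
      purpose: reg.purpose,
      retentionDays: retentionDays(c, now),
      consentRequired: reg.category !== "essential",
      warnings,
    };
  });
}

// Apply a user's stored preferences: essential cookies always pass, everything
// else only with an explicit opt-in recorded for its category.
function allowedBy(inventory, consent) {
  return inventory
    .filter((e) => !e.consentRequired || consent[e.category] === true)
    .map((e) => e.name);
}

const NOW = Date.UTC(2025, 0, 7); // fixed clock so the demo is reproducible
const inventory = auditCookies(OBSERVED, SITE_HOST, NOW);
for (const e of inventory) console.log(e);
console.log("may be set with analytics consent only:", allowedBy(inventory, { analytics: true }));
```

The `mystery` cookie is the case that matters in practice: a cookie nobody has documented is a gap in your cookie notice, so the audit flags it instead of guessing a category. The `warnings` column is a security extra rather than a legal requirement, but a cookie without `Secure` (or with `SameSite=None` and no `Secure`, which modern browsers reject) is worth fixing while you are listing them anyway.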

However, there is no cookie-cutter approach to compliance. Although the rules and regulations are simple in principle, how they are applied is very much up to organisations.

This, coupled with ever-changing data protection laws, means it’s essential to get the right legal advice.

For more information on data protection law, including cookies, contact Alex Craig using 0191 211 7911 or [email protected].
