In a series of articles, IP partner James Tumbridge explains digital concepts and the law associated with them.
There has been a steady growth over the past 25 years in digital regulation. One of the longest standing regulations concerns cookies, but what exactly are they?
What is a cookie?
A cookie is a small digital file that downloads on to a computer when it visits a website. Cookies are used by most websites and have a variety of purposes – for example, remembering preferences, recording the content of a shopping basket, and counting the number of people visiting a website. Common types include persistent cookies that can save data for an extended period of time, such as usernames and password information for users; third-party cookies that seek out data regarding online activity to send back to website owners looking to improve advertisements; and session cookies that delete immediately after closing the browser.
What is the law that governs cookies in Europe?
In the late 1990s there was a growing view that there needed to be more transparency concerning files that gather and share information on a person’s online activity. In Europe this led to the Privacy and Electronic Communications Regulations 2003 (PECR). PECR also covers the use of similar technologies for storing or accessing information, such as ‘Flash cookies’ and device fingerprinting. In addition, the General Data Protection Regulation (GDPR), implemented in the UK via the Data Protection Act 2018, affects the regulation of them. Though the GDPR only briefly mentions cookies in one recital, it is a reminder that they can gather and process personal data.
The more targeted law dealing with cookies is the ePrivacy Directive (EPD), originally passed in 2002 then amended in 2009. The GDPR also updated it. It made provision as to the confidentiality of electronic communications and the tracking of internet users more broadly.
What are the key regulations that govern cookies under GDPR and EPD?
Cookies are fairly harmless to computer operations, very widespread and often key to the function of websites. Cookies can store a lot of data, including personal data, and they are the primary tool that advertisers use to track online activity so that they can target recipients with specific ads. They are not going away, and further regulation is entirely possible.
The key regulations governing cookies under the GDPR and EPD require (note there are other requirements) that you:
- Have a system for users consent to cookies and can only require strictly necessary cookies. This has led to the pop-up approach on websites asking for consent.
- Provide information about the data each cookie tracks and its purpose in plain language before consent is received. This is typically achieved in a cookie policy or more detailed information accessed via the pop-up.
- Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.
With this background understanding, it is important to realise that technology has not stood still, and new ‘tracking’ software has developed. It is also important to keep in mind that PECR includes broad terms as to what it applies to. The relevant law does not talk of ‘cookies’; it talks of ‘traffic data’, meaning any data processed for the purpose of the conveyance of a communication on an electronic communications network and ‘location data’, meaning any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user. Therefore, a wide range of types of ‘cookies’ are caught if they gather or process traffic or location data.
Is Meta’s Pixel a cookie?
The Meta Pixel JavaScript code is an analytics tool which is added to websites to track visitor activity. The tracking of user activity is done by means of collecting information contained in HTTP headers, button click data, form field names, and other specified data. Is it a cookie? Well, arguably yes – at least, it is the kind of file that gathers and processes data and so it is subject to PECR and the laws that cover cookies.
Meta has made the choice to offer something that raises privacy concerns. The aim of the tool is generally for website owners to track activity and help them with website optimisation, improving the user experience, but not everyone realises this is a type of cookie, and it must be consented to.
The tip is to think about what the software does, rather than any focus on what it is called. Otherwise, you might find you have made a misstep and breached the law.
If you have any questions on cookies and whether the software you are using is caught by the regulations, please contact James Tumbridge.
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article.