Computer cookies are small pieces of information made up of letters and numbers, like a code. Online services provide them when you visit their website. Software on your computer can store cookies, and send them back to the website next time you visit. This allows the website to recognise your device.
Why are they called ‘cookies’?
There are different theories, but many think the term comes from fortune cookies – a cookie with an embedded message. Others believe the name came from the fairytale Hansel and Gretel. They left a trail of cookie crumbs in the forest to find their way back, in much the same way that internet cookies can track your activity.
First party and third party cookies
There are two categories of computer cookies: first party and third party. This refers to who sets the cookie. Third party cookies are set by someone other than the website you are using – normally for advertising, social media plug-ins and images. This happens when the website pulls these elements in from other places. First party cookies are set and stored by the website itself, to do anything from data analytics to remembering language settings.
Session and persistent cookies
Within first and third party cookies, there are two further categories: persistent cookies and session cookies. Session cookies expire at the end of the session, usually when you exit the browser. This can be a security feature for sites such as online banking which log you out after each session.
Persistent cookies are stored on your device and may be used to remember preferences or actions next time you visit the same website. They’re also used for targeted advertising. You can manually delete persistent cookies.
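The two distinctions above (first vs third party, session vs persistent) can both be read straight off the Set-Cookie headers a browser receives. The following is an added example, not code from the original page: a small Python script that takes constructed Set-Cookie headers, records which host served each one, and classifies every cookie as first or third party and as session or persistent (a persistent cookie carries an Expires or Max-Age attribute; a session cookie carries neither). It also notes a Max-Age of zero or less, which is how a site deletes a cookie, and whether the Secure and HttpOnly attributes are present. The registrable-domain helper is a deliberate simplification (last two labels only); a real audit would use the Public Suffix List.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class CookieReport:
    name: str
    party: str      # "first" or "third"
    lifetime: str   # "session", "persistent" or "expired"
    secure: bool
    http_only: bool


def _registrable(host: str) -> str:
    # Simplification: treat the last two labels as the site. Real code would
    # consult the Public Suffix List so that e.g. "example.co.uk" is handled.
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def _parse_attrs(header: str) -> Tuple[str, Dict[str, str]]:
    # Split only on ';' so an Expires value such as
    # "Wed, 21 Oct 2026 07:28:00 GMT" keeps its commas intact.
    parts = [p.strip() for p in header.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name.strip(), attrs


def classify_set_cookie(header: str, response_host: str, site_host: str) -> CookieReport:
    """Classify one Set-Cookie header received while browsing site_host."""
    name, attrs = _parse_attrs(header)

    # Party: who served the response that set the cookie?
    party = "first" if _registrable(response_host) == _registrable(site_host) else "third"

    # Lifetime: Expires / Max-Age make a cookie persistent; Max-Age <= 0 deletes it.
    lifetime = "session"
    if "max-age" in attrs:
        try:
            lifetime = "expired" if int(attrs["max-age"]) <= 0 else "persistent"
        except ValueError:
            lifetime = "persistent"  # malformed value: browsers vary, flag it as persistent
    elif "expires" in attrs:
        lifetime = "persistent"

    return CookieReport(
        name=name,
        party=party,
        lifetime=lifetime,
        secure="secure" in attrs,
        http_only="httponly" in attrs,
    )


def audit(site_host: str, responses: List[Tuple[str, str]]) -> List[CookieReport]:
    """responses: (host that sent the response, Set-Cookie header) pairs."""
    return [classify_set_cookie(hdr, host, site_host) for host, hdr in responses]


# Constructed sample: one page load on www.example.com that pulls in an
# advertising script from a separate domain.
SAMPLE_RESPONSES = [
    ("www.example.com", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("www.example.com", "lang=en-GB; Max-Age=31536000; Path=/"),
    ("cdn.adnetwork.example",
     "_ads=xyz; Domain=.adnetwork.example; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/"),
    ("www.example.com", "promo=old; Max-Age=0; Path=/"),
]

if __name__ == "__main__":
    for r in audit("www.example.com", SAMPLE_RESPONSES):
        print(f"{r.name:10} {r.party:5} party  {r.lifetime:10} "
              f"secure={r.secure} httponly={r.http_only}")
```

Running the script against the constructed sample shows the site's own login cookie as a first party session cookie, its language preference as first party persistent, the advertising cookie as third party persistent (the combination the text associates with targeted advertising), and the final header as a deletion.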
Links to data protection
The use of computer cookies is covered under the Privacy and Electronic Communications Regulations 2003 (PECR). This requires websites to tell you about cookies, so you can choose whether or not the information is stored on your device. A website must say what cookies will be set, what they will do, and obtain consent to do this. This includes third party cookies.
The information needs to be “clear and concise”, although what this means isn’t defined within PECR. Consent needs to be obtained for non-essential cookies. “Essential” here means the cookies needed for the site to function, not things the provider might deem essential, such as analysing traffic.
PECR sits alongside data protection laws and provides specific rules relating to privacy and e-communication. The requirements of PECR apply where an online service stores information on a user’s device. It relates to all cookies, regardless of whether they involve personal data or not. Where they do relate to personal data, GDPR also applies.
The requirements of PECR must be satisfied first. The only lawful basis for setting non-essential cookies is GDPR-compliant consent. However, where cookies are essential, and therefore exempt, consent is not necessary.
PECR does not give a definition of consent, so the GDPR definition is used. This states that “consent must be freely given, specific, informed, and unambiguous”. This means the consent must be clear, and not hidden among terms and conditions. As with GDPR, consent must be easy to withdraw at any time, and websites cannot use pre-ticked boxes. If users don’t provide consent, the website may not have full functionality, but that doesn’t mean they are blocked from using it.
How to comply
If you operate an online service, it is your responsibility to ensure PECR compliance. Whilst your IT provider may be involved with physically setting computer cookies, you as the data controller are responsible for agreeing them and ensuring consent is gained where necessary. The ICO produced a checklist you can follow to ensure your cookies are compliant with legislation. For more information, Veritau clients can contact the information governance team.