More than just Cookies

The Quick Version

An interesting thing to see in the run up to the implementation of GDPR (and since) has been the increase in the number of websites using Cookie Banners and providing their visitors with information about their use of cookies and similar technologies.

While this is great to see, it is a misconception that this has been due to the requirements of GDPR. The use of cookies on your website is governed by the Privacy and Electronic Communications Regulations (PECR), as is your use of email, SMS, voicemail, social media or multimedia messages to contact individuals. Again, this means that many of the conversations around consent to send marketing emails, which have focused solely on the requirements of GDPR, miss the importance of this legislation.

GDPR does not override or replace PECR. Your organisation's privacy obligations include those under PECR, and these important regulations should not be ignored.

The ICO received five times more complaints under PECR than it did under the Data Protection Act.

ICO Annual Report 2017/18

The main impacts

If your privacy compliance efforts focus solely on your obligations under GDPR you risk falling foul of the requirements of the Privacy and Electronic Communications Regulations.

Your email and other electronic communications with individuals and businesses are governed by these regulations which are a lex specialis (a law which deals with a specific subject) as well as the GDPR which is a lex generalis (a law governing general matters).

In practice this means your organisation needs to balance the requirements of both when processing personal data - especially when marketing - and needs to understand when your activities fall under one or the other (or both).

This is important as there are currently situations in which the requirements of each appear to conflict, so knowing how they interact is crucial to ensuring your marketing and use of cookies remain compliant.

The rules of PECR apply to direct marketing by phone, email, text, social media or fax but do not apply to genuine market research which does not contain any promotional material and where you will not use the information gathered as part of your market research for future marketing. Despite claims to the contrary, there is nothing in PECR (or GDPR) which prevents you from sending promotional information which has been requested, but you need to ensure you follow the rules whether you are marketing to individuals or businesses (although the rules are slightly different for businesses). The rules apply to data gathered pre-GDPR, not least because PECR has been around since 2003.

Your use of Cookies (and similar technologies like pixels) falls mainly under PECR. There is a crossover with GDPR in that PECR requires you to obtain consent to the use of 'non-essential' Cookies and the standard of consent is set by GDPR. This means that the information you provide about your use of Cookies must be clear and sufficiently detailed to allow the user to provide truly informed consent. The use of Cookie banners on most sites is now common, but our view is that many of these banners do not comply with the requirements and many Cookie Notices are not clear or detailed enough. Do not forget that if Cookies are used in your applications they are also subject to PECR.
