Cookies are small files which store data on an individual’s device about their use of a website, allowing the website to recognise the individual from their previous visits. This can make websites more efficient and their use more personalised for the user. This storage of data means that the user’s privacy becomes a concern, therefore cookies are regulated under data protection legislation. There is a distinction between essential cookies, which are necessary for a website to operate and for which user consent is not required, and non-essential cookies which may be used to track users’ browsing habits and for which consent is required.

The main legislation governing cookies is the Privacy and Electronic Communications Regulations 2003 (PECR), although the UK GDPR along with the Data Protection Act 2018 both have a role regulating cookies. Under PECR a website operator is obliged to tell users which cookies are in operation and how they will be used, and must obtain the user’s consent to store cookies. Websites typically use a “banner” mechanism that pops up on a user’s visit to a website, which offers information about the cookies used and requests consent in relation to which types of cookies may be used.

If the information stored using cookies is sufficient to identify an individual, the UK GDPR must also be complied with. The UK GDPR requires there to be a legal basis for the processing of personal data. Of the six legal bases available in the UK, “consent” is the most appropriate legal basis regarding cookie data.

Website operators should ensure that they are compliant with the above data protection legislation, and that they keep their data processing under review. Although the UK government wishes to reduce the amount of cookie banners which appear on websites, changes are unlikely to come in the immediate future.