TL;DR
Tracking cookies aren’t automatically illegal; what matters is how you use them. UK law (specifically the Privacy and Electronic Communications Regulations – PECR) requires clear consent before setting non-essential tracking cookies. If you don’t get proper consent, you could face fines.
Understanding Tracking Cookies
Tracking cookies are small files websites store on your computer to remember information about you – things like what pages you visit, items in your shopping basket, or even your location. They’re used for lots of reasons, from showing relevant ads to improving website usability.
Are They Illegal? The Short Answer
No, not all tracking cookies are illegal. However, the rules around them are strict. It depends on whether the cookie is ‘essential’ or ‘non-essential’.
- Essential Cookies: These are needed for a website to function properly – things like remembering login details or security settings. You don’t need consent to use these.
- Non-Essential Cookies: These track your behaviour for advertising, analytics, or other purposes. You absolutely need clear consent before using these.
The UK Law: PECR
The Privacy and Electronic Communications Regulations (PECR) sit alongside the General Data Protection Regulation (GDPR). PECR specifically deals with electronic marketing, cookies, and similar technologies.
How to Get Valid Consent – Step-by-Step
- Cookie Banner: You need a clear cookie banner that appears before any non-essential cookies are set. Consent options can’t be pre-ticked!
- Granular Control: Users must be able to easily choose which types of cookies they allow (e.g., analytics, advertising). A simple ‘Accept All’ button isn’t enough.
- Clear Information: Explain what each cookie does in plain English. Link to a detailed cookie policy.
- Record Keeping: Keep records of when and how users gave consent. This is important if you ever need to prove compliance.
- Withdrawal of Consent: Make it just as easy for users to withdraw their consent as it was to give it.
Checking Your Website – Practical Steps
- Use a Cookie Scanner: Tools like Cookiebot or Osano can scan your website and identify which cookies are being used, categorising them as essential or non-essential.
- Browser Developer Tools: You can manually check cookies in your browser:
  - Chrome: Right-click on the page → Inspect → Application → Cookies (under Storage).
  - Firefox: Right-click on the page → Inspect Element → Storage → Cookies.
- Check Your Consent Management Platform (CMP): If you use a CMP, ensure it’s configured correctly to obtain and manage consent according to PECR requirements.
Example Code Snippet (JavaScript – basic cookie check)
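function hasCookie(name) {
  // Returns the decoded cookie value, or null if the cookie is not set.
  // Escape regex metacharacters in the name, then match "name=value" at the
  // start of document.cookie or after a "; " separator.
  const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const value = document.cookie.match('(^|;\\s*)' + escaped + '=([^;]+)(;|$)');
  return value ? decodeURIComponent(value[2]) : null;
}

if (hasCookie('tracking_consent') !== 'true') {
  // No consent recorded: show cookie banner here
}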
Note: This is a very basic example. A proper CMP will handle much more complex consent management.
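The basic check above treats consent as a single true/false flag. As an added example (not code from the original page), the sketch below stores a granular, default-deny choice with a timestamp in the same tracking_consent cookie and builds the withdrawal write too; the category names, JSON value format, 180-day lifetime and function names are assumptions for illustration.

```javascript
// Added example: granular, default-deny consent kept in one cookie.
// Categories, value format and function names are assumptions, not a standard.
const CONSENT_COOKIE = 'tracking_consent';
const CATEGORIES = ['analytics', 'advertising'];

// Read one cookie from a "k=v; k2=v2" string (document.cookie in a browser).
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq !== -1 && part.slice(0, eq).trim() === name) {
      try { return decodeURIComponent(part.slice(eq + 1).trim()); }
      catch { return null; } // malformed percent-encoding: treat as absent
    }
  }
  return null;
}

// Parse the stored choice. Anything missing, malformed or unknown means "no".
function parseConsent(cookieString) {
  const state = { given: false, at: null, allowed: {} };
  for (const c of CATEGORIES) state.allowed[c] = false;
  const raw = readCookie(cookieString, CONSENT_COOKIE);
  if (raw === null) return state;
  let data;
  try { data = JSON.parse(raw); } catch { return state; }
  if (!data || typeof data !== 'object' || typeof data.at !== 'string') return state;
  if (Number.isNaN(Date.parse(data.at))) return state;
  state.given = true;
  state.at = data.at;
  for (const c of CATEGORIES) state.allowed[c] = data.allowed?.[c] === true;
  return state;
}

// Build the cookie that records a choice; `choices` maps category -> boolean.
function buildConsentCookie(choices, now = new Date()) {
  const allowed = {};
  for (const c of CATEGORIES) allowed[c] = choices[c] === true;
  const value = encodeURIComponent(JSON.stringify({ at: now.toISOString(), allowed }));
  // Max-Age of 180 days is an assumed lifetime chosen for this example.
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=15552000; SameSite=Lax; Secure`;
}

// Withdrawal is the same write with every category switched off.
const buildWithdrawalCookie = (now) => buildConsentCookie({}, now);

// Gate: call before loading any analytics or advertising script.
function mayLoad(cookieString, category) {
  return parseConsent(cookieString).allowed[category] === true;
}
```

In a browser, pass document.cookie as cookieString and assign the string returned by buildConsentCookie to document.cookie. The timestamp held in the cookie sits on the user's device, so it does not replace a server-side consent record.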
Penalties for Non-Compliance
The Information Commissioner’s Office (ICO) can issue fines of up to £17.5 million or 4% of your annual global turnover, whichever is higher, for serious breaches of PECR and GDPR.
Resources
- ICO Cookie Guidance: https://ico.org.uk/for-organisations/guidance/cookies
- PECR Regulations: https://www.legislation.gov.uk/uksi/2003/2426/contents

