
What is a Cookie Policy?


In our technologically advancing society, digital advertising and user behaviour tracking have become the norm for many tech-savvy businesses. Businesses and service providers use cookies to track user behaviour and customise or enhance user experiences with online advertising. However, strict rules apply for businesses in the UK deploying cookies. One of the critical rules to follow is to provide users with comprehensive information about the use of cookies, most commonly presented in a ‘cookie policy’. This article will explain what cookies are and what a cookie policy is.

What is a Cookie?

A cookie is a small text file that is stored on a user’s device, such as their computer, phone or tablet. Cookies allow businesses to identify individual users and store certain information about them. For example, cookies can store information about a user’s login details or preferences. Cookies are also often used for targeting and advertising purposes, which can be based on the browser history of a particular user.

There are various types of cookies. For example:

  • essential or strictly necessary cookies;
  • performance or analytical cookies;
  • functionality cookies; and
  • targeting or advertising cookies.

Businesses can use cookies in multiple ways. For example, an e-commerce website may use cookies to:

  • remember a customer’s preferences;
  • count the number of visitors to its website; and
  • remember what customers have added to their e-commerce shopping baskets.

In the UK, the key law around the use of cookies is the Privacy and Electronic Communications Regulations (‘PECR’). PECR is the law that governs the use of electronic communications and cookies.

PECR sets out rules requiring businesses to obtain user consent to place cookies on users’ devices and to offer clear and comprehensive information about the use of cookies. Under PECR (unless exceptional circumstances apply), you must tell individuals that you are using cookies and get their consent to use various types of cookies. In any event, the UK ICO (the data protection regulator) still recommends providing cookie information to users as good practice. This is why you often see cookie policies and cookie banners pop up on websites you are browsing.

A cookie policy is a document that provides detailed information about cookies. The policy needs to explain various information about the different types of cookies a business uses and allow users to have control over and change their preferences around the use of cookies.

Therefore, it is vital to carry out a cookie audit to understand what cookies your business uses and how they work. This can be a fairly technical exercise, so it is common to involve website developers to assist with this process.

Businesses using cookies need to provide specific information to users in a user-friendly format. The key is to be extremely transparent and provide clear and comprehensive information so users understand what cookies you use and what they will do. You should also understand the practicalities around how users are able to turn cookies on or off. Many websites have cookie preference centres to give users full control over the use of cookies.

Some of the key information to provide in a cookie policy includes:

  • which cookies will be used;
  • the purposes for which the cookies will be used;
  • the duration for which cookies will be used;
  • information about whether third parties will have access to the cookies; and 
  • information about cookie preferences and how users can opt out of the use of cookies. 

Here are a couple of key additional complications around the use of cookies.

GDPR

If personal data is processed in connection with the cookies, then additional requirements will apply under the UK General Data Protection Regulation (‘UK GDPR’). Suppose your business uses or will use cookies that can identify individuals. In that case, you should seek legal advice on the additional privacy laws and rules you may need to comply with around the use of personal data. Note that in addition to a cookie policy, businesses processing personal data as data controllers will need a separate privacy policy.

Consent

A cookie policy is not itself a way to obtain consent for the use of cookies.

Businesses using cookies need a separate mechanism to obtain consent before cookies are placed on a user’s device.

Unfortunately, many businesses struggle to comply properly with the legal requirements in PECR. Typical mistakes that businesses tend to make in their cookie policy include failing to:

  • name what cookies they use;
  • name what those cookies do; or 
  • deal with cookie preferences. 

However, there has been increasing regulatory attention in this area, and businesses must prioritise compliance with the legal rules. If you need clarification about the rules around the use of cookies or how to prepare a cookie policy, you should seek specialist legal advice before using cookies.


Key Takeaways

Whilst cookies are often used as important tools for many businesses, you should remember that using cookies means you must comply with strict legal rules under the PECR regime. Users must be given clear and comprehensive information about the use of cookies. The most common way to present this information is in a comprehensive cookie policy, laying out full details of the various types of cookies a business uses and how they work.

If you need help preparing a cookie policy, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Sej Lamba
