The following IP guidance note provides comprehensive and up to date legal information covering:

  • Cookies
  • Types of cookies and similar technologies
  • PECR 2003 and cookies
  • Responsibility for compliance
  • Consent
  • Clear and comprehensive information
  • Exemptions
  • GDPR and cookies
  • Territorial scope
  • Sanctions and enforcement
  • more

Brexit: On 31 January 2020, the UK ceased to be an EU Member State and entered an implementation period, during which it continues to be subject to EU law. During this period, the GDPR applies in the UK and the UK generally continues to be treated as an EU (and EEA) state for EEA and UK data protection law purposes. Any references to EEA or EU states in this Practice Note should therefore be read to also include the UK until the end of the implementation period. For further guidance on that period, its duration and the data protection laws that are anticipated to apply after the end of it, see Practice Note: Brexit—implications for data protection.

This Practice Note examines the law on the use of cookies and similar technologies:

  1. Types of cookies and similar technologies

  2. PECR 2003 and cookies

  3. Responsibility for compliance

  4. Consent

  5. Clear and comprehensive information

  6. Exemptions

  7. GDPR and cookies

  8. Territorial scope

  9. Sanctions and enforcement

  10. Cookie audits

  11. Reform

  12. Resources and guidance

Cookies are small data files stored on a user’s computer, phone or tablet. They allow an online service, such as a website, to recognise an individual user and store certain information about them such as login details, the contents of shopping baskets and site preferences. They are also commonly used to target advertising at a user based on