How do we tell people about the storage and access technologies we use?

In detail

In general, you must provide clear and comprehensive information about the storage and access technologies you use. 

PECR has some exceptions that mean you don’t have to provide this in certain cases. But if your storage and access involves processing personal data, you must provide it anyway.  

You must cover the following information:

  • the storage and access technologies you intend to use;
  • the purposes you intend to use them for;
  • any third parties who store or access information in the user’s device, or process information stored in, or accessed from, the user’s device, including the purposes they will be used for; and
  • the duration for which any information will be stored, or access to information granted, such as the duration of cookies.

Providing this is part of fulfilling your transparency requirements under data protection law. These transparency requirements apply whenever you are processing personal data, even if you are making use of a PECR exception that does not require provision of clear and comprehensive information (eg the ‘strictly necessary’ exception).

You must also explain your storage and access technologies in a way that anyone visiting your service can understand. In particular, you must make the information:

  • concise;
  • transparent;
  • intelligible;
  • easily accessible; and 
  • in clear and plain language.

You should provide this information in as user-friendly a way as possible.

You must:

  • tailor the language to your audience;
  • avoid complex or lengthy terminology; and
  • ensure that your subscribers and users understand the information you provide.

You must not include ambiguous or unclear references to ‘partners’ or ‘third parties’ in the information you provide. 

You must consider how the design of your online service impacts on the visibility of the link to your information. For example, a link at the bottom of a concise webpage that has no content ‘below the fold’ is much more visible and accessible than a link in the footer of a dense webpage of 10,000 words. In this case, a link in the header would be more appropriate.

Our UK GDPR guidance on 'the right to be informed' outlines methods you can use to provide privacy information.

Equally, the type of device people use to access your service affects how you inform users about storage and access technologies. The limited, and sometimes non-existent, physical interfaces on some connected devices can make it challenging to provide the right information. You could consider alternative methods of informing users, such as:

  • including clear, simple-to-follow informational materials along with the device;
  • ensuring the setup process for the device includes the necessary information and controls;
  • surfacing the information during the companion app’s installation process, if the device uses one; or
  • providing privacy dashboards in any associated online account.

How do we tell people about storage and access technologies set on websites that we link to?

For example, if you have a presence on a social media network, you are likely to include a link to it somewhere on your service. When someone clicks this link, they will be taken to your page on the network.  

The operator of the social media network is itself providing an online service that uses storage and access technologies. It may use these for its own purposes, or for purposes that both you and it jointly decide.

Although you may not directly control the storage and access technologies set by the platform, you do decide whether or not to:

  • have a presence on the network in the first place;
  • include links to the network in your service, the specific tracking tools the network provides, or both if appropriate; and
  • use the network’s targeting tools and techniques to reach your users when they visit the platform.

Any use of the tools and techniques of these networks for targeting purposes involves personal data processing. This means that if you decide to use them, then both you and the platform are jointly responsible for determining the purpose and means of this processing of personal data.

Even though these cannot be covered by your service’s own consent mechanism, you should include in your privacy information:

  • references to any social media presence that you may have; and
  • a statement that the platform may use storage and access technologies once users visit there.

You should consider that not everyone who accesses your social media presence via your website will be logged-in users of that social media platform. There is no applicable lawful basis other than consent for social media platforms to process information about non-members of their networks through these technologies.

You should provide information about the processing of any personal data within your privacy notice, as well as somewhere on your page on the online platform, even if this is simply a link back to that privacy notice.

Example

A website includes a social media plugin. When a visitor to the website uses the plugin, data is collected and transmitted to the social media provider.

The website operator and social media site are joint controllers for the collection and disclosure by transmission of the visitor’s data to the social media provider.

The website operator must:

  • provide the visitor with the identity of the social media provider;
  • explain the purpose of the processing; and
  • obtain consent.

If you have links on your site to other external services that do not relate to your online service (eg useful references or resources related to the content of your website), you could: 

  • provide links to their privacy information; or
  • make it clear to your users that you are not responsible for the use of storage and access technologies on that site.

Can we pre-enable any non-exempt storage and access technologies?

No. You must not pre-enable non-exempt storage and access technologies. This is the case even when: 

  • you think that subscribers and users may be unlikely to agree to them otherwise; or
  • you don’t think that the technology is that privacy intrusive.

Unless the technology meets one of the exceptions, you must seek consent before you use storage and access technologies.

Our expectations for good practice are laid out in the ‘Our expectations for consent mechanisms’ section.

Example

A website uses localStorage for online advertising purposes on its landing page. It has a consent mechanism that includes the wording: 

“By continuing to use our website, you consent to our use of technologies that store or access information on your device”.

This does not represent valid consent, even if the mechanism also includes an ‘OK’ or ‘Accept’ button.

This is because the website has decided to set non-exempt storage and access technologies, and is then seeking the user’s agreement afterwards. It is only providing the user with an option to ‘continue’ rather than a genuine free choice about whether they want to accept or reject. 

How long can we store or access information for?

PECR does not specify how long you can use any storage and access technologies for. For example, it does not say whether the appropriate duration of a cookie is the length of the session or a different period, such as 30 days.

You should consider the appropriate duration depending on the circumstances of your online service and the purpose you want to use the technology for.

If the technology involves processing of personal data, you must also consider the data protection principles, including purpose limitation and storage limitation.

To help you to determine what is appropriate, you must ensure that the duration is:

  • proportionate in relation to your intended outcome; and
  • limited to what is necessary to achieve your purpose.

In some instances, you may decide a longer duration is appropriate, such as a persistent cookie which stores user preferences for a period of time (eg 90 days, if that is appropriate in the context of your service and its users).

Some storage and access technologies, like cookies, may have a default duration. An expiry limit for persistent cookies may be set by the browser, and in some cases users can remove persistent cookies manually.

Alternatively, if you are storing objects in localStorage, there may be no expiry date.

Whatever technology you are using, you should consider:

  • what the default is;
  • whether this is appropriate; and
  • whether it is something you can change if necessary (for example, by automatically removing objects in localStorage where appropriate).

In all cases, the key is ensuring a proportionate approach to the purpose. For example, while it may be technically possible to set the duration of a cookie to ‘31/12/9999’, this could not be regarded as proportionate in any circumstances. 
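Because Web Storage has no built-in expiry, the duration of a localStorage object has to be enforced by your own code. The following is an added example (not code from the ICO guidance): it stamps each object with an expiry, refuses "forever" lifetimes, and removes stale objects both on read and in a sweep. The `ttl:` namespace, the 90-day ceiling and the in-memory `MemoryStorage` stand-in (used so it runs outside a browser; pass `window.localStorage` in a page) are all assumptions.

```javascript
// Added example: explicit expiry for localStorage objects, since Web Storage itself has none.
// Works against any Storage-like object (getItem/setItem/removeItem/key/length).
const PREFIX = 'ttl:';                        // assumed namespace for managed entries
const MAX_TTL_MS = 90 * 24 * 60 * 60 * 1000;  // assumed policy ceiling: 90 days

class MemoryStorage {                          // constructed stand-in for window.localStorage
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return Array.from(this.map.keys())[i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// Store `value` with a lifetime of ttlMs; reject non-positive or excessive durations.
function setWithExpiry(storage, key, value, ttlMs, now = Date.now()) {
  if (!Number.isFinite(ttlMs) || ttlMs <= 0 || ttlMs > MAX_TTL_MS) {
    throw new RangeError(`ttlMs must be in (0, ${MAX_TTL_MS}]`);
  }
  storage.setItem(PREFIX + key, JSON.stringify({ value, expires: now + ttlMs }));
}

// Return the value, or null (deleting the entry) if it is expired or unreadable.
function getWithExpiry(storage, key, now = Date.now()) {
  const raw = storage.getItem(PREFIX + key);
  if (raw === null) return null;
  let record = null;
  try { record = JSON.parse(raw); } catch (_) { /* unreadable: treated as expired */ }
  if (typeof record?.expires !== 'number' || record.expires <= now) {
    storage.removeItem(PREFIX + key);
    return null;
  }
  return record.value;
}

// Sweep (e.g. on page load): remove expired or unreadable managed entries,
// leaving keys outside the namespace untouched. Returns the number removed.
function purgeExpired(storage, now = Date.now()) {
  const doomed = [];
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    if (!k.startsWith(PREFIX)) continue;
    let record = null;
    try { record = JSON.parse(storage.getItem(k)); } catch (_) { /* unreadable */ }
    if (typeof record?.expires !== 'number' || record.expires <= now) doomed.push(k);
  }
  doomed.forEach((k) => storage.removeItem(k)); // delete after iterating so indices stay stable
  return doomed.length;
}
```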

Example

An online service sets persistent cookies on its website.

The service recognises that the user’s browser may limit the maximum age of a cookie to 400 days. It decides to use the default expiry date for all of its cookies and relies on the user’s browser to adjust the maximum expiry time.

This is not a proportionate approach, because:

  • the service cannot assume that the user’s browser will change the default; and
  • a 400-day expiry date may not be appropriate for the purpose of the cookies on its service.

What is an audit and how can we do one?

You should undertake regular reviews of your online service, as well as any storage and access technologies it includes.

The frequency of your reviews depends on:

  • the specific storage and access technologies you use;
  • the purposes you use them for; and
  • how often you change or update them. 

For example, if you make regular changes, you should carry out reviews more frequently.

You may decide a comprehensive ‘audit’ of your online service is appropriate, for example if the functionality of your website has evolved over time and multiple staff or teams have editing access to the site.

You could take a user’s perspective by visiting your website on a device separate from your network and checking what storage and access technologies are present. You could invite a third party to do this on your behalf.

You should include the following steps in an audit, depending on the nature of your service and how you provide it:

  • identify the storage and access technologies your service currently includes (eg by using a combination of browser-based tools or server-side code reviews);
  • confirm the purpose(s) of each of the storage or access technologies you are using (and any new ones you intend to use);
  • identify any you no longer need and remove them;
  • in any mobile app, identify the installed SDKs and their respective data flows;
  • determine which of the purposes you use storage and access technologies for meet an exception (and if so, which one) and which do not, and take appropriate action for those that do not;
  • confirm whether your storage and access technologies are linked to other information held about your users, such as usernames, and whether using them involves (or will involve) processing personal data;
  • identify the data that each technology involves, holds or processes;
  • determine the lifespan of any persistent cookies, and justify their duration in relation to the purpose(s) you use them for;
  • identify whether any third parties are setting storage or access technologies on your site and if so, who and for what purpose; 
  • review any automatic categorisation of storage and access technologies and whether this is correct; 
  • review your consent mechanism and privacy settings to ensure that users can reject the use of any non-exempt storage and access technologies as easily as they can accept them; 
  • review your consent mechanism to ensure that it has the technical capability to allow users to withdraw their consent with the same ease that they gave it; 
  • review your privacy information to ensure that you provide clear and comprehensive information about each technology you want to use;
  • confirm what information you are sharing with third parties and how you explain this to your users; and
  • document your findings and follow-up actions, and decide when you will conduct your next audit.
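Several of the audit steps above (identifying what is actually set and by whom, checking that non-exempt technologies are not pre-enabled, and justifying the lifespan of persistent cookies) can be reduced to comparing a fresh, un-consented visit against the register kept from the previous audit. The following is an added example, not code from the ICO guidance: `observed` records mirror the shape of records returned by the browser’s `cookieStore.getAll()` (name, domain, and `expires` in milliseconds or `null` for a session cookie), and the register contents, domains and cookie names are constructed sample data.

```javascript
// Added example: reconcile the cookies observed on a visit against the audit register.
const DAY_MS = 24 * 60 * 60 * 1000;

// Register entry: purpose, whether a PECR exception applies, the justified maximum
// lifetime in days (0 = session only) and the domain expected to set it. Constructed data.
const REGISTER = {
  session_id: { purpose: 'keep the user logged in', exempt: true, maxDays: 0, domain: 'www.example' },
  ui_prefs: { purpose: 'remember display settings', exempt: false, maxDays: 90, domain: 'www.example' },
};

// `consentGiven` should be false for an audit visit that did not accept the consent mechanism.
function reconcileInventory(observed, register, { consentGiven = false, now = Date.now() } = {}) {
  const findings = [];
  const seen = new Set();
  for (const c of observed) {
    seen.add(c.name);
    const entry = register[c.name];
    if (!entry) {                                 // audit step: who is setting it, and for what purpose?
      findings.push({ name: c.name, issue: 'undeclared', detail: `set by ${c.domain}` });
      continue;
    }
    if (c.domain !== entry.domain) {
      findings.push({ name: c.name, issue: 'unexpected-domain', detail: `${c.domain} != ${entry.domain}` });
    }
    if (!entry.exempt && !consentGiven) {         // non-exempt technologies must not be pre-enabled
      findings.push({ name: c.name, issue: 'set-before-consent', detail: entry.purpose });
    }
    if (c.expires != null) {                       // persistent cookie: compare lifetime with justification
      const days = (c.expires - now) / DAY_MS;
      if (entry.maxDays === 0) {
        findings.push({ name: c.name, issue: 'persistent-but-registered-as-session', detail: `${Math.ceil(days)} days` });
      } else if (days > entry.maxDays) {
        findings.push({ name: c.name, issue: 'duration-exceeds-register', detail: `${Math.ceil(days)} > ${entry.maxDays} days` });
      }
    }
  }
  for (const name of Object.keys(register)) {     // register entries no longer in use are findings too
    if (!seen.has(name)) findings.push({ name, issue: 'registered-but-absent', detail: 'remove from register or re-confirm' });
  }
  return findings;
}
```

Each finding maps back to an audit step: undeclared or unexpected-domain entries need a purpose and owner, set-before-consent entries need consent or an exception, and duration findings need either a shorter lifetime or a documented justification.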