The ICO exists to empower you through information.

In detail

What are ‘cookies’?

Cookies are small pieces of information, normally consisting of just letters and numbers, which online services provide when users visit them. Software on the user's device (for example a web browser) can store cookies and send them back to the website next time they visit.

How are cookies used?

Cookies are a specific technology that store information between website visits. They are used in numerous ways, such as:

  • remembering what’s in a shopping basket when shopping for goods online;
  • supporting users to log in to a website;
  • analysing traffic to a website; or
  • tracking users' browsing behaviour.

Cookies can be useful because they allow a website to recognise a user’s device. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. Without cookies, or some other similar method, websites would have no way to ‘remember’ anything about visitors, such as how many items are in a shopping basket or whether they are logged in.

What are ‘session’ and ‘persistent’ cookies?

Cookies that expire at the end of a browser session (normally when a user exits their browser) are called ‘session cookies’. Cookies that can be stored for longer are called ‘persistent cookies’. PECR applies to both types.

Session cookies allow websites to recognise and link the actions of a user during a browsing session. They may be used for a variety of purposes such as remembering what a user has put in their shopping basket as they browse around a site.

Cookies can also be used for security purposes, such as when a user logs in to internet banking or their webmail. These session cookies expire after a session ends, so would not be stored beyond this. For this reason session cookies may sometimes be considered less privacy-intrusive than persistent cookies.

Persistent cookies are stored on a user’s device in-between sessions. They can allow the preferences or actions of the user across a site (or across different websites) to be remembered.

Persistent cookies may be used for a variety of purposes including remembering users’ preferences and choices when using a site or to target advertising. The length of time between a cookie being set and expiry is set by the website operator. A user can also delete previously set persistent cookies manually or configure the browser settings to delete cookies at a set interval.

What are ‘first-party’ and ‘third-party’ cookies?

Whether a cookie is ‘first’ or ‘third’ party refers to the website or domain placing the cookie.

First-party cookies are set directly by the website the user is visiting, ie the URL displayed in the browser's address bar.

Third-party cookies are set by a domain other than the one the user is visiting. This typically occurs when the website incorporates elements from other sites, such as images, social media plugins or advertising. When the browser or other software fetches these elements from the other sites, they can set cookies as well.

What are ‘similar technologies’?

Functions usually performed by a cookie can be achieved by other means. This could include, for example, using certain characteristics to identify devices so that visits to a website can be analysed.

PECR applies to any technology that stores or accesses information on the user’s device. This could include, for example, HTML5 local storage, Local Shared Objects and fingerprinting techniques.

Example

Device fingerprinting is a technique that involves combining a set of information elements in order to uniquely identify a particular device.

Examples of the information elements that device fingerprinting can single out, link, or infer include (but are not limited to):

  • data derived from the configuration of a device;
  • data exposed by the use of particular network protocols;
  • CSS information;
  • JavaScript objects;
  • HTTP header information,
  • clock information;
  • TCP stack variation;
  • installed fonts;
  • installed plugins within the browser; and
  • use of any APIs (internal and/or external).

It is also possible to combine these elements with other information, such as IP addresses or unique identifiers, etc.

PECR also applies to technologies like scripts, tracking pixels and plugins, wherever these are used.

Example

An organisation conducts electronic marketing and incorporates a tracking pixel within the emails. The pixels record information including the time, location and operating system of the device used to read the email.

Whilst the majority of electronic mail marketing is governed by Regulation 22 of PECR, where tracking pixels store information, or gain access to information stored, on a user’s device Regulation 6 also applies.

PECR does not prohibit using cookies and similar technologies. However, PECR does require you to tell people about them and give them the choice as to whether or not this information is stored on their devices in this way.

From now on, this guidance uses the single term ‘cookies’ to refer to cookies and similar technologies that PECR applies to, including when used in other contexts such as a mobile app.