We’ve all seen the pop-up messages asking us if we consent to their use. Handled correctly, cookies and similar technologies can help your company's website and online services run more efficiently. But if you are using cookies, you must remember that they store information about your visitors and track detailed user activity. Here, with the help of leading law firm Harper James Solicitors, who specialise in supporting businesses to comply with GDPR and data protection, we outline the key things you need to know.

What is a cookie?

They collect information about a website visitor’s use of the site. When the visitor returns to a site the information provided by the cookie technology is stored on the user’s device. This means the website recognises the visitor as an existing customer or user, enhancing the effectiveness of the website.

Without cookies a website cannot remember anything about the visitor, so the experience of re-visiting the website would be slower and less personalised.

What types of cookies are there?

  • Session – lasts only while the user is using the website that one time – after they leave, the cookie is deleted
  • Persistent – these are longer-lasting cookies with a set expiry date in the future (e.g. a year) that allow users to return to a website and certain details will be remembered – for example language preference or favourite items
  • First/third party – when the cookie is set within the same domain as the one you’re on, it’s a first-party cookie, but when it is set on a different domain (for example an advert appears on the website you visit) it is a third-party cookie, sometimes known as tracking cookies

Third-party cookies have already been phased out by Safari and Mozilla Firefox. Google is expected to follow suit in 2023. With nearly half the share of the UK web browser market, this will mean a big change for how many websites operate in future.

Is anyone in charge of regulation in this area?

Yes. Cookies are regulated by the Privacy and Electronic Communications Regulations 2003 (PECR 2003).  If you are using cookies or similar technologies you must clearly explain to your users, what cookies you have set up and what the cookies will be used for.

You must also obtain user consent to cookie use (which is why you have the banners). The information you provide on cookies must be in a form that’s compliant with GDPR rules on transparency and processing data. In line with GDPR requirements you must provide information in as user-friendly a way as possible. 

What steps should I take to ensure my website users are happy with the cookies I am using?

There are several. Seek to obtain valid consent for cookies by ensuring individuals have been clearly informed about what cookies you have and how you use them. Your visitor must also take positive and clear action to consent to non-essential cookies. Always seek to explain what third-party cookies you use and don’t rely on pre-ticked boxes.

Why is this important?

Breaches will damage the reputation of your business and hurt you financially – the Information Commissioner’s Office (ICO) can impose financial penalties of up to £500,000 for a PECR breach (and the heavier GDPR penalties may also apply depending on the nature of the breach). 

Anything else I should know?

This guide only provides a snapshot. Businesses would be wise to carry out a cookie audit and seek to answer questions like:

  • What cookies do you currently have? What category do they fall into? – for small sites, a service such as Cookiebot will allow you to check for free
  • What is each cookie used for?
  • What personal information (of website visitors) is linked to each cookie?
  • What information are the cookies storing?
  • Are your cookies processing personal information?
  • Do any cookies fall within the strictly necessary exemption?
  • Are you getting appropriate consent for cookies that are not exempt?
  • Are you providing accurate information to users about each cookie?
  • Is there a clear link to your cookie policy to enable users to encourage transparency and ensure user consent is properly given?

Key takeaways

  • Cookies can help your website run more smoothly and provide a better user experience – but they also store data and track activity, so your website visitors need a say about which ones they will allow
  • The most common types of cookie you will see are session, persistent, first-party and third-party
  • You need to know about the cookies your website uses and to provide clear information to your visitors, allowing them to opt-in to those being used
  • For more information about wider your wider GDPR responsibilities, see our guide:
  • You might want some help with data protection and cookies from your solicitor, who can help you audit and put together policies for your business


Harper James Solicitor's specialist data protection solicitors advise businesses on PECR/GDPR compliance offering bespoke advice as well as training for staff and regular compliance audits

Contributed by Nick Owens
Neina Sheldon
Article by Neina Sheldon
Share Article