
Cookies and Personal Data

GOSS understand there is a degree of concern and confusion around the use of cookies on client sites, specifically in relation to collecting personal data. As such, GOSS have looked to provide some clarity on the use of cookies. The use of cookies in the UK is controlled by the Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act 2018. It is important to understand that not all cookies contain personal data. With that in mind, each organisation that uses cookies on its site will need to be aware of the type of cookies it is processing and whether any of them actually collect personal data. Organisations will need to ensure their compliance with PECR before they look into data protection legislation.


The requirements of the Data Protection Act 2018 apply only when it comes to processing cookies which actually contain personal data; the ICO has further guidance on this. However, the key points to note are as follows:

  • Is it necessary for the organisation to collect personal data via cookies?
  • Do they have a lawful basis to process personal data (consent, contractual, legal obligation, vital interest, public task, and legitimate interest)?


Depending on the lawful basis of processing selected, the data controller will need to follow the requirements of data protection legislation, such as informing the data subjects via their privacy notice what personal data is being collected, how the data will be used, etc. If consent is chosen as the basis of processing, then the data controller will need to make sure that consent is given through a clear affirmative action. The ICO has provided a tool to help organisations decide whether consent applies to the use of cookies on their sites. In terms of cookie compliance under PECR, organisations would need to decide which cookies are considered to be "strictly necessary", i.e. those that are essential to providing the service requested by the user. For non-essential cookies, consent from the end users will be required.


GOSS can provide support to our clients to implement an appropriate cookie banner as required. Alternatively, clients may wish to utilise 3rd party cookie control providers, of which there are a number available. An example is Civic Cookie Control, provided here simply as an example of this type of cookie control provider and not an endorsement of it. GOSS would also like to remind clients to undertake all necessary and appropriate supplier due diligence when considering any third party providers.


However, it must be remembered that in order to effectively and legitimately use any type of cookie banner or cookie control provider, the organisation must already be aware of the type of data they want to collect or are already collecting.


Please Note: This article is not to be perceived as legal advice. Please contact your legal advisor or Data Protection Officer for detailed advice.