PECR Regulation 6: Cookies and Similar Technologies
Regulation 6: Confidentiality of communications
Rule
You must not store or access information on a user’s device (cookies, local storage, fingerprinting) unless:
- Clear information is provided about the purposes, AND
- Consent is given
Exceptions
Consent is NOT required for:
| Exception | Example |
|---|---|
| Strictly necessary | Session cookies, shopping basket, security |
| Transmission only | Load balancing, routing |
Source Text
(1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment— (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) has given his or her consent.
(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information— (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or (b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.