PECR edit

ICO; UK’s independent body set up to uphold information rights has updated their laws. They published a blog with most common myths about cookies and a full guidance on the use of cookies and similar technologies (pdf).

TL;DR (in short)

Simple Analytics is PECR compliant and does not need consent. We track page views from a script in the browser where we don’t use cookies or similar technologies. We don’t store IPs in any way and don’t use techniques that identify or track a user. Read here what data points we store and or collect.

PECR vs GDPR

Basically the ICO says: “PECR first, GDPR second.”

The simplest way to understand it is that if your cookies require consent under PECR, then you cannot use one of the alternative lawful bases from the GDPR to set them. If you’re setting cookies, this is why you need to look to PECR first and comply with its specific rules, before considering any of the general rules in the GDPR. source

You need consent when cookies are not strictly necessary:

‘Strictly necessary’ means that storage of (or access to) information should be essential, rather than reasonably necessary. It is also restricted to what is essential to provide the service requested by the user. It does not cover what might be essential for any other uses that you might wish to make of that data. It is therefore clear that the strictly necessary exemption has a narrow application.

All cookies that are used for analytics do require a consent. Simple Analytics does not use any cookies and does not require any consent.

Tool

Use ICO’s tool to determine where consent applies for your use of cookies.

We advise you to include us in your privacy policy. Read more on that here.

Sources used: insideprivacy.com.