The GDPR doesn’t contain rules about cookies. Indeed, the Privacy and Electronic Communications Regulations (PECR) which do contain rules, refers to storage and access technologies rather than just cookies. For a long time, almost anything you did with them was covered by consent. There are limited exemptions, but a lot of the modern internet effectively runs unlawfully because of the lack of consent. But let’s not get into that. The least I can do here is tell you what PECR says, including some limited changes from the Data (Use and Access) Act that might help some organisations, but possibly fewer than you might expect. This is a quick one – you’ll probably be surprised by the simplicity.