POL-603 Cookie & PECR Compliance Policy
Document code: POL-603
Owner (role): Operational Owner — Data Protection
Approver (role): Data Protection Officer
Effective date: 8 June 2026
Applies to: Monek Group Limited and its subsidiaries (collectively, "Monek")
Supersedes: Nothing — new document. Phase 1 Discovery found no formal cookie / PECR policy in the existing documentation set.
Implements: POL-601 Data Protection Policy §18; fills the placeholder referenced from POL-503 §11
Role mappings: Allocated Roles — Data Protection (UK GDPR)
1. Purpose
This policy sets out how Monek complies with the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"), as amended by the Data (Use and Access) Act 2025 ("DUAA"), in two areas:
- Cookies and similar technologies placed on user devices via the Monek website and any other Monek-operated digital service
- Electronic direct marketing by email, SMS, telephone or other electronic means
PECR sits alongside UK GDPR. UK GDPR governs the underlying processing of personal data; PECR governs the means of access to user devices and the medium of direct marketing. Many activities engage both regimes, and Monek must comply with both.
A substantial change from 5 February 2026: under DUAA, the maximum fine for a PECR breach is aligned with UK GDPR at the higher of £17.5 million or 4% of global annual turnover (previously capped at £500,000). PECR enforcement therefore carries materially greater financial exposure.
2. Scope
This policy applies to:
- The Monek website (www.monek.com) and any sub-sites or microsites operated by Monek Group entities
- Any Monek-operated digital service that places cookies or similar technologies on a user device — including merchant portals, hosted payment pages, support portals, customer apps
- All electronic direct marketing sent by Monek to individuals or to corporate subscribers (B2B)
- All Monek personnel who originate or commission electronic marketing, or who configure digital services
It does not apply to:
- Electronic communications that are not direct marketing (e.g., transactional emails, security alerts, regulatory notices)
- Cookies and similar technologies placed by Merchants' own websites through their use of Monek payment products (Merchants are independently responsible for PECR compliance on their own surfaces — Monek's role is limited to ensuring Monek-supplied technologies behave correctly when integrated)
3. Definitions
| Term | Definition |
|---|---|
| Cookie | A small text file stored on a user's device by a website, used for many purposes including session management, preferences, analytics, advertising |
| Similar technologies | Other client-side storage or device-access mechanisms — local storage, session storage, pixel tags, fingerprinting, SDK identifiers, etc. — that engage the same PECR Reg 6 consent requirement as cookies |
| PECR | Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended (including by DUAA in 2025/2026) |
| PECR Reg 6 | The provision that requires consent (or one of the recognised exemptions) for storage of or access to information on a user device |
| PECR Reg 22 | The provision that governs unsolicited direct marketing by email or SMS |
| PECR Reg 21 | The provision that governs unsolicited direct marketing by telephone |
| Consent | A freely given, specific, informed and unambiguous indication of agreement — to UK GDPR Article 4(11) standard |
| Strictly necessary cookie | A cookie without which the service requested by the user cannot be delivered (PECR Reg 6(4)) |
| Soft opt-in | A narrow exception under PECR Reg 22(3) for marketing to existing customers about similar products / services — see §6.3 |
| Suppression list | A list of contacts who have opted out of marketing; honoured indefinitely (POL-508 §7.6) |
| TPS / CTPS | Telephone Preference Service / Corporate Telephone Preference Service — registers of telephone subscribers who have indicated they do not want unsolicited marketing calls |
4. The PECR Framework After DUAA
DUAA's substantive provisions took effect on 5 February 2026. For PECR, the key changes are:
| Change | Detail |
|---|---|
| Fines aligned with UK GDPR | Maximum PECR fine now £17.5m or 4% of global annual turnover (previously £500k cap under PECR) |
| Narrow new cookie consent exemptions | A small set of additional purposes for which storage / access to a device no longer requires consent — see §5.2 |
| Regulator rename | The ICO is being renamed the Information Commission during 2026 — same body, same enforcement powers, transitional period applies |
| Otherwise unchanged | The PECR Reg 22 marketing rules and the Reg 21 telephone marketing rules are unchanged in substance |
The default PECR position remains the same: consent is required for storage of or access to information on a user device, unless an exemption applies, and consent is required for direct marketing to individuals by email or SMS, unless the soft opt-in applies.
5. Cookies and Similar Technologies
5.1 Default Position — Consent Required
Monek requires freely given, specific, informed and unambiguous consent before placing any non-essential cookie or similar technology on a user's device. Consent must be:
- Opt-in — pre-ticked boxes or implied consent (e.g., continued browsing) do not constitute valid consent
- Granular — separate consent per category (functional, analytics, marketing) where these are used
- As easy to withdraw as to give — the user can revisit and change their preferences at any time
- Auditable — Monek captures and retains evidence of the consent given (or refused), per POL-508 §7.6
5.2 Recognised Exemptions (Consent Not Required)
Consent is not required for cookies and similar technologies that fall into one of the following narrow categories, which are the exemptions available under PECR Reg 6 as amended by DUAA:
| Exemption | Examples |
|---|---|
| Strictly necessary for a service the user has explicitly requested (PECR Reg 6(4)) | Session cookies needed to keep a user logged in; cookies needed to remember items in a checkout flow; CSRF tokens; load-balancer routing |
| Network and information system security (DUAA-codified recognised legitimate interest, PECR exemption) | WAF and DDoS protection cookies; bot detection; fraud-prevention session signals |
| Auto-authentication (DUAA narrow exemption) | A cookie that completes a multi-factor authentication step on a return visit, where the user has previously consented to the underlying authentication flow |
| Statistical analysis with opt-out (DUAA narrow exemption — first-party only, no profiling) | Aggregated first-party page-view analytics, where the user is offered a clear and accessible opt-out, and the data is not used for any other purpose |
| Emergency assistance | Cookies necessary to deliver an emergency response (rare in Monek's context) |
A cookie that could be argued to fall under "strictly necessary" but in fact serves additional purposes (e.g., analytics dressed as essential) does not qualify. The test is the user's perspective: would they consider the cookie strictly necessary for the service they asked for?
5.3 Cookie Categories Used by Monek
Monek's cookie inventory is maintained operationally in the cookie banner configuration on the Monek website and is updated whenever a cookie is added, removed or has its purpose changed. The categories Monek uses:
| Category | Consent required? | Examples |
|---|---|---|
| Essential / strictly necessary | No (exemption) | Session, checkout, security |
| Functional | Yes | Language preference, accessibility preferences |
| Analytics | Yes (unless qualifying for the §5.2 statistical-analysis exemption with opt-out) | First-party analytics, performance measurement |
| Marketing / advertising | Yes | Retargeting pixels, advertising network cookies, third-party social media pixels |
5.4 Consent Mechanism
Monek's cookie banner:
- Appears on first visit and on the first visit after consent has been withdrawn or has expired
- Presents the user with three primary actions: "Accept all", "Reject all", and "Manage preferences" — each requires equal effort (no dark patterns)
- Provides granular controls for each non-essential category under "Manage preferences"
- Provides a link to this Cookie Policy and to the Privacy Notice (POL-503)
- Does not block access to the service while the user makes a choice; the one exception is an optional function that cannot operate without a non-essential cookie (rare), which stays unavailable until the relevant category is consented to while the rest of the service remains accessible
- Honours the user's choice — non-essential cookies are not set or read until consent has been given for the relevant category
5.5 Withdrawal of Consent
Users can change their cookie preferences at any time through:
- A persistent "Cookie preferences" link in the website footer
- The same banner re-opened from the link
- Browser-side controls (Monek's site respects browser cookie deletion / blocking)
When consent is withdrawn for a category, Monek stops setting further cookies in that category. Cookies already set are not actively removed from the user's device by Monek; the user can delete them via their browser, and they will expire per the lifetimes in §5.7.
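The gating behaviour described in §5.4 and §5.5 (nothing non-essential set or read before consent, granular categories, persistence across visits, withdrawal stopping further loads) is shown below as an added example. This is not Monek's banner code and not part of the original policy; the category names follow §5.3, while the cookie name `monek_consent`, the record shape, the `policyVersion` string and the `register()` API are assumptions made for the example.

```javascript
// Added example, not Monek's code: consent-gated loading of non-essential cookies and
// scripts, with the stored record serving as the audit evidence. Assumptions: the
// §5.3 category names, a first-party cookie named monek_consent holding the record,
// and a policyVersion string that makes the banner reappear when the policy text changes.

const NON_ESSENTIAL = ['functional', 'analytics', 'marketing'];
const CONSENT_COOKIE = 'monek_consent';

function createConsentManager({ store, policyVersion, now = () => Date.now() }) {
  const loaders = { functional: [], analytics: [], marketing: [] };
  const executed = new Set(); // loader ids already run during this page view

  function readRecord() {
    const raw = store.get(CONSENT_COOKIE);
    if (raw === null) return null;
    try { return JSON.parse(raw); } catch (e) { return null; } // a corrupt record counts as no consent
  }

  // Consent only counts for the policy version the user actually saw.
  function hasConsent(category) {
    const rec = readRecord();
    return rec !== null && rec.policyVersion === policyVersion && rec.choices[category] === true;
  }

  function runCategory(category) {
    for (const { id, load } of loaders[category]) {
      if (!executed.has(id)) { executed.add(id); load(); }
    }
  }

  // A loader (tag, pixel, SDK) is queued, never executed, until its category is consented to.
  function register(category, id, load) {
    if (!(category in loaders)) throw new Error('unknown non-essential category: ' + category);
    loaders[category].push({ id, load });
    if (hasConsent(category)) runCategory(category);
  }

  function save(choices, source) {
    const rec = { policyVersion, at: new Date(now()).toISOString(), source, choices: {} };
    for (const c of NON_ESSENTIAL) rec.choices[c] = choices[c] === true; // unset means refused
    store.set(CONSENT_COOKIE, JSON.stringify(rec));
    for (const c of NON_ESSENTIAL) if (rec.choices[c]) runCategory(c);
    return rec;
  }

  return {
    needsBanner: () => { const r = readRecord(); return r === null || r.policyVersion !== policyVersion; },
    acceptAll: () => save(Object.fromEntries(NON_ESSENTIAL.map((c) => [c, true])), 'accept_all'),
    rejectAll: () => save({}, 'reject_all'),
    setPreferences: (choices) => save(choices, 'manage_preferences'),
    hasConsent, register, record: readRecord,
  };
}

// Browser store: the record lives in a first-party cookie, which is itself strictly
// necessary and needs no consent. Attributes are assumptions; not used in demo() below.
const documentCookieStore = {
  get: (name) => { const m = document.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)')); return m ? decodeURIComponent(m[1]) : null; },
  set: (name, value) => { document.cookie = name + '=' + encodeURIComponent(value) + '; Max-Age=31536000; Path=/; Secure; SameSite=Lax'; },
};

// In-memory stand-in for document.cookie so the walkthrough runs under Node.
function memoryStore() {
  const m = new Map();
  return { get: (k) => (m.has(k) ? m.get(k) : null), set: (k, v) => { m.set(k, v); } };
}

// Banner lifecycle across simulated page loads; each manager instance is one page view.
function demo() {
  const store = memoryStore();
  const loads = [];
  const analyticsTag = () => loads.push('analytics-tag');
  const out = {};
  const page1 = createConsentManager({ store, policyVersion: '1.1' });
  out.bannerOnFirstVisit = page1.needsBanner();           // true: no record yet
  page1.register('analytics', 'analytics-tag', analyticsTag);
  out.loadedBeforeChoice = loads.length;                  // 0: nothing runs pre-consent
  page1.rejectAll();
  out.loadedAfterReject = loads.length;                   // 0
  page1.setPreferences({ analytics: true });              // granular opt-in to one category
  out.loadedAfterOptIn = loads.length;                    // 1
  const page2 = createConsentManager({ store, policyVersion: '1.1' });
  page2.register('analytics', 'analytics-tag', analyticsTag); // runs at once: consent persisted
  out.loadedOnReturnVisit = loads.length;                 // 2
  page2.setPreferences({});                               // withdrawal via "Cookie preferences"
  const page3 = createConsentManager({ store, policyVersion: '1.1' });
  page3.register('analytics', 'analytics-tag', analyticsTag); // stays queued after withdrawal
  out.loadedAfterWithdrawal = loads.length;               // 2
  out.lastSource = page3.record().source;                 // 'manage_preferences'
  const page4 = createConsentManager({ store, policyVersion: '1.2' }); // policy text changed
  out.bannerAfterPolicyChange = page4.needsBanner();      // true: ask again under the new version
  return out;
}
```

On a live page the store would be `documentCookieStore` and `register()` is called at the point where the vendor's tag snippet would otherwise be inlined, so the tag can never run ahead of the choice. Withdrawal stops every later page view from loading the category but cannot un-run a tag already executed in the current view, which is exactly the position §5.5 takes; cookies a third-party domain has already set can likewise only be cleared by the user.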
5.6 Cookie Wall Prohibition
Monek does not operate a "cookie wall" — Monek does not condition access to the website (or any non-paid service) on the user accepting non-essential cookies. The "Reject all" option is fully functional.
5.7 Cookie Lifetimes
Cookie lifetimes follow POL-508 §7.5:
- Essential cookies: session, or the lifetime defined for that cookie in the inventory; not extended beyond strict need
- Analytics / optional cookies: maximum 26 months from last user activity
- Web server logs (separate from cookies): 12 months
Where Monek uses a third-party cookie or pixel (e.g., a retargeting platform), Monek satisfies itself that the third party's cookie lifetimes are within these parameters and that the user has consented to the third-party processing.
5.8 Third-Party Cookies and Pixels
Where Monek uses third-party cookies or pixels (e.g., social network conversion pixels, advertising network cookies), Monek treats the third party as a recipient of personal data. The relationship is governed by:
- Consent obtained at the banner (no third-party non-essential cookie is set without it)
- Article 28 contractual obligations where the third party processes Monek-supplied data on Monek's behalf (POL-507)
- An entry on the Sub-processor Register where the third party qualifies as a processor
5.9 Browser DNT / "Do Not Track"
DNT is not a binding standard and is not consistently implemented across browsers. Monek's cookie banner is the authoritative mechanism for capturing user preferences. Monek never treats a DNT signal, or its absence, as consent. Where a browser does signal DNT, Monek does not override that preference: non-essential cookies are not set unless the user subsequently makes an explicit choice through the banner.
6. Electronic Direct Marketing
6.1 Email and SMS Marketing — Individuals (PECR Reg 22)
Direct marketing to individuals by email or SMS requires prior consent, except where the soft opt-in in §6.3 applies. Consent must be:
- Specific to Monek's marketing (not buried in general terms and conditions)
- Informed — the user knows what they are signing up to
- Granular — separately captured from any consent for other processing
- Auditable — recorded with the date, source, channel and wording of the consent ask (POL-508 §7.6)
- Withdrawable — through a one-click unsubscribe in every marketing email or a clear reply mechanism in every marketing SMS
6.2 Email and SMS Marketing — Corporate Subscribers (B2B)
Direct marketing to corporate subscribers is subject to lighter requirements under PECR. Corporate subscribers are limited companies, LLPs, PLCs and Scottish partnerships; sole traders and other unincorporated partnerships are individual subscribers for this purpose and are covered by §6.1. Monek nevertheless:
- Provides a clear opt-out in every B2B marketing email
- Honours opt-out requests within a reasonable time and adds the contact to the suppression list (§6.5)
- Identifies itself clearly as the sender, with a valid reply address
- Does not contact corporate subscribers who are on the CTPS for telephone marketing (§6.6)
6.3 Soft Opt-In (PECR Reg 22(3))
The soft opt-in allows Monek to send marketing email or SMS to an individual without prior consent, where all of the following are true:
- Monek obtained the contact details in the course of a sale, or negotiations for a sale, of a product or service to that individual
- The marketing is for similar products or services to those sold or negotiated
- The individual was given a simple and easy way to opt out at the time the details were collected and in every subsequent message
- The individual has not opted out
This is a narrow basis and Monek does not rely on it speculatively. Where the soft opt-in does not clearly apply, Monek seeks consent.
6.4 Right to Object — One-Click Unsubscribe
Every marketing email Monek sends contains:
- A one-click unsubscribe link (no login, no multi-step process)
- An identification of the sender (Monek Group Limited, with its registered address)
- A reply-to address that is monitored
Every marketing SMS contains a clear reply mechanism (typically replying "STOP" or similar) which Monek monitors and acts on.
Unsubscribe requests are processed within 3 working days as a working target; PECR and UK GDPR Article 21 require action "without undue delay" and set no fixed period.
6.5 Suppression List
When a contact opts out (or is otherwise excluded from marketing), Monek adds them to the suppression list:
- The suppression list is retained indefinitely (POL-508 §7.6) — removing a contact from the suppression list would defeat the purpose of the opt-out
- The suppression list contains the minimum data necessary to honour the opt-out: name, contact identifier (email / phone / postal), opt-out date, channel(s) opted out of
- The suppression list is screened against every marketing send, before the send goes out
- Contact details on the suppression list are not marketing data — they are anti-marketing data, used only to ensure marketing is not sent. They are not used for any other purpose.
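The two controls in §6.4 and §6.5 that are most often got wrong in practice are identifier matching (an opt-out recorded as `a.smith@example.com` must still suppress `A.Smith@Example.com`, and `07700 900123` must match `+447700900123`) and the one-click mechanism itself, which for email is the RFC 8058 `List-Unsubscribe-Post` header pair. The following is an added example, not Monek's marketing platform code; the record shapes, the normalisation rules, the `+44` default country and the unsubscribe endpoint URL are assumptions, and the sample contacts are constructed (07700 900xxx is a UK number range reserved for fiction).

```javascript
// Added example, not Monek's code: screen a marketing send against the suppression list
// before it goes out (§6.5) and stamp each email with RFC 8058 one-click unsubscribe
// headers (§6.4). Endpoint URL, record shapes and normalisation rules are assumptions.

const UNSUBSCRIBE_BASE = 'https://www.monek.com/unsubscribe'; // assumed endpoint

function normaliseEmail(addr) {
  // Folding the whole address to lower case is deliberate: an opt-out must match
  // however the address was capitalised at the time it was captured.
  return String(addr).trim().toLowerCase();
}

function normalisePhone(num, defaultCountry = '+44') {
  let d = String(num).replace(/[^\d+]/g, '');                 // drop spaces, dashes, brackets
  if (d.startsWith('00')) d = '+' + d.slice(2);               // international dialling prefix
  else if (d.startsWith('0')) d = defaultCountry + d.slice(1); // national format
  else if (!d.startsWith('+')) d = '+' + d;
  return d;                                                   // E.164 style, e.g. +447700900123
}

function suppressionKey(channel, identifier) {
  return channel + ':' + (channel === 'sms' ? normalisePhone(identifier) : normaliseEmail(identifier));
}

// Entries: { identifier, channel: 'email' | 'sms' | 'all', optOutDate }. An 'all' opt-out
// is recorded against whichever channel the identifier can actually be used on.
function buildSuppressionIndex(entries) {
  const keys = new Set();
  for (const e of entries) {
    const channels = e.channel === 'all' ? ['email', 'sms'] : [e.channel];
    const isEmail = e.identifier.includes('@');
    for (const ch of channels) {
      if ((ch === 'email') === isEmail) keys.add(suppressionKey(ch, e.identifier));
    }
  }
  return keys;
}

// Runs immediately before a send; anything suppressed never reaches the sending platform.
function screenSend(recipients, channel, index) {
  const approved = [], suppressed = [], skipped = [];
  for (const r of recipients) {
    const id = channel === 'sms' ? r.phone : r.email;
    if (!id) { skipped.push(r.id); continue; }                 // no usable identifier for this channel
    (index.has(suppressionKey(channel, id)) ? suppressed : approved).push(r.id);
  }
  return { approved, suppressed, skipped };
}

// RFC 8058: the mail client POSTs "List-Unsubscribe=One-Click" to the https URI, so the
// endpoint must act on that POST without login. The token is an opaque per-recipient value
// stored with the contact (assumed); the address itself never goes in the URL.
function unsubscribeHeaders(token) {
  return {
    'List-Unsubscribe': '<' + UNSUBSCRIBE_BASE + '?t=' + encodeURIComponent(token) + '>',
    'List-Unsubscribe-Post': 'List-Unsubscribe=One-Click',
  };
}

function demo() {
  const suppression = [ // constructed sample data
    { identifier: 'A.Smith@Example.com', channel: 'email', optOutDate: '2025-03-01' },
    { identifier: '07700 900123', channel: 'all', optOutDate: '2025-11-14' },
  ];
  const recipients = [ // constructed sample data
    { id: 'c1', email: 'a.smith@example.com' },
    { id: 'c2', email: 'b.jones@example.com', phone: '+44 7700 900555' },
    { id: 'c3', phone: '+447700900123' },
    { id: 'c4', phone: '07700 900999' },
  ];
  const index = buildSuppressionIndex(suppression);
  return {
    email: screenSend(recipients, 'email', index),   // c1 suppressed, c2 approved
    sms: screenSend(recipients, 'sms', index),       // c3 suppressed, c2 and c4 approved
    headers: unsubscribeHeaders('t0k3n-example'),
  };
}
```

The index is rebuilt from the suppression list at send time rather than cached, so an opt-out processed minutes before a campaign still takes effect; the `optOutDate` is kept on the entry for the audit trail but plays no part in matching, because the list is honoured indefinitely.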
6.6 Telephone Marketing (PECR Reg 21)
Live (non-automated) telephone marketing to individuals and corporate subscribers is permitted only where:
- The number has been screened against the TPS (for individuals) and CTPS (for corporate subscribers) and is not registered; and
- The recipient has not previously told Monek not to call
Monek re-screens against TPS / CTPS at intervals no longer than the 28 days recommended in TPS guidance. Automated marketing calls (recorded message calls) require prior specific consent; Monek does not currently make automated marketing calls.
6.7 Children
Monek's services are not directed at individuals under 18. Monek does not knowingly send direct marketing to anyone under 16. If Monek inadvertently obtains contact details for a child, those details are removed from any marketing list without undue delay (POL-508 §7.9) and added to the suppression list.
7. Other PECR Areas
7.1 Security Communications
Monek's transactional and security communications (e.g., breach notifications, security alerts, password resets) are not direct marketing and are not subject to PECR Reg 22. They are sent as required to operate Monek's services and to meet Monek's UK GDPR obligations.
7.2 Confidentiality of Communications (PECR Reg 5)
Monek does not intercept or monitor electronic communications other than as permitted in the Acceptable Use Policy (POL-122) and the Employee Privacy Notice (POL-602).
7.3 Itemised Billing, Calling Line Identification and Other Reg 7–18 Areas
Not applicable in Monek's current operating model — Monek does not provide a public electronic communications service.
8. Roles and Responsibilities
| Role | Responsibility |
|---|---|
| Operational Owner — Data Protection | Maintains this policy; owns the cookie banner configuration and inventory; coordinates the quarterly PECR compliance check |
| Data Protection Officer | Approves this policy; advises on cookie / marketing questions; signs off any change to the consent or unsubscribe mechanisms |
| Marketing Lead | Operates Monek's direct marketing — owns the consent capture, the suppression list, the one-click unsubscribe and the TPS / CTPS screening processes; provides marketing volume statistics to the DPO |
| Information Security / IT Lead | Implements the technical controls behind the cookie banner; ensures cookies are not set before consent; verifies third-party cookies and pixels |
| All Monek personnel | Do not send Monek-branded direct marketing outside the channels and lists governed by this policy; do not introduce new cookies, pixels, or third-party SDKs to Monek surfaces without DP / Security review |
| Sub-processors | Where they process Monek marketing data, operate consistently with this policy and POL-507 |
9. Audit and Review
9.1 Quarterly PECR Compliance Check
The Operational Owner — Data Protection (or their delegate) conducts a quarterly check:
- Cookie banner displays correctly on the Monek site (and any other surfaces in scope)
- Cookie inventory matches what is actually being set
- No cookie set before consent
- One-click unsubscribe works on every marketing send sampled
- Suppression list is screened against every marketing send
- TPS / CTPS screening is current
- Consent records are complete for the sampled period
The outcome is recorded as a footer comment on this page or in the ISMS Management Review minutes.
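The first three items of the quarterly check ("banner displays", "inventory matches what is set", "no cookie set before consent") can be evidenced from captured `Set-Cookie` headers rather than by eyeballing a browser. The check below is an added example and not part of the policy or of any Monek tooling: it takes the headers from two fresh browser sessions, one where no banner choice was made and one after "Accept all" (how they are captured, for instance from a proxy or a HAR export, is outside the example), and compares them with the inventory. The inventory shape, the category names, the approximation of §5.7's 26 months as 790 days, and all cookie names and values are assumptions or constructed sample data.

```javascript
// Added example, not Monek's code: evidence for the §9.1 items "inventory matches what is
// actually being set" and "no cookie set before consent", driven by captured Set-Cookie
// headers. Inventory shape, category names and the 790-day figure are assumptions.

const MAX_OPTIONAL_LIFETIME_SECONDS = 790 * 24 * 3600; // §5.7's 26 months, approximated

// Parses one Set-Cookie header into its name and effective lifetime in seconds (null =
// session cookie). Max-Age wins over Expires (RFC 6265); Expires is measured from the
// capture time, not from when the check is run.
function parseSetCookie(header, capturedAt) {
  const parts = header.split(';').map((s) => s.trim());
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  let maxAge = null, expires = null;
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key === 'max-age' && /^-?\d+$/.test(val)) maxAge = parseInt(val, 10);
    else if (key === 'expires') expires = Date.parse(val);
  }
  let lifetimeSeconds = null;
  if (maxAge !== null) lifetimeSeconds = maxAge;
  else if (expires !== null && !Number.isNaN(expires)) lifetimeSeconds = Math.round((expires - capturedAt) / 1000);
  return { name, lifetimeSeconds };
}

// inventory: { [cookieName]: { category, maxAgeSeconds } }, maxAgeSeconds null for session cookies.
function auditCookies(inventory, preConsentHeaders, afterAcceptAllHeaders, capturedAt) {
  const findings = new Map(); // keyed on cookie+rule so a cookie seen in both captures is reported once
  const seen = new Set();
  const report = (cookie, rule, detail) => findings.set(cookie + '|' + rule, { cookie, rule, ...detail });

  const check = (headers, phase) => {
    for (const h of headers) {
      const { name, lifetimeSeconds } = parseSetCookie(h, capturedAt);
      seen.add(name);
      const declared = inventory[name];
      if (!declared) { report(name, 'undeclared', { phase }); continue; }
      if (phase === 'pre_consent' && declared.category !== 'essential')
        report(name, 'set_before_consent', { category: declared.category });
      const persistent = lifetimeSeconds !== null;
      if (persistent && (declared.maxAgeSeconds === null || lifetimeSeconds > declared.maxAgeSeconds))
        report(name, 'lifetime_exceeds_inventory', { observed: lifetimeSeconds, declared: declared.maxAgeSeconds });
      if (persistent && declared.category !== 'essential' && lifetimeSeconds > MAX_OPTIONAL_LIFETIME_SECONDS)
        report(name, 'lifetime_exceeds_policy', { observed: lifetimeSeconds });
    }
  };
  check(preConsentHeaders, 'pre_consent');
  check(afterAcceptAllHeaders, 'after_accept_all');
  // Inventory entries never observed are either stale or page-specific; a human confirms which.
  for (const name of Object.keys(inventory)) if (!seen.has(name)) report(name, 'not_observed', {});
  return [...findings.values()];
}

function demo() {
  const capturedAt = Date.UTC(2026, 5, 8); // capture taken 8 June 2026 (constructed)
  const inventory = { // constructed sample inventory
    sessionid:    { category: 'essential', maxAgeSeconds: null },
    csrftoken:    { category: 'essential', maxAgeSeconds: null },
    lb_route:     { category: 'essential', maxAgeSeconds: null },
    mk_analytics: { category: 'analytics', maxAgeSeconds: 63072000 }, // 730 days
    ad_track:     { category: 'marketing', maxAgeSeconds: 63072000 },
  };
  const preConsent = [ // constructed headers from a session with no banner choice made
    'sessionid=9f2c1a; Path=/; Secure; HttpOnly; SameSite=Lax',
    'csrftoken=d41d8c; Path=/; Secure; SameSite=Strict',
    'mk_analytics=a1b2c3; Max-Age=63072000; Path=/',                  // tag fired before any choice
  ];
  const afterAcceptAll = [ // constructed headers from a session after "Accept all"
    'sessionid=9f2c1a; Path=/; Secure; HttpOnly; SameSite=Lax',
    'mk_analytics=a1b2c3; Max-Age=63072000; Path=/',
    'ad_track=x9y8z7; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/', // far beyond 26 months
    'lang=en; Max-Age=31536000; Path=/',                              // not in the inventory
  ];
  return auditCookies(inventory, preConsent, afterAcceptAll, capturedAt);
}
```

Run against the constructed sample, `demo()` produces five findings: the analytics cookie set before any choice, the marketing cookie whose lifetime exceeds both its declared value and the policy ceiling, the undeclared `lang` cookie, and the `lb_route` inventory entry that was never observed. A clean quarter is an empty array; anything else goes into the footer comment or the Management Review minutes with the capture attached.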
9.2 Annual Review
Annually, the Operational Owner — Data Protection reviews:
- Changes in PECR or related legislation (e.g., further DUAA secondary legislation)
- Changes in ICO guidance on cookies and electronic marketing
- New cookie technologies introduced (pixel, fingerprinting, server-side analytics, etc.)
- New marketing channels (e.g., push notifications, in-app messaging) — these are added to scope as they are introduced
- Sub-processor changes (e.g., new marketing platform, new analytics provider)
The annual review is signed off by the DPO.
9.3 Board Reporting
The DPO reports PECR compliance to the Board annually as part of the data protection report. Material PECR events (any enforcement, any material complaint, any cookie banner outage) are reported at the next Board meeting.
10. Related Documents
| Document | Relationship |
|---|---|
| POL-601 Data Protection Policy | Master policy — §18 referenced this policy as forthcoming |
| POL-503 Privacy Notice | §11 references this policy; customer-facing transparency on cookies |
| POL-602 Employee Privacy Notice | Employees as marketing list subjects and as employer-monitored users |
| POL-508 Personal Data Retention Policy and Schedule | §7.5 cookie retention; §7.6 marketing consent and suppression list retention |
| POL-507 Personal Data Sub-processor Policy | Governance of marketing and analytics sub-processors |
| Sub-processor Register | MailChimp and any other marketing / analytics sub-processors |
| POL-122 Acceptable Use Policy | Personnel rules — including on use of personal devices, internet, email |
| PRO-601 Data Subject Rights Procedure | Right to object handling (Article 21); right to withdraw consent |
| PRO-603 DPIA Procedure | DPIA trigger if a new marketing technology or new cookie purpose materially changes processing |
11. Document Control
11.1 Version History
| Version | Date | Author (role) | Summary of change |
|---|---|---|---|
| 1.1 | 8 June 2026 | Operational Owner — Data Protection | Approved and put live (DPO sign-off). Removed the "-2026" suffix from sibling references, repointed the Privacy Notice, Retention Policy and Sub-processor Policy links to the canonical pages, and hyperlinked PRO-601 and PRO-603 in §10. |
| 1.0 | 12 May 2026 | Operational Owner — Data Protection | Initial issue. Closes the Phase 1 finding that Monek had no formal cookie / PECR policy. Implements POL-601 §18; fills the placeholder referenced from POL-503 §11. DUAA-aware: includes the £17.5m / 4% fine ceiling, the narrow new consent exemptions (security, fraud, auto-auth, statistical analysis with opt-out), and the Information Commission rename. Group-wide. |
11.2 Review Cadence
Annually, or sooner upon material change in legislation, regulatory guidance, marketing practice, cookie technology, or sub-processor arrangements.
11.3 Approval
| Role | Name | Date |
|---|---|---|
| Data Protection Officer | Gareth Berry | 08/06/2026 |
| Operational Owner — Data Protection | Gareth Berry | 08/06/2026 |