In the UK and EU, cookie law – which incorporates several pieces of data protection legislation – means that you must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent – except for cookies that are ‘essential’. Consent must be actively and clearly given. The same rules also apply if you use any other type of technology to store or gain access to information on someone’s device.
In practice, many websites do not comply with cookie law and those that do (or attempt to) present users with cookie pop-ups that invite them to ‘accept’ cookies, but without any meaningful engagement or understanding of the consequences. This has resulted in confusion, frustration and widespread cookie fatigue.
Both the ICO and the government agree that the current approach to regulating cookies doesn’t work very well, either for website users or businesses, and both have recently put forward proposals to tackle the problem.
The ICO’s proposals
In September 2021 the ICO suggested that web browsers, software applications and device settings should allow people to set their own privacy preferences, rather than them having to express a preference each time they visit a website. The ICO says this would help to improve the user experience, minimise the use of personal data and ensure people’s privacy preferences are widely respected.
This approach is already technologically possible and compliant with data protection law. However, it is likely to require co-operation among different standards organisations and/or tech firms. The ICO is therefore encouraging international collaboration in this area via an appeal directly to G7 nations.
UK government proposals
The Department for Digital, Culture, Media and Sport (DCMS) has launched a consultation proposing changes to the UK’s data protection rules which includes the reform of cookie law.
The DCMS proposes a “browser-based solution” whereby, on a one-time basis, users decide upfront which data they consent to being collected through cookies. This is then respected and applied across all the online services those users access.
The DCMS also proposes allowing websites to use analytics and other cookies without first needing to obtain consent.
Finally, the DCMS proposes to increase cookie law fines to the same level as those under the UK GDPR – which would raise the fine limit from £500,000 to £17.5m or 4% of global turnover.
In its response to the DCMS proposals the ICO has expressed support for the government’s browser-based solution. This isn’t surprising as it is strikingly similar to its own proposal to the G7. However, it is not supportive of the idea of expanding the categories of cookie that can be used without consent.
In addition, the ICO has recommended that the government considers legislating to ensure that cookie pop-ups always have a ‘reject’ option in addition to an ‘accept’ option.
Whatever happens, it seems very likely that cookie law will be changed in the UK. What is less certain is what those changes will be. In general, cookie law is good in theory but bad in practice as it struggles to strike a balance between protecting the individual’s right to privacy without making it a cumbersome exercise to do so. While the ICO’s solution is an admirable one with no doubt good intentions, it depends on international agreement which has been sadly lacking in this area so far.
What does this mean for organisations in the UK? For now, it’s business as usual and they must still abide by existing cookie law. However, change is most definitely on the horizon with regard to this and other areas of data protection law in 2022. As always, the best advice is to ensure that you are fully up-to-date with data protection developments, and that you have the necessary expertise – either in-house or through an external specialist – to interpret and implement any new legal requirements.
If you’d like to learn more about how to comply with existing cookie law, read our recent guide here.
Written by Robert Wassall
Robert Wassall is a solicitor, expert in data protection law and practice and a Data Protection Officer. As Head of Legal Services at NormCyber Robert heads up its Data Protection services and advises organisations across a variety of industries. Robert and his team support them in all matters relating to data protection and its role in fostering trusted, sustainable relationships with their clients, partners and stakeholders.