What the current cookie chaos means for UK businesses


Those who follow data protection developments cannot fail to have noticed that the UK rhetoric regarding current data protection law – such as the GDPR – has become somewhat derogatory over the past few months. This comes hot on the heels of the European Parliament’s remonstrations that the UK has been remiss in its own implementation of the GDPR – as demonstrated by the recent vote in favour of a resolution that calls for an action plan to address these deficiencies.

The latest controversy comes in the form of a potential reform of cookie law.

In August, former Culture Secretary Oliver Dowden gave a press interview in which he made it clear that he didn’t think much of current cookie law, which he described as “pointless” and promised to radically overhaul, to ensure that it is “based on common sense, not box-ticking.” This represents yet another potential departure from the UK GDPR, which came into effect as part of Brexit and which is currently an almost exact replica of the EU GDPR.

This was followed in September by a plea by the head of the ICO – Elizabeth Denham – to G7 countries to work together to overhaul cookie consent pop-ups, “so people’s privacy is more meaningfully protected, and businesses can provide a better web browsing experience”.

The ICO has presented a vision for the future, where web browsers, software applications and device settings allow people to set lasting privacy preferences of their choosing, rather than expressing a preference each time they visit a website. This, it is claimed, will:

  • Ensure people’s privacy preferences are respected
  • The use of personal data is minimised
  • Improve users’ browsing experience and
  • Remove barriers to businesses.

The ICO says this approach is already technologically possible and compliant with data protection law, and is encouraging international collaboration.

Whether the G7 will unite and take action, but the likelihood of the EU relaxing its views and agreeing work with other countries – not necessarily just the UK – on a common and less cumbersome approach to data protection law seems slim.

What does this mean for UK companies? For the time being, it’s business as usual when it comes to ensuring that you are fully compliant with cookie law. If you need a refresher, take a look at our handy guide to cookie compliance. We should expect changes to cookie law and other data protection regulations over the coming months and years, and for those organisations with multiple legal entities in different countries these changes may be complex and resource-intensive to implement.

As ever, organisations with a qualified expert in data protection law on hand will be best equipped to deal with these changes with minimum disruption to business operations and the customer experience.

Outsourced services are available such as norm.‘s data protection offerings.

Robert wassall

Written by Robert Wassall
Robert Wassall is a solicitor, expert in data protection law and practice and a Data Protection Officer. As Head of Legal Services at NormCyber Robert heads up its Data Protection as a Service (DPaaS) solution and advises organisations across a variety of industries. Robert and his team support them in all matters relating to data protection and its role in fostering trusted, sustainable relationships with their clients, partners and stakeholders.