Out-Law Guide | 05 Feb 2019 | 1:18 pm | 4 min. read
This guide was last updated in January 2019. It previously appeared on the AboutCookies.org site, which like Out-Law.com was run by Pinsent Masons.
We provide that here and many organisations link to our guidance rather than increase already-lengthy privacy policies. You can too, there is no charge for this and you don't need our specific permission. We used to provide this at AboutCookies.org, but now provide it here instead.
The EU's E-Privacy Directive of 2002 required that website visitors be given certain information about cookies. From 26 May 2011 the law changed meaning that in addition to the provision of certain information visitors must give their consent to the placing of cookies.
In the UK the laws that give effect to the EU legislation are the Privacy and Electronic Communications (EC Directive) 2003 as amended by the Regulation of 2011 (PECR).
When EU cookies law changes were implemented in 2011 there was some confusion about how websites should seek and get cookie consent. Most sites used a notice for first-time visitors which sought to obtain consent and assumed consent if someone continued to use the site without expressing a preference.
From 25 May 2018 the General Data Protection Regulation (2018 Act) came into force. It says that consent for data processing has to be given by users through a "clear affirmative action" and it must be freely given, specific, informed and unambiguous. It is harder to satisfy these consent requirements and means that the user should be given a real choice about which cookies, other than strictly necessary cookies, are used when they browse the website.
Obtaining users' consent to the placing of a cookie is technically more difficult. The ICO guidance suggests a number of different ways to obtain consent. This guidance has yet to be updated by the ICO so the suggestions below are a starting point, as any mechanism used will also need to satisfy the requirements of consent under the 2018 Act:
All of the above mechanisms are used to varying degrees of success across websites. Whichever method you choose, cookies should not drop until the user takes some form of positive action on the website.
To try to satisfy the new consent requirements under the 2018 Act, a number of companies have developed cookie tools and privacy management software which allow an individual to set their cookies preferences by enabling them, for example, to reject the use of analytical, marketing or advertising cookies. Such tools are also a mechanism through which the website owner can seek to obtain and record the individuals' consent so that they can evidence such consent at a later date. These tools also allow an individual to change their preferences. This is important as an individual has the right to withdraw their consent as easily as they have given it. As such tools and software are relatively new to the market they have not as yet been given any regulatory or supervisory authority approval.
Very few sites do this as it could place them at a competitive disadvantage to competitors and sites outside the EU. A non-cookie site may lose revenues from advertising meaning that it is not cost effective to run such a site, and the site would not be able to measure traffic or learn about its users via tools such as Google Analytics, which is cookie-dependent.
Website owners/businesses should consider what would work for them by looking at their business and how they use their website.