Cookie law faces revamp under UK data reforms

Out-Law News | 10 Sep 2021 | 3:43 pm | 3 min. read

The UK government is considering withdrawing the requirement for consent to cookies from UK law.

The option is being explored by the Department for Digital, Culture, Media and Sport (DCMS) as part of a wide-ranging consultation on data-related reforms. If introduced, it would represent a major change to the way the use of cookies and similar tracking technologies are governed under UK law currently as well as a major departure from EU cookies law.

Cookies are small text files that record internet users' online activity. They are vital to the operation of websites and to the digital advertising ecosystem.

However, current rules, set out in the Privacy and Electronic Communications Regulations (PECR) in the UK, prohibit the storing and accessing of information on users' computers unless those users have given their consent on the basis that they have had access to clear and comprehensive information about the purposes of the processing. An exception to the consent requirements exists where the cookie is "strictly necessary" for the provision of a service explicitly requested by the user.

The government said the current consent rules are “not risk-based and … interpreted very narrowly” and results in users being presented with “pop-up notifications” whenever they visit a website or access a digital service. It said there is evidence that many users “do not engage with privacy information and controls, and simply accept the terms or use of cookies because they want to access the website”.

Department for Digital, Culture, Media and Sport

UK govermment

An alternative approach is the removal of the requirement for prior consent for all types of cookies

The government has presented two concrete proposals for reform to make the consent rules less restrictive.

Under the first proposal, organisations would be able to use analytics cookies and similar technologies without the user’s consent.

“In effect, these cookies would be treated in the same way as 'strictly necessary' cookies under the current legislation for which consent is not required,” DCMS said. “However, further safeguards may need to be considered to ensure that such processing poses a low impact on users' privacy and a low risk of harm. This option would not remove the requirement on organisations to provide the user with clear and comprehensive information about the measurement technologies that are active on their device and the purposes behind the use of the technology.”

A second option the government is considering is to allow the use of cookies without consent “for other limited purposes”.

DCMS said: “This could include processing that is necessary for the legitimate interests of the data controllers where the impact on the privacy of the individual is likely to be minimal – such as when detecting technical faults or enabling use of video or other enhanced functionality on websites.”

“The purposes of the processing would need to be carefully explained. Any list of exceptions to the consent requirement would need to be kept up to date in order to respond to technological advancements. Additional safeguards could also be explored, as appropriate, such as: the use of pseudonymisation; mandating that information is not used to build a profile of the user; or requiring the use of transparency notices,” it said.

More radical proposals to remove cookie consent requirements altogether were also outlined in the government’s paper.

It said: “An alternative approach is the removal of the requirement for prior consent for all types of cookies... Although this would make compliance with PECR more straightforward for organisations, they would continue to be required to comply with UK GDPR principles on lawfulness, fairness and transparency when using cookies or similar technologies. The government would welcome views on how organisations could comply with these principles without the use of cookie pop-up notices.”

Information law expert Claire Edwards of Pinsent Masons, the law firm behind Out-Law, said: “Whilst the two main options contained in the consultation would certainly assist to reduce some of the cookie consent requirements in place today, they would not act to remove cookies for marketing or real-time bidding or building profiles of users, where much of the tracking activity is focused today.”

“We note the government is also keen to hear options to entirely remove pops up all together and encourages responses with ideas to do this. Certainly, a solution which looks to centralise consent and set preferences at a device or browser level would help to achieve this. However, this may raise competition issues and potentially undermine the real-time bidding market as we know it,” she said.

Jonathan Kirsop, also of Pinsent Masons, said: “Though EU law makers are considering loosening cookie consent rules to enable cookies to be served without the need for consent for web analytics measuring, the UK’s proposals are, potentially, much more radical. If the UK diverges with the EU in this regard it will be interesting to see how this flows down to wider interpretative difference with respect to the UK GDPR itself in a way which – as threatened by European regulators – may call into question the adequacy granted to the UK for in-bound data transfers from the EU.”

“With its other proposals for reform of data protection law, the government is suggesting it is at least prepared to explore a different route and weigh up the risks and benefits of that adequacy status against reforms to data protection law,” he said.