The government has recently announced that the UK’s new Information Commissioner will have the responsibility of bringing in a post-Brexit “shake-up” of UK data protection laws with Culture Secretary, Oliver Dowden, stating that the aim is to introduce “proportionate” new rules balancing privacy rights and promoting “innovation and economic growth”. As part of the announcements, Oliver Dowden specifically targeted cookies and recommended the removal of “endless” cookie pop-ups asking for permission to store a user’s personal information, except on high-risk sites.
What is the law now?
Regulation 6 of PECR states as follows:
“a person shall not use an electronic communications network to store information or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment—
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) is given the opportunity to refuse the storage of or access to that information.”
- the website visitor must take clear and positive action to give their consent to non-essential cookies – continuing to use a website does not constitute valid consent;
- a business must clearly inform users about what the cookies on their website are and what they do before the visitor expressly consents to them being set;
- if a business is using any third party cookies, the business must clearly and specifically name who the third parties are and explain what they will do with the information;
- businesses cannot use any pre-ticked boxes (or equivalents such as ‘on’ sliders) for non-essential cookies;
- businesses must provide website visitors with controls over any non-essential cookies, and still allow the visitors access to the website if they don’t consent to these non-essential cookies; and
- businesses must ensure that any non-essential cookies are not placed on the website’s landing page (and similarly that any non-essential scripts or other technologies do not run until the visitor to the website has given their consent).
If businesses do not comply with all of the above, they are likely to be breaching PECR.
The Information Commissioner’s Office (ICO) could (if it became aware of the breach) investigate the intrusion, the efforts made by the business to provide clear information and obtain consent, and any concerns the website visitor has raised regarding an invasion of their privacy. If an infringement is found, the sorts of enforcement action that the ICO could take include sending information notices asking for information, issuing an enforcement notice, asking website holders to implement changes or issuing a penalty notice. The ICO has, however, stated that it looks at all of the facts rather than levying fines immediately.
What are users’ remedies?
We have discussed the regulatory implications of not complying with PECR but businesses should also bear in mind that individual users may also have certain financial remedies if a business does not comply with PECR and UK GDPR. Whilst it would be usual to have to prove actual loss suffered when making a claim, in a recent Court of Appeal decision (Google Inc. v Vidal-Hall and Lloyd v Google LLC) it was confirmed that damages are capable of being awarded for loss of control of data under the Data Protection Act 1998 s.13, without the claimant proving pecuniary loss or distress. There have been suggestions that the Vidal-Hall case may be overturned.
With the prospect of informed users being familiar with their rights under PECR and UK GDPR, businesses should be aware that if they are not compliant in all respects, they are potentially exposed to small claims brought by visitors to their websites whose devices have had cookies placed on them without proper consent, and collectively such small claims can prove costly. Any business currently using cookies on its website should therefore take this issue seriously and ensure that it is compliant with PECR and the UK GDPR.
Going forward, it seems the UK is likely to see a new approach to cookies under the post-Brexit ‘shake-up’ of data protection laws. However, any legislative change is going to take time to plan and integrate. Therefore, it is still important to “have your house in order” and avoid any unwelcome liability pending any changes to the law. It will certainly be interesting to see the further announcements that will follow, but in the meantime, all businesses should check their approach to cookies under the current UK GDPR and PECR laws and regulations.