Call us now 

0344 967 0793

Related Services

Data Protection & GDPR

Many businesses use cookies on their websites. A cookie is a small file of letters and numbers that is downloaded onto your computer when you visit a website. Cookies can do things like counting the number of people visiting a website, remembering visitors’ preferences and what they added to their shopping basket.

Whilst many cookies are safe, they can feel like an invasion of privacy and in the wrong hands, can be used for more sinister purposes. It is, therefore, very important for businesses to notify visitors to their website that cookies are being used, tell visitors what those cookies are and give the visitor options to either give their informed consent to the website’s use of cookies, customise the cookies (i.e. to not allow the use of non-essential cookies) or to leave the website if they are not happy with the site using the cookies.

The government has recently announced that the UK’s new Information Commissioner will have the responsibility of bringing in a post-Brexit “shake-up” of UK data protection laws with Culture Secretary, Oliver Dowden, stating that the aim is to introduce “proportionate” new rules balancing privacy rights and promoting “innovation and economic growth”. As part of the announcements, Oliver Dowden specifically targeted cookies and recommended the removal of “endless” cookie pop-ups asking for permission to store a user’s personal information, except on high-risk sites.

The view was expressed that too many alerts are being sent to website users seeking consent for the use of cookies and therefore spoiling users’ enjoyment of the internet. Oliver Dowden also suggested that needless bureaucracy and box-ticking should be replaced with a lighter touch to protecting data privacy, with the UK being able to build “data adequacy” partnerships to enable personal data to be sent internationally more easily. It seems there is a clear intention of the UK, post-Brexit, to steer away from the European GDPR laws which were introduced to protect data subjects’ personal data. It is a bold reform which is proposed and it has been met with resistance from people who welcome more stringent data protection laws and regulations. It is not yet known how the UK will move forward with data protection and the use of cookies, but it will be interesting to see how the proposed reforms progress.

What is the law now?

Currently, the Privacy and Electronic Communications Regulations (PECR) governs the use of cookies.

Regulation 6 of PECR states as follows:

“a person shall not use an electronic communications network to store information or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment—

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) is given the opportunity to refuse the storage of or access to that information.”

In order to comply with PECR, a business must therefore clearly provide information about the cookies used and seek express consent from a visitor to their website to the use of cookies. ICO guidance confirms that consent under Article 4(11) of the UK GDPR means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” It is therefore not sufficient for a visitor to be presumed to consent by their use of the website or the presence of a cookie policy amongst the website’s legal documentation, (silence or inactivity does not constitute consent). Recital 32 of the UK GDPR also specifically bans pre-ticked boxes. The visitor must consciously tick the box to agree to the use of cookies.

As the law currently stands, we would advise businesses to therefore consider how their website uses cookies and bear in mind, in particular, the following points:

  1. the website visitor must take clear and positive action to give their consent to non-essential cookies – continuing to use a website does not constitute valid consent;
  2. a business must clearly inform users about what the cookies on their website are and what they do before the visitor expressly consents to them being set;
  3. if a business is using any third party cookies, the business must clearly and specifically name who the third parties are and explain what they will do with the information;
  4. businesses cannot use any pre-ticked boxes (or equivalents such as ‘on’ sliders) for non-essential cookies;
  5. businesses must provide website visitors with controls over any non-essential cookies, and still allow the visitors access to the website if they don’t consent to these non-essential cookies; and
  6. businesses must ensure that any non-essential cookies are not placed on the website’s landing page (and similarly that any non-essential scripts or other technologies do not run until the visitor to the website has given their consent).

If businesses do not comply with all of the above, they are likely to be breaching PECR.

The Information Commissioner’s Office (ICO) could (if it became aware of the breach investigate the intrusion, the efforts made by the business to provide clear information and obtain consent and deal with any concerns the website visitor has regarding an invasion of their privacy. If an infringement is found, the sorts of enforcement action that the ICO could take include sending information notices asking for information, issuing an enforcement notice, asking website holders to implement changes or issuing a penalty notice. The ICO has, however, stated that they look at all of the facts rather than levying fines immediately.

What are users’ remedies?

We have discussed the regulatory implications of not complying with PECR but businesses should also bear in mind that individual users may also have certain financial remedies if a business does not comply with PECR and UK GDPR. Whilst it would be usual to have to prove actual loss suffered when making a claim, in a recent Court of Appeal decision (Google Inc. v Vidal-Hall and Lloyd v Google LLC) it was confirmed that damages are capable of being awarded for loss of control of data under the Data Protection Act 1998 s.13, without the claimant proving pecuniary loss or distress. There have been suggestions that the Vidal-Hall case may be overturned.

With the prospect of informed users being familiar with their rights under PECR and UK GDPR, businesses should be aware that if they are not compliant in all respects, they are potentially exposed to small claims being brought by visitors to their websites if cookies are placed on their devices without proper user consent, and collectively such small claims can prove costly.  This is therefore an issue to take seriously for any businesses using cookies currently on their website to ensure they are compliant with PECR and the UK GDPR.

Going forward, it seems the UK is likely to see a new approach to cookies under the post-Brexit ‘shake-up’ of data protection laws. However, any legislative change is going to take time to plan and integrate. Therefore, it is still important to “have your house in order” and avoid any unwelcome liability pending any changes to the law. It will certainly be interesting to see the further announcements that will follow, but in the meantime, all businesses should check their approach to cookies under the current UK GDPR and PECR laws and regulations.

If you would like more tailored advice on the use of cookies or any other data protection matters, please do get in touch with our Corporate & Commercial team by emailing or calling 01202 786188.

This article was co-written by Ruth Chornolutskyy and Benjamin Kerley.