UAE

Can you place cookies without consent?

Unlike Europe, the UAE does not have separate legislation regulating the use of cookies so general principles of data protection law apply. Therefore, obtaining prior explicit consent will be required.

The federal data protection law in the UAE prohibits the processing of personal data without the consent of the individual and if the cookies process personal data, express consent should be sought prior to the processing as the exemptions to consent are unlikely to apply. Note the conditions for consent:

  • Controller must be able to prove the consent;
  • The consent must be given in clear, simple, unambiguous and easily accessible manner, whether in writing or electronic form;
  • The consent must indicate the right to withdraw and such withdrawal must be easily made; and
  • The individual may withdraw consent at any time and such withdrawal will not affect the legality and lawfulness of the processing made based on the consent given prior to the withdrawal.

Are cookie rules (whether specific or within general data protection laws) followed in practice?

As mentioned above in Q1, there are no specific cookie rules in the UAE and therefore the federal data protection law principles should be applied to the use of cookies which include the processing of personal data.

Are there any exemptions if consent is required?

It is prohibited to process personal data without consent. However, the following cases
are excluded from such prohibition:

  • necessary to protect the public interest;
  • if the personal data that has become available and known to the public by an act of the data subject;
  • necessary to initiate or defend against any actions to claim rights or legal proceedings, or related to judicial or security procedures;
  • necessary for the purposes of occupational or preventive medicine, for assessment of the working capacity of an employee, medical diagnosis, provision of health or social care, treatment or health insurance services, or management of health or social care systems and services;
  • necessary to protect public health, including the protection from communicable diseases and epidemics, or for the purposes of ensuring the safety and quality of health care, medicines, drugs and medical devices;
  • necessary for archival purposes or for scientific, historical and statistical studies;
  • necessary to protect the interests of the data subject;
  • necessary for the controller or data subject to fulfil obligations and exercise legally established rights in the field of employment, social security or laws on social protection;
  • necessary to perform a contract to which the data subject is a party or to take, at the request of the data subject, procedures for concluding, amending or terminating a contract;
  • necessary to fulfil obligations imposed by other laws of the UAE on controllers; and
  • any other cases set by the Executive Regulations (pending publication).

Can you place the following cookies automatically:

i. Analytics cookies, ii. Advertising cookies, iii. Social media cookies

The federal data protection law in the UAE does not distinguish between types of cookies. If cookies process personal data, consent is required prior to processing meaning they should not be placed automatically unless they fall within an exemption.

For example, the processing is necessary:

  • to protect the public interest;
  • if the personal data is publicly available;
  • to initiate or defend against any actions or legal proceedings;
  • for the purposes of occupational or preventive medicine;
  • to protect public health;
  • for archival purposes or scientific, historical, and statistical studies;
  • to protect the interests of the data subject;
  • exercise rights in the field of employment or social security;
  • to perform a contract; and
  • to fulfil obligations imposed by other laws in the UAE

Are you able to gain consent without a user ticking ‘accept’, i.e., imply consent from a user continuing to browse the site?

No, implicit consent would not be sufficient. The consent must be a specific, informed and unambiguous indication of the individual’s agreement to the processing of personal data by a statement or by a clear affirmative action. This means implying consent from a user continuing to browse a site would not be considered valid consent.

Can you set cookies without a cookie notice? 

As the UAE does not have separate legislation regulating the use of cookies, we rely on general principles of data protection law instead. For this reason, it is important to provide a notice to the individuals (in addition to obtaining prior explicit consent), which explains the purpose of the processing, the targeted sectors or establishments with which the personal data is to be shared whether inside or outside the UAE and the protection measures for cross border processing. The notice can be in the form of a privacy notice or a separate cookie notice.

Can you set cookies without a cookie banner/ management tool?

There are no explicit laws on this. However, we recommend implementing a cookie banner with a consent functionality to provide individuals with information about the data processing carried out via cookies and/ or other tracking technologies.

Are you able to use cookie walls? 

If the cookie wall constitutes a hybrid approach that obtains general user consent but leaves out any choice for the user to granulate their consent to certain types of cookies, then this would not be permitted as personal data must be collected for a specific and clear purpose and may not be processed at any subsequent time in a manner incompatible with that purpose; meaning bulk consent is not compliant. However, personal data may be processed if the purpose of processing is similar or close to the purpose for which such data is collected.

Is the local regulator currently enforcing decisions against breaches of cookie rules?

The UAE Data Office has not yet been set up. We do not have any information on the timeframe for its establishment as at the date of this publication.

Are there any current consultations relating to ad tech/cookies?

None that we are aware of.

Are there any anticipated changes to the rules and/ or have there been changes to the attitudes in the market (for example, case law or industry body decisions)?

The executive regulations are expected to provide more guidance and information on the basic data protection principles established in the federal data protection law in the UAE. In terms of timing, the executive regulations were expected to be published within 6 months of the date of promulgation of the data protection law which was in March 2022. However, they were delayed, and no timeframe has been provided for its release as yet.