No.
Consent in the UK has a high threshold due to the governing legislation:
These three acts govern the level of consent required to store cookies and online identifiers; under regulation 6 of UK PECR, consent is required to store cookies and similar technologies on a device.
Note that potential reform of the above laws in the UK is addressed further below.
Yes.
However, some companies take a risk-based approach and place cookies automatically, before or without obtaining consent.
This is partly because fines for breaches of cookie rules (where they do not relate to personal data) still fall under UK PECR and are therefore substantially lower than UK GDPR fines. Again, UK reform is looking to address this (see below).
This is becoming an increasingly risky approach given consumer awareness of cookie rules. Further, the well-known privacy activist group ‘None of Your Business’ (‘NOYB’) has filed multiple complaints with regulators across Europe about website cookie compliance.
Yes. There is the ‘communication’ exemption and an exemption for cookies that are deemed ‘strictly necessary’ (i.e. the cookie must be essential to provide the service requested by the user, e.g. remembering the contents of a user’s shopping basket).
No.
Only strictly necessary cookies can be placed without consent. Any other type of cookie requires consent. Please see horizon scanning below for potential future changes.
No.
Consent must be clearly and actively given (i.e. the user must opt-in). A user just continuing to use the app will not constitute valid consent (i.e. the standard of consent is that of the UK GDPR).
No.
You should provide more detailed information about cookies in a privacy or cookie policy accessed through a link within the consent mechanism (see next question) and at the top or bottom of your website.
The placement of this link depends on the volume of content on the page: the denser the page, the more appropriate it is to include the policy link at the top. The ICO’s guidance on cookies sets out that formatting, position and wording are all key to ensuring the link’s prominence and that users can find it easily.
If children are likely to access your site, you also need to ensure you comply with the ICO’s Age Appropriate Design Code when positioning and writing your notices.
No.
Any consent mechanism you put in place should allow users to have control over all the cookies your website sets, i.e., this must include third-party cookies. Practical points to consider:
This is decided on a case-by-case basis, but most likely will not be possible unless it is low risk and unobtrusive.
Examples of where this ‘take it or leave it’ approach will be inappropriate:
The ICO’s cookie guidance sets out that the key point is that users are given a genuine free choice. Consent should not be bundled up as a condition of the service unless it is necessary for that service.
A cookie wall could be appropriate where it relates to facilitating the provision of the service the user explicitly requests. Note that this does not include third-party services such as analytics services or online advertising.
Yes. There has been a general increase in the number of cookie-related complaints to the ICO in recent years (see here for the exact numbers). The ICO has stated that its cookie-related regulatory priorities are unlikely to cover uses of cookies with a low level of intrusiveness and a low risk of harm to individuals, for example first-party cookies used for analytics purposes where these have a low privacy risk, or cookies that merely support the accessibility of sites and services. When reviewing complaints, the ICO will also consider whether users were informed about the cookies in question and given clear details of how to make choices.
The ICO announced in November 2023 that it had warned the UK’s top websites to make cookie changes (press release here). In particular, the ICO highlighted that some websites do not give users a fair choice over whether or not to be tracked for personalised advertising. The ICO followed up in January 2024, as promised, and confirmed that the response to its call to action had been ‘overwhelmingly positive’. In terms of numbers, it contacted 53 organisations, 38 of which made the required compliant changes, with a further four committing to reach compliance within the next month. The ICO also commented on the ‘ripple effect’ of this call to action, with other organisations taking compliance steps without receiving a letter. The ICO is now writing to ‘the next 100’ and does not intend to stop there. It also plans to roll out an AI solution to help it identify non-compliant website cookie banners.
No, although the ICO’s AdTech investigation first launched in 2019 continues.
Yes.
The new Data Protection & Digital Information (No. 2) Bill (the “Bill”) was introduced on 8 March 2023. Its introduction withdrew the Data Protection & Digital Information Bill, which had been introduced in the summer of 2022 but had since been placed on pause.
The Bill introduces exemptions from the cookie consent requirement for situations deemed to pose a lower risk to user privacy. These include processing:
The ICO’s enforcement powers under ePrivacy are currently tied to the Data Protection Act 1998, so penalties are capped at £500,000. This anomaly is addressed in the Bill: enforcement powers under the UK GDPR and the Data Protection Act 2018 would apply to ePrivacy breaches. As such, breaches could attract the higher maximum penalty cap of £17.5mn (i.e. €20mn) or 4% of worldwide turnover, whichever is higher.