“Common sense, not box-ticking”. The UK Government, led by Culture Secretary Oliver Dowden, has recently announced its first plans to depart from the EU’s data protection regulation (GDPR), and the first item on the agenda is cookies. The above quote, given by Mr Dowden, certainly suggests that the UK views the current cookie regime as pointless bureaucracy, and intends to replace current laws with a more light-touch approach.
What are cookies?
A cookie is a small text file that is downloaded onto a computer, smartphone, or other device when a user accesses a website. It allows the website to recognise that user’s device and store information about the user’s preferences or past actions (amongst other things).
The current regime
The current cookie laws are primarily set out in The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). The PECR rules regarding cookies are not overly prescriptive, but state that anyone who stores or collects cookies must:
Processing of cookie data is also subject to general data protection rules as set out in the version of the GDPR still in effect in the UK: the UK GDPR.
PECR does not set out exactly what information must be provided or how to provide it. The only requirement is that it must be “clear and comprehensive” information about which cookies are used and their purposes.
The risks of the current regime
The most obvious risk of the current regime is that a majority of businesses are not fully complying with applicable laws (likely because they do not understand their obligations). Whilst most businesses now have a generic cookie pop-up notice on their website, most of those notices (i) do not contain the required information or are inaccurate in the information they provide, (ii) assume pre-approved consent from the user or even begin to collect cookies before consent is given, or (iii) do not provide users with the option to reject cookies at all.
A number of websites collect cookie data without consent (either doing so before consent is given, or continuing to do so even after a user has opted out) because the right processes are not in place.
Whilst the penalty for doing this on one occasion is relatively minimal, the likelihood is that if a business has committed such a breach once, they will have done so multiple times (for which the potential liability could be much larger).
We have seen an uptick in consumer cases against websites that fail to comply with cookie law, in which consumers seek damages for the website's failure to comply with applicable privacy law. The case of Halliday v. Creation Consumer Finance Limited is often cited by consumers as authority that they are entitled to nominal damages of £750 for a data protection breach causing distress. This precedent is used by many consumers to claim that placing non-essential cookies on their devices has caused them distress. Regardless of the statements from the Government, the law will take a while to change, and in the meantime it is important for businesses to ensure their website is compliant.
A positive change?
Against this background, the more common-sense approach championed by the Government may be welcomed as a positive change.
So how might the Government look to change the cookie regime?
The UK could push for an approach which is more akin to the approach taken in the USA. This could mean, for example, that once collected, cookies could be used for purposes other than those for which they were originally collected, or even for automated processes (both of which would be restricted under current laws). In theory, this could mean that the list of websites a user or device has visited could be transferred (or sold) to third parties, including advertising companies or insurance companies, or even used by AI to make decisions about an individual (for example, whether to accept an individual for certain insurance policies).
In either case, cookie reforms will provide a litmus test for how the UK intends to treat data protection and should be carefully observed by users and businesses alike.
  EWCA Civ 333