Consenting to cookies on websites
Many websites use cookies and similar technology to access and store information on a user’s computer or mobile device. Cookies can make it easier for a consumer to find what they are looking for on the internet; however, this may come at the cost of allowing a website to have access to their personal information and browsing habits.
In the UK, there are two key pieces of legislation regulating the use of cookies: the UK General Data Protection Regulations (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR).
Regulation on “Consent”
If you operate an online website or mobile app, it is essential to have an understanding of how PECR applies to the use of cookies. Specifically, Regulation 6 of PECR states:
(1) … a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment —
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given their consent.
The concept of “consent” under regulation 6 of PECR corresponds to the standard required for consent under UK GDPR, namely in articles 4 and 7. The regulations can therefore be a difficult area to navigate with the co-existing regimes. Some areas correspond, yet the regulations are mutually exclusive and compliance with UK GDPR will not necessarily ensure compliance with PECR.
Focusing on the aspect of consent, the ICO interprets this to mean the following in relation to cookies:
• The website user must take clear and positive action to give their consent to non-essential cookies – the user continuing to use your website does not constitute valid consent;
• The website operator must clearly inform users about what the cookies are and what they do before they consent to them being set;
• If a website uses any third-party cookies, it must clearly and specifically name who the third parties are and explain what they will do with the information;
• A website operator cannot use any pre-ticked boxes (or equivalents such as ‘on’ sliders) for non-essential cookies;
• A website operator must provide users with controls over any non-essential cookies, and still allow users access to your website if they do not consent to these cookies; and
• A website operator must ensure that any non-essential cookies are not placed on your landing page (and similarly any non-essential scripts or other technologies do not run until the user has given their consent).
Recent Developments
The Information Commissioner’s Office (ICO), the supervisory body, has warned some of the UK’s top websites that they could face enforcement action if they do not make changes to comply with the regulations. In particular, the ICO has noted that some websites do not give their users fair choices over whether they wish to consent to be tracked for personal advertisements.
The ICO has previously issued guidance that stated that making certain choices easier to find distorts a customer’s choice. For example, when considering a website’s cookie banner, it should be as easy to reject non-essential cookies as it is to accept them.
The ICO has warned that if they do not see improvements, they will take enforcement action to protect the consumer’s data protection rights. The ICO is set to provide a further update in January 2024, including naming the companies that have failed to address their compliance concerns.
The regulations can be a difficult area to navigate. If you have any queries as to whether your website is compliant, please get in touch with the Commercial Team and we can assist you.