Consenting to cookies on websites
Regulation on “Consent”
(1) … a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment —
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given their consent.
The concept of “consent” under regulation 6 of PECR corresponds to the standard required for consent under UK GDPR, namely in articles 4 and 7. The regulations can therefore be a difficult area to navigate with the co-existing regimes. Some areas correspond, yet the regulations are mutually exclusive and compliance with UK GDPR will not necessarily ensure compliance with PECR.
Focusing on the aspect of consent, the ICO interprets this to mean the following in relation to cookies:
• The website user must take clear and positive action to give their consent to non-essential cookies – the user continuing to use the website does not constitute valid consent;
• The website operator must clearly inform users about what the cookies are and what they do before they consent to them being set;
• If a website uses any third-party cookies, it must clearly and specifically name who the third parties are and explain what they will do with the information;
• A website operator cannot use any pre-ticked boxes (or equivalents such as ‘on’ sliders) for non-essential cookies;
• A website operator must provide users with controls over any non-essential cookies, and still allow users access to the website if they do not consent to these cookies; and
• A website operator must ensure that any non-essential cookies are not placed on its landing page (and similarly that any non-essential scripts or other technologies do not run) until the user has given their consent.
The Information Commissioner’s Office (the supervisory body) has warned some of the UK’s top websites that they could face enforcement action if they do not make changes to comply with the regulations. In particular, the ICO has noted that some websites do not give their users fair choices over whether they wish to consent to being tracked for personalised advertisements.
The ICO has previously issued guidance stating that making certain choices easier to find distorts a customer’s choice. For example, when considering a website’s cookie banner, it should be as easy to reject non-essential cookies as it is to accept them.
The ICO has warned that if they do not see improvements, they will take enforcement action to protect the consumer’s data protection rights. The ICO is set to provide a further update in January 2024, including naming the companies that have failed to address their compliance concerns.
The regulations can be a difficult area to navigate. If you have any queries as to whether your website is compliant, please get in touch with the Commercial Team and we can assist you.