What Is the Cookie Law in the UK?
In 2012, the UK government made an announcement regarding online privacy and data protection. All public websites were required to demonstrate compliance with new EU laws governing the storage of personal data through cookies.
What Exactly Are Cookies?
Cookies are small text files that reside on a user's device, enabling websites to store information about the user or monitor their online activities. Commonly used for remembering browsing sessions or for targeted advertising, cookies play a crucial role in modern web functionality.
The UK has intensified its crackdown on the use of cookies by some of the nation's most popular websites, threatening fines unless they enhance transparency about the nature of their cookies. These small files, stored by websites on users' computers, serve various purposes from collecting analytical data to personalising online advertisements and monitoring web browsing.
However, the Information Commissioner has expressed concern that major sites are not providing users with "fair choices" regarding cookie usage, as required by law. Websites must now ensure that rejecting cookies is as simple as accepting them, within a 30-day compliance window.
While certain cookies are essential for website functionality, others are employed to track users and serve targeted ads, raising privacy concerns. Despite the importance of cookies in advertising revenue for many websites, their usage can feel invasive to users who experience personalised ads across various online platforms. Cookie consent pop-ups, although intended to give users control, often lack clarity, with simply closing the box inadvertently opting users in or out depending on the website's design.
The Information Commissioner's Office (ICO) has emphasised the importance of making it as easy for users to reject all advertising cookies as it is to accept them. Although websites can still display ads if users reject tracking, these ads must not be personalised based on the user's browsing history.
From targeting gambling addicts with betting offers to distressing women with baby advertisements following a miscarriage, the misuse of personal data has significant implications. While many major websites have complied with cookie regulations, those that have not are urged to make immediate changes or face repercussions.
The Law Around Cookies
Currently, cookie regulations fall under the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR), colloquially known as the "cookie law" due to the prevalence of cookie consent pop-ups.
PECR
In the UK, the relationship between cookies and the Privacy and Electronic Communications Regulations (PECR) is governed by Regulation 6, which addresses the storage and access of information on users' devices. While PECR does not explicitly mention cookies, it outlines strict requirements for obtaining user consent and providing transparent information regarding the use of such technologies.
Regulation 6 says that no information shall be stored or accessed on a user's device unless certain conditions are met. These conditions include providing clear and comprehensive information about the purposes of storing or accessing the information and obtaining the user's consent.
For websites using cookies, compliance involves several key steps. Firstly, websites must clearly state what cookies will be set and provide an explanation of their functionality. This means informing users about how cookies will be used, whether it's for session management, personalisation, or advertising tracking. Secondly, websites must obtain explicit consent from users before storing cookies on their devices. Consent must be freely given, specific, informed, and unambiguous.
It's important to note that PECR's scope extends beyond traditional cookies to include "similar technologies" such as fingerprinting techniques. Therefore, any use of device fingerprinting also falls under PECR. As with cookies, the use of fingerprinting requires providing users with clear and comprehensive information and obtaining their consent, unless exemptions apply.
PECR sets out stringent guidelines to ensure that users are fully informed about the storage and access of information on their devices, whether it be through cookies or similar technologies. Compliance with these regulations is essential for businesses operating online in the UK to maintain transparency and uphold users' rights to privacy and data protection.
GDPR
Under the UK General Data Protection Regulation (GDPR), cookie identifiers fall under the category of "online identifiers," which may constitute personal data in certain circumstances. For instance, a cookie used for user authentication would involve processing personal data as it facilitates logging into an online account.
According to Article 4(1) of the UK GDPR, personal data encompasses any information relating to an identified or identifiable natural person. This includes online identifiers such as cookie identifiers, which can indirectly identify individuals when combined with other information.
Recital 30 elaborates on online identifiers, highlighting that they can be associated with devices, applications, and protocols, potentially allowing for the creation of user profiles. Additionally, various other online identifiers like MAC addresses, advertising IDs, and device fingerprints could also contribute to user identification.
It's essential to recognise that while cookies may not always qualify as personal data, the Privacy and Electronic Communications Regulations (PECR) still apply regardless of whether personal data processing is involved in storing or accessing information on user devices.
When assessing whether an individual is identifiable, it's crucial to consider whether online identifiers, alone or in combination with other available information, can distinguish one user from another. This is especially important when identifiers are used to create user profiles, even if individuals remain unnamed.
Even in scenarios where cookie regulations don't apply, compliance with the GDPR remains essential. For instance, if information is collected to build individual profiles, individuals must be informed about the data collection, its methods, and purposes in line with GDPR requirements.
How Can Gerrish Legal Help?
Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property.
We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements.
We are here to help you. Get in contact with us today for more information.