Cookies, Consent, and Compliance in the UK

Cookies, Consent, and Compliance in the UK

The EU’s 2009 e-Privacy (“Cookie”) Directive is spreading across member states. To date, twenty out of twenty-seven member states have implemented some form of the cookie law. One of the countries currently grappling with cookie law is the UK with its Privacy and Electronic Communication Regulations (PECR), which were amended in 2011 and came into force on May 26 2012. The new cookie law, which combines the ‘consent principle’ from the Data Protection Directive (DPD) with the technical purview of the e-Privacy Directive, forces website operators to obtain “consent in order to store a cookie on a user or subscriber’s device.”

Previously, online actors in the UK were merely required to provide users and subscribers with the ability to opt-out of cookies, without having to provide much information about those cookies. Now, companies will have to provide clear and separate (from the existing privacy policy) information about cookies as well as solicit consent for their use. The new amendments have, however, led to debates about what constitutes “consent” and how to solicit it from online users.

Under PERC, online companies can rely on implied consent. This means that online companies are merely required to provide users with information about the cookies being used on the site, without requiring explicit action. Consent under PERC may diverge from the DPD, which seems to require that consent is communicated by the user, such as ticking a box. To be clear, continued use of a website after a user or subscriber is given information about the cookies used on that site can constitute implied consent. This is closer to an opt-out consent strategy.

Online companies in the UK have been working to implement their new cookie-consent strategies ahead of enforcement by the Information Commissioner’s office (ICO), which officially began this past weekend. While the responsibilities for online companies as set out in PERC have been criticized as being vague, the ICO and other actors have provided significant guidance on the matter. The ICO for example, has released its “Guidance on the Rules on the Use of Cookies and Similar Technologies,” which helps define “consent,” responsibilities that online companies now face, and “practical advice for those trying to comply.”

Despite the push to assist companies in implementing a cookie-consent strategy, many UK companies have found it difficult to contend with the new regulations. Difficulty stems from the legal subjectivity of PERC and technical obstacles, which include the large number of cookies used on most websites and the varying applications of each cookie (some of which are essential for website functionality).

The ICO, which has the ability to impose penalties as high as £500,000, has taken an openly lenient approach to enforcement because of the difficulties that UK companies are facing to ensure compliance. According to Dave Evans, group manager at the ICO, if a company can show that it has “taken some steps already” or that “they’ve got a realistic plan at the end of which they’ll be able to say they’ve achieved compliance” the ICO will not pursue monetary penalties.

It will be interesting to follow how UK companies work to comply with the new cookie law and develop their consent policies and cookie notices over the next few months.


-Julian Flamant

Leave a Reply

Privacy Calendar

all-day 6th Biannual International Surveillance & Society Conference
6th Biannual International Surve…
Apr 24 – Apr 25 all-day
The 6th Biannual International Surveillance & Society conference hosted by the University of Barcelona and supported by the Surveillance Studies Network is currently calling for [...]
12:00 pm Data Privacy in Education: Ensuring Student Security while Encouraging Innovation in K-12 Education @ Rayburn House Office Building, Room B-354
Data Privacy in Education: Ensur… @ Rayburn House Office Building, Room B-354
Apr 24 @ 12:00 pm – 1:00 pm
The Congressional E-Learning Caucus in cooperation with Into and the National Coalition for Technology in Education and Training presents a luncheon to discuss “Data Privacy [...]
all-day IAPP Europe Data Protection Intensive 2014
IAPP Europe Data Protection Inte…
Apr 29 – May 1 all-day
The IAPP Europe Data Protection Intensive features timely programming centred on the top issues impacting the European data protection community, with a focus on addressing [...]
5:30 pm InSecurity: Race, Surveillance and Privacy in the Digital Age @ New America Foundation
InSecurity: Race, Surveillance a… @ New America Foundation
Apr 30 @ 5:30 pm – 7:30 pm
Now more than ever, digital tools sit at a precarious tipping point, and many question whether they will be used to address pre-existing disparities, [...]
all-day Foreign Intelligence Surveillance in an Era of “Big Data” @ Jacob Burns Moot Court Room, George Washington Law School
Foreign Intelligence Surveillanc… @ Jacob Burns Moot Court Room, George Washington Law School
May 2 all-day
Discussions: Panel 1: Why Do We Conduct Foreign Intelligence Surveillance? What Are the Requirements? Panel 2: Making the Trade-Offs Between Surveillance and Civil Liberties Panel [...]
all-day IAPP Canada Privacy Symposium 2014
IAPP Canada Privacy Symposium 2014
May 7 – May 9 all-day
The IAPP Canada Privacy Symposium is the leading conference for education, debate and discussion of issues that matter most to Canadian privacy and data protection [...]
all-day Privacy Law Scholars Conference (7th Annual) @ The George Washington School of Law
Privacy Law Scholars Conference … @ The George Washington School of Law
Jun 5 – Jun 6 all-day
  UC Berkeley School of Law and The George Washington University Law School will be holding the seventh annual Privacy Law Scholars Conference (PLSC) on [...]
all-day Computers, Freedom, and Privacy 2014 Conference @ Airlie Center
Computers, Freedom, and Privacy … @ Airlie Center
Jun 8 – Jun 10 all-day
Mark your calendars! The 2014 Computers, Freedom, and Privacy Conference will be held June 8-10 at the Airlie Center in Warrenton, Virginia. The Airlie Center [...]

View Calendar