Cookies under the UK's Privacy reforms: What's changing?
Posted: March 18, 2023
The UK government claims that its new data protection and privacy reforms will “reduce annoying cookie pops-up (sic)”, “cut down pointless paperwork”, and “unlock £4.7 billion in savings” over the next ten years.
Legally compliant cookie banners should not be “annoying”—but many websites implement cookie consent intrusively. Will the proposals really make a difference? And how should businesses prepare for the changes?
This article will explain how the UK’s data protection and privacy reforms could change the cookie landscape.
The current state of play
In the UK, two laws regulate cookies:
- Privacy and Electronic Communications Regulations (PECR) 2003. This is the UK’s implementation of the EU ePrivacy Directive.
- UK General Data Protection Regulation (UK GDPR). The UK GDPR is the EU GDPR enshrined in UK law, with some minor (mostly cosmetic) changes implemented since Brexit.
The UK plans to reform PECR and the GDPR via the Data Protection and Digital Information Bill (DPDIB).
The DPDIB was first introduced to the UK’s parliament last summer. The bill was paused, and a new version (the DPDIB No. 2) was introduced on 8 March.
Overview of the current cookie rules
The current cookie rules in the UK are largely the same as in EU member states. Here’s an overview.
- Under PECR, you generally need consent to “store” or “gain access to information stored” on a “subscriber or user’s terminal equipment” (user’s device).
- This covers cookies, pixels, or any other technology that can store or access information on a user’s device. As a shorthand, we’ll generally use “cookies” to cover these technologies.
- You must also provide users with “clear and comprehensive information” about how you use cookies.
- There are two types of cookies that don’t require consent. We’ll call these “essential cookies”. They are:
  - Cookies used “for the sole purpose of carrying out the transmission of a communication…”
  - Cookies that are “strictly necessary (to provide a) service explicitly requested by the user…”
- Other cookies, namely those used for analytics and marketing, generally require consent.
- The UK GDPR sets the standard of consent. Consent must be:
  - Freely given
  - Specific
  - Informed
  - Unambiguous
  - Given via a clear, affirmative action
  - Easy to withdraw.
That brings us up to date. Now let’s look at how the UK government proposes to change these rules.
Clarification of the ‘strictly necessary’ exception
The UK’s DPDIB would leave the basic function of PECR intact: cookies would still require notice, and would still require consent unless they fall under an exception.
But the bill adds some examples of activities that might fall under the “strictly necessary (to provide) a service explicitly requested by the user…” exception at PECR Regulation 6(4)(b).
This means that cookies used for the following activities would explicitly not require consent:
- Protecting information provided by the user.
- Ensuring the security of the user’s device.
- Preventing or detecting fraud.
- Preventing technical faults.
- Enabling the automatic authentication of the user.
- Maintaining a record of the “selections made on” or “information put into” a website by the user.
These examples are presented in the bill as non-exhaustive and illustrative.
Note that in each case, the cookie must be “necessary” for an activity relating to the provision of the service requested by the user.
For example, a cookie that authenticates a user who is logging into their online bank account might fall under this exception. But a cookie that authenticates a user’s identity for a service that the user has not requested would not fall under this exception.
New consent exceptions
In addition to the above clarification of the existing cookie consent exceptions under PECR, the DPDIB adds new purposes for which website and app operators can access or store information on users’ devices without consent.
There are four new exceptions that relate to:
- Analytics
- UX
- Software updates
- Emergency assistance
There’s also a process whereby the government can add new exceptions to the list via regulation.
Here’s a closer look at each new exception.
Analytics
Under the DPDIB, you would not require consent to set analytics cookies under certain conditions.
The bill emphasises that the “sole purpose” of accessing or storing information on a person’s device (e.g. via a cookie) must be to “make improvements” to a service or website.
You may not share information collected from the device, except for the purpose of making improvements to the service or website.
You must give users “clear and comprehensive information” about your analytics programme and allow them to opt out.
UX
The DPDIB does not require consent for certain types of UX (user experience) cookies.
In this case, the “sole purpose” of accessing or storing information on a person’s device must be either:
- Enabling the appearance of a website to adapt to the user’s preference, or
- Enabling the enhancement of a website’s appearance on a device.
You must give users “clear and comprehensive information” about the relevant cookies and allow them to opt out.
This consent exemption is intended to enable features such as “responsive design”, i.e. using cookies that collect device information to enable a website to adapt to different screen sizes, etc.
Software Updates
The DPDIB would enable the auto-updating of apps without consent, under certain conditions. This exception doesn’t relate to cookies per se—like the other exemptions, this is about “storing or accessing information” on a user’s device.
This exemption only covers updates required to ensure a device’s security. The update must not alter a user’s privacy settings.
You must give people “clear and comprehensive information” about the update and enable them to opt out of auto-updates. The user must also be able to postpone the update, and to disable or uninstall the update after it has taken place.
Emergency Assistance
If a user sends a communication requesting emergency assistance, the recipient of that communication does not require consent to access the user’s device location to provide emergency assistance.
Again, this exception does not relate to cookies as such, but to “accessing information” on a user’s device.
Automatic consent mechanism
The DPDIB aims to facilitate a “universal consent and opt-out” mechanism that can be installed on a device or browser to signal a user’s cookie preferences across websites automatically.
Similar provisions appear in several of 2023’s new US state privacy laws, and in the EU’s proposed ePrivacy Regulation.
This universal consent and opt-out mechanism does not exist yet—it would be recognized by the government via regulation.
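As an added illustration (not code from the article, the bill, or any particular consent-management product), here is a fail-closed consent gate in JavaScript that maps each cookie purpose onto the three categories described above (strictly necessary, analytics/UX with opt-out, and everything else requiring consent) and also honours a device-level opt-out signal of the kind the bill anticipates. The purpose names, the user-state shape and the `universalOptOut` flag are assumptions for illustration.

```javascript
const COOKIE_POLICY = {
  // PECR 6(4)(b) "strictly necessary" examples listed in the bill: no consent, no opt-out.
  session_auth: "strictly_necessary",
  fraud_detection: "strictly_necessary",
  form_state: "strictly_necessary",
  // New DPDIB analytics/UX exceptions: no prior consent, but an opt-out must be honoured.
  site_analytics: "opt_out",
  display_prefs: "opt_out",
  // Anything else (marketing, cross-site tracking) still needs UK GDPR-standard consent.
  ad_tracking: "consent",
};
// user = { consents: Set<purpose>, optOuts: Set<purpose>, universalOptOut: boolean } (assumed shape)
function cookieDecision(purpose, user) {
  const basis = COOKIE_POLICY[purpose];
  if (basis === undefined) {
    return { allowed: false, reason: "unknown purpose: fail closed" };
  }
  if (basis === "strictly_necessary") {
    return { allowed: true, reason: "strictly necessary exception" };
  }
  // A browser/device-level opt-out signal overrides site-specific state for all non-essential cookies.
  if (user.universalOptOut) {
    return { allowed: false, reason: "universal opt-out signal" };
  }
  if (basis === "opt_out") {
    return user.optOuts.has(purpose)
      ? { allowed: false, reason: "user opted out" }
      : { allowed: true, reason: "analytics/UX exception, opt-out honoured" };
  }
  // basis === "consent": only an affirmative, specific consent record permits the cookie.
  return user.consents.has(purpose)
    ? { allowed: true, reason: "explicit consent" }
    : { allowed: false, reason: "no consent recorded" };
}

// Gate the cookies a response wants to set; blocked ones are returned for audit logging.
function gateSetCookies(cookies, user) {
  const allowed = [], blocked = [];
  for (const c of cookies) {
    const d = cookieDecision(c.purpose, user);
    (d.allowed ? allowed : blocked).push({ ...c, reason: d.reason });
  }
  return { allowed, blocked };
}
// Constructed sample: a user who opted out of analytics and consented to nothing.
const sampleUser = { consents: new Set(), optOuts: new Set(["site_analytics"]), universalOptOut: false };
const sampleCookies = [{ name: "sid", purpose: "session_auth" }, { name: "_ga", purpose: "site_analytics" },
  { name: "theme", purpose: "display_prefs" }, { name: "adid", purpose: "ad_tracking" }, { name: "x", purpose: "legacy" }];
const result = gateSetCookies(sampleCookies, sampleUser); // allowed: sid, theme; blocked: _ga, adid, x
```

The `blocked` list with its reasons is what you would write to an audit log to demonstrate that opt-outs and the absence of consent were actually honoured.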