UK Cookie Law explained
Posted: April 19, 2023
What is UK Cookie Law?
Cookies and GDPR in the UK
After Brexit, the UK Data Protection Act, together with the UK GDPR and Privacy and Electronic Communications Regulations (PECR), governs the data protection landscape of the UK, including cookie law.
Because the UK GDPR mirrors the EU version almost word-for-word (apart from provisions on national intelligence and security), cookie-related requirements for businesses handling the personal data of UK individuals are the same as under the EU GDPR.
Provisions about cookies under the Data Protection Act are the same as those under the UK GDPR and EU cookie laws.
PECR contains clauses similar to its EU counterpart (the ePrivacy Directive). It requires websites to provide users with clear and concise information about cookies and explain what they do and their purposes. Additionally, websites must obtain prior consent from users before placing cookies on their devices. The consent given by users must be freely given, explicit, and withdrawable.
For failing to comply with PECR, the Information Commissioner’s Office can impose a fine of up to £500,000.
Respecting the privacy rights of individuals is critical, and that’s why cookies are not something to get away with easily. Penalties by enforcement agencies can serve as a valuable reminder to follow the rules related to cookies. It’s important to note that the above is not exhaustive, and the data protection landscape is ever-changing. It’s crucial for organizations to stay updated on the laws governing cookies in the territories in which their business operates, to follow best practices to develop trust with customers, and to carry out operations with integrity and respect.
What is the UK Data Protection Act 2018?
The UK Data Protection Act 2018 is a key piece of legislation governing the processing of personal data in the UK. It aligns with the EU’s GDPR and sets out principles for fair and transparent data processing.
The Act defines individuals’ rights regarding their personal data, outlines responsibilities for data controllers and processors, mandates the appointment of Data Protection Officers in certain cases, and establishes enforcement measures through the Information Commissioner’s Office (ICO).
Its main aim is to protect individuals’ privacy while ensuring the lawful and responsible handling of personal data by organizations.
Who does the UK Data Protection Act 2018 apply to?
The UK Data Protection Act 2018 applies to a wide range of entities involved in the processing of personal data within the United Kingdom. This includes:
- Businesses and organizations based in the UK
- Overseas entities processing data in the UK
- Data controllers
- Data processors
- Public authorities and government agencies
- Employers
Overall, the UK Data Protection Act 2018 applies broadly to any entity that processes personal data within the UK, regardless of its size, sector, or location. It aims to ensure the protection of individual privacy rights and the responsible handling of personal data by organizations.
What does the UK Data Protection Act 2018 cover?
The UK Data Protection Act 2018 covers various aspects, including:
- defining personal data
- outlining data protection principles
- specifying data subject rights
- delineating responsibilities of data controllers and processors, requiring the appointment of Data Protection Officers in certain cases
- regulating legal bases for processing, overseeing international data transfers
- establishing enforcement measures through the Information Commissioner’s Office (ICO).
Overall, the Act aims to ensure individuals’ privacy rights are protected and that organizations handle personal data lawfully, fairly, and transparently.
The UK Data Protection Act 2018 and the Use of Cookies
The UK Data Protection Act 2018 plays a significant role in regulating the use of cookies on websites operating within the United Kingdom. Under the Act, cookies are considered personal data if they can be used to identify an individual directly or indirectly.
Website operators must comply with data protection principles when using cookies, including obtaining users’ consent before setting non-essential cookies via a cookie banner. This requirement aligns with EU cookie law (ePrivacy Directive), which mandates informed consent for the use of cookies.
The Act requires website operators to provide clear and comprehensive information about the types of cookies used, their purposes, and how users can manage their cookie preferences. Additionally, users must have the option to give or withdraw consent easily.
Failure to comply with cookie consent requirements can result in enforcement actions by the Information Commissioner’s Office (ICO), including warnings, fines, or other sanctions.
How to comply with the cookie law?
What does the cookie law require?
The Privacy and Electronic Communications Regulations (PECR) 2003, amended by the UK Data Protection Act 2018, established stringent requirements regarding the use of cookies on websites and digital platforms. Under these regulations, website operators are mandated to adhere to several key principles governing the use of cookies.
Website operators must obtain explicit consent from users before setting non-essential cookies on their devices. This consent must be fully informed, freely given, specific, and based on clear affirmative action from the user. Additionally, operators are obligated to provide transparent and comprehensive information regarding the types of cookies utilized, their intended purposes, and instructions on how users can manage their cookie preferences. This information must be easily accessible and presented in a user-friendly manner to ensure clarity and understanding.
Accessible mechanisms are also required for users to control their consent for cookies. This may involve implementing a cookie banner or pop-up to allow users to accept or reject cookies, as well as providing settings or preferences pages where users can easily manage their cookie preferences.
While certain types of cookies may be exempt from the requirement to obtain explicit consent, such as those strictly necessary for website functionality, operators must still provide users with information about these cookies. Enforcement of cookie consent requirements falls under the purview of the Information Commissioner’s Office (ICO), which has the authority to take enforcement actions, including warnings, fines, or other penalties, against non-compliant operators.
Who needs a cookie policy?
Having a clear and comprehensive cookie policy is crucial for anyone operating a website or digital platform in the UK that utilizes cookies or similar tracking technologies. This requirement extends to businesses of all sizes, including corporations, SMEs, startups, non-profit organizations, government agencies, and even individual website owners.
This policy serves as a vital tool for informing visitors about the types of cookies employed, their purposes, and how users can manage their cookie preferences. A well-crafted cookie policy helps build trust with users and demonstrates your commitment to safeguarding their privacy rights.
Which cookies do you need consent for?
Obtaining consent for the use of certain cookies is a fundamental aspect of UK website compliance. Specifically, consent is required for non-essential cookies, which are cookies that aren’t strictly necessary for a website’s basic functioning. These cookies can serve purposes like analytics, advertising, and personalization.
They play a vital role in enhancing user experience and providing valuable insights for website operators. However, their usage must be transparent and subject to user consent.
Examples of cookies that typically necessitate consent include:
- Analytics cookies
- Advertising cookies
- Personalization cookies
- Social media cookies
While these cookies offer valuable functionalities, their use requires explicit consent from users to ensure transparency and respect for their privacy rights.
Conversely, cookies that are strictly necessary for a website’s core functionalities, such as those used for authentication and session management, generally do not require consent. Website operators must still provide clear information about these cookies in their cookie policies to ensure transparency.
By understanding the distinctions between essential and non-essential cookies and obtaining informed consent for the latter, website operators can foster trust with users while ensuring compliance with data protection regulations.
Is cookie consent by scrolling allowed under UK law?
In short, cookie consent by scrolling alone is generally not considered sufficient to demonstrate valid consent for the use of non-essential cookies in the UK.
As per the requirements from PECR and GDPR, scrolling through a webpage or website content does not typically meet the standard of clear affirmative action required for valid consent. Instead, users must actively opt-in or take some other deliberate action to indicate their consent to the use of cookies.
Failure to obtain valid consent for the use of non-essential cookies may result in enforcement actions by the Information Commissioner’s Office (ICO) or other regulatory authorities, including fines or other sanctions. Therefore, it’s essential for website operators to ensure that their cookie consent mechanisms comply with the requirements of UK data protection law. You can access a free cookie audit via Cassie here.
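The consent rules described in "What does the cookie law require?" and in this section (explicit opt-in before any non-essential cookie is set, no consent needed for strictly necessary cookies such as session and authentication cookies, scrolling is not consent, and consent must be easy to withdraw) can be modelled as a small consent gate. The block below is an added example written for this article; it is not Cassie’s code or any product’s API. The cookie names, categories and purposes are constructed for illustration, and a real site would wire the events to its banner buttons and the outputs to actual cookie-setting and deletion calls.

```javascript
// Added example: a consent gate modelling the PECR / UK GDPR rules above.
// Not Cassie's code; the cookie registry below is constructed for illustration.

// Constructed cookie registry. "essential" cookies (session, CSRF) need no
// consent; the other categories are the non-essential ones the article lists.
const COOKIE_REGISTRY = [
  { name: "session_id",  category: "essential",       purpose: "Keeps you signed in during your visit" },
  { name: "csrf_token",  category: "essential",       purpose: "Protects forms against cross-site request forgery" },
  { name: "_ga_example", category: "analytics",       purpose: "Measures page usage" },
  { name: "ad_profile",  category: "advertising",     purpose: "Selects ads based on browsing" },
  { name: "theme_pref",  category: "personalization", purpose: "Remembers your layout choices" },
  { name: "social_share", category: "social",         purpose: "Enables social media share buttons" },
];

const NON_ESSENTIAL = ["analytics", "advertising", "personalization", "social"];

// Consent starts as "not given" for every non-essential category.
function createConsentState() {
  const state = {};
  for (const c of NON_ESSENTIAL) state[c] = false;
  return state;
}

// Apply a user event and return the new state. Only an explicit "accept"
// grants consent; "reject" and "withdraw" revoke it. Scrolling, closing the
// banner or continuing to browse are deliberately no-ops, because they are
// not the clear affirmative action the regulations require.
function applyEvent(state, event) {
  const next = { ...state };
  const cats = event.categories || NON_ESSENTIAL;
  switch (event.type) {
    case "accept":
      for (const c of cats) {
        if (!NON_ESSENTIAL.includes(c)) throw new Error(`unknown category: ${c}`);
        next[c] = true;
      }
      return next;
    case "reject":
    case "withdraw":
      for (const c of cats) next[c] = false;
      return next;
    default:
      return next; // scroll, close, etc. leave consent unchanged
  }
}

// Cookies the site may set under the current consent state.
function permittedCookies(state) {
  return COOKIE_REGISTRY
    .filter((ck) => ck.category === "essential" || state[ck.category] === true)
    .map((ck) => ck.name);
}

// After a withdrawal the site must delete cookies it may no longer hold,
// not merely stop setting new ones. Returns the names to clear.
function cookiesToClear(state, currentlySet) {
  const allowed = new Set(permittedCookies(state));
  return currentlySet.filter((name) => !allowed.has(name));
}

// The disclosure the article says every cookie needs, essential ones included.
function policyEntries() {
  return COOKIE_REGISTRY.map((ck) => ({
    name: ck.name,
    category: ck.category,
    purpose: ck.purpose,
    consentRequired: ck.category !== "essential",
  }));
}

// A typical visit: scroll (no effect), accept analytics only, then withdraw.
function demo() {
  let s = createConsentState();
  s = applyEvent(s, { type: "scroll" });
  const beforeConsent = permittedCookies(s);          // essential cookies only
  s = applyEvent(s, { type: "accept", categories: ["analytics"] });
  const afterPartial = permittedCookies(s);           // now includes _ga_example
  s = applyEvent(s, { type: "withdraw" });
  const toClear = cookiesToClear(s, ["session_id", "_ga_example"]);
  return { beforeConsent, afterPartial, toClear };
}

console.log(JSON.stringify(demo(), null, 2));
```

The design point is that consent is granted only by the `accept` branch, so any banner built on this gate cannot accidentally treat a scroll or a dismissed banner as opt-in, and `cookiesToClear` makes withdrawal take effect on cookies already on the device rather than only on future ones.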
Identify and understand your visitors with Cassie’s cookie solution
If you have multiple websites and digital platforms, then Cassie is the cookie management system for you.
Cassie specializes in cross-domain and cross-device consent, so you can collect visitors’ consent across multiple subdomains.
Choose Cassie for the most flexible cookie solution on the market and get a deeper insight into your visitors.
Flexible for global operations
Cassie’s multi-lingual and jurisdictional cookie module will ensure you always align with the various regulations.
Why clients choose Cassie for their compliance needs
We are experts at helping global businesses achieve compliance while building long-term customer relationships.
We ensure we always stay current with any and all legislation changes. Our unparalleled knowledge of global legislation gives us the ability and confidence to anticipate if and how any new legislation could impact you.
Cassie makes sure that when you are compliant, you stay compliant.
Read our comprehensive Cookies guide
Are you aware that a significant number of organizations are still not compliant with cookies, and 68% of the most-visited websites have failed GDPR compliance tests? Consumers demand more from the brands they engage with. Ensure your brand stands out by making informed decisions about your cookie policy that keep you compliant and elevate the customer experience.