UK

Can you place cookies without consent?

No.

Consent in the UK has a high threshold due to the governing legislation:

  • Privacy and Electronic Communications Regulations (UK PECR);
  • UK GDPR; and
  • Data Protection Act 2018.

These three acts govern the level of consent required to store cookies and online identifiers. Under regulation 6 of UK PECR, consent is required to store cookies and similar technologies on a device.

Please note potential reform to the above laws in the UK, addressed further below.

Are cookie rules (whether specific or within general data protection laws) followed in practice?

Yes.

However, some companies take a risk-based approach and place cookies automatically, before or without obtaining consent.

This is partly because fines for breaches of cookie rules (that don’t relate to personal data) are still covered by UK PECR and, as such, are substantially lower than UK GDPR fines. Again, UK reform is looking to address this. Please see below.

This is becoming an increasingly risky approach given growing consumer awareness of cookie rules. Further, a well-known privacy activist group called ‘None of Your Business’ or ‘NOYB’ has filed multiple complaints with regulators across Europe about website cookie compliance.

Are there any exemptions if consent is required?

Yes. There is the ‘communication’ exemption and an exemption for cookies that are deemed ‘strictly necessary’ (i.e. it must be essential to provide the service requested by the user, e.g. remembering the contents of a user’s shopping basket).

Can you place the following cookies automatically?

  • analytics cookies;
  • advertising cookies; and
  • social media cookies.

No.

Only strictly necessary cookies can be placed without consent. Any other type of cookie requires consent. Please see the horizon-scanning question below for potential future changes.

Are you able to gain consent without a user ticking ‘accept’, i.e., imply consent from a user continuing to browse the site?

No.

Consent must be clearly and actively given (i.e. the user must opt-in). A user just continuing to use the app will not constitute valid consent (i.e. the standard of consent is that of the UK GDPR).

Can you set cookies without a cookie notice?

No.

You should provide more detailed information about cookies in a privacy or cookie policy accessed through a link within the consent mechanism (see next question) and at the top or bottom of your website.

The placement of this link depends on the volume of content on the page: the denser the page, the more appropriate it is likely to be to include the policy link at the top. The ICO’s guidance on cookies sets out that the formatting, position and wording are all key to ensuring the notice’s prominence and that users can find it easily.

If children are likely to access your site, you also need to ensure you comply with the ICO’s Age Appropriate Design Code when positioning and writing your notices.

Can you set cookies without a cookie banner/management tool?

No.

Any consent mechanism you put in place should allow users to have control over all the cookies your website sets, i.e., this must include third-party cookies. Practical points to consider:

  • when you are deciding whether to use a third-party cookie, you should first check whether your consent management tool enables users to control these cookies;
  • when you design and implement a consent mechanism, if a user must visit different websites and take different actions to disable cookies placed on your website, this approach is not compliant with PECR. The user needs to be provided with control over these cookies via the consent management tool;
  • when deciding on which type of tool to use, consider how this affects user experience on desktop versus mobile devices; and
  • electronic consent requests must not be unnecessarily disruptive. As such, you need to consider how to provide clear and comprehensive information without disrupting user experience (and without invalidating consent).

Are you able to use cookie walls?

This is decided on a case-by-case basis, but most likely will not be possible unless it is low risk and unobtrusive.

Examples of where this ‘take it or leave it’ approach will be inappropriate:

  • where the user or subscriber has no genuine choice but to ‘agree’ or ‘accept’ the setting of cookies before they can access an online service’s content, or has to sign up to a service. This is because the UK GDPR says that consent must be freely given;
  • where ‘general access’ is subject to conditions requiring users to accept non-essential cookies. You can only limit certain content if the user does not consent; and
  • if a cookie wall is intended to require, or influence, users to agree to their personal data being used by you or any third parties as a condition of accessing a service, then it is unlikely that user consent will be considered valid.

The ICO set out in their cookie guidance that the key point is that users are provided with a genuine free choice. Consent should not be bundled up as a condition of the service, unless it is necessary for that service.

A cookie wall could be appropriate where the cookies in question facilitate the provision of the service the user explicitly requests. Note that this does not include third-party services such as analytics services or online advertising.

Is the local regulator currently enforcing decisions against breaches of cookie rules?

Yes. There has been a general increase in the number of cookie-related complaints to the ICO in recent years (see here for the exact numbers). The ICO’s stated cookie-related regulatory priorities are unlikely to cover uses of cookies where there is a low level of intrusiveness and a low risk of harm to individuals, for example first-party cookies used for analytics purposes where these have a low privacy risk, or cookies that merely support the accessibility of sites and services. When reviewing complaints, the ICO will also consider whether users were informed about the cookies in question and provided with clear details of how to make choices.

The ICO announced in November 2023 that it had warned the UK’s top websites to make cookie changes (press release here). In particular, the ICO highlighted that some websites do not provide a fair choice to users over whether or not to be tracked for personalised advertising. The ICO also provided a follow-up in January 2024, as promised, and confirmed that the response to its call to action had been ‘overwhelmingly positive’. In terms of numbers, it contacted 53 organisations, 38 of which made the required changes to reach compliance, with a further four committing to reach compliance within the next month. The ICO also commented on the ‘ripple effect’ this call to action has had, with other organisations taking compliance steps without receiving a letter. The ICO is now writing to ‘the next 100’ and does not intend to stop there. The ICO also plans to roll out an AI solution to help it identify non-compliant website cookie banners.

Are there any current consultations relating to ad tech/cookies?

No, although the ICO’s AdTech investigation first launched in 2019 continues.

Are there any anticipated changes to the rules and/or have there been changes to the attitudes in the market (for example, case law or industry body decisions)?

Yes.

The new Data Protection & Digital Information (No. 2) Bill (the “Bill”) was introduced on 8 March 2023. It replaced the earlier Data Protection & Digital Information Bill, which had been introduced in the summer of 2022 but had been placed on pause.

The Bill introduces exemptions from the cookie consent requirement. These are to be provided for situations deemed to pose a lower risk to user privacy. These include processing:

  • solely for the purpose of analytics, carried out with a view to improving the website or information society service;
  • to optimise content display, or to reflect user preferences about content display. For example, adjusting content to suit screen size;
  • solely to update software, or necessary for security purposes – so long as privacy settings are not altered and there is an ability for the subscriber or user to disable or postpone the update, or to remove or disable the software.

The ICO’s enforcement powers under ePrivacy are currently tied to the Data Protection Act 1998, so penalties are capped at £500,000. This anomaly is addressed in the Bill: enforcement powers under the UK GDPR and the Data Protection Act 2018 will apply to ePrivacy breaches. As such, breaches could attract the higher maximum penalty cap of £17.5mn (i.e., €20mn) or 4% of worldwide turnover, whichever is higher.