Anyone regularly browsing the web or visiting a website will have noticed a pop up or banner asking you to consent to the use of cookies. Sometimes these banners may say that by continuing to browse you are deemed to consent to the placing of cookies, some require you to tick a box to consent and others give you access to a control panel giving the option to turn on (or off) different kinds of cookies. The more technically minded may be used to applying the settings available in browsers to choose which cookies are set and, of course, there are those websites that do nothing at all.

These different choices are dictated by the changing nature of the law and guidance on cookies. Whether you think that these various banners, or pop-ups are simply getting in the way of the browsing experience or are a necessary weapon in the fight to maintain your privacy in a digital environment, cookie laws have very much become a thing in the digital age.

In this blog we shall consider the position of cookies under the current laws, take a closer look at the recent cases of non-compliance involving tech industry giants, and provide some practical tips for compliance.

What does the law say?

The General Data Protection Regulation (EU) 2016/679 (GDPR) and the Privacy and Electronic Communications Directive (2002/58/EC) (e-Privacy Directive) are the main legal regimes that regulate the setting of cookies. Each of these regimes has either been implemented into the domestic law of each EU member state or is directly applicable in each member state, so the rules are fairly uniform across the EU.

The UK is no exception – following Brexit the UK has adopted the EU GDPR into its own domestic law referring to it as the UK GDPR. This is complemented by the Data Protection Act 2018. The e-Privacy Directive, implemented into the UK’s Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) adds to the general data protection regime and sets out more specific privacy rights on electronic communications.

The main principle of the e-Privacy Directive is that a user’s consent must be obtained before any non-essential cookies are placed on the user’s device. Such request for consent must be accompanied by clear information about the purpose for which the cookies are used and for how long these cookies are going to be in place.

The e-Privacy Directive adopts the UK GDPR’s definition of consent, meaning that whenever non-essential cookies are placed on a user’s device, the user’s consent must be specific, informed, unambiguous and freely given. Once valid consent has been given, it must also be easy to withdraw. In other words, out go pop-ups or banners that simply say that by continuing to browse you are deemed to consent; a positive act, such as ticking a box or changing a browser setting, is now required.

There are two exemptions from obtaining the user’s consent, which apply when:

  • the cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  • the cookie is strictly necessary to provide an ‘information society service’ requested by the subscriber or user.

Any variations from the above will require the user’s consent.

Is there any helpful guidance?

To assist organisations with their navigation of the data protection laws, the UK’s Information Commissioner’s Office (ICO) has issued guidance on the use of cookies. It can be accessed here.

Website owners were encouraged to carry out cookie audits to assess the compliance of their cookie practice with applicable law and regulatory guidance.

The French data protection authority, Commission nationale de l’informatique et des libertés (CNIL), has also issued regulatory guidance on cookies. This requires organisations to:

  • Provide two clear buttons of equal prominence labelled “accept all” and “refuse all”;
  • Retain the fact that a particular user has opted out for a certain period of time, with six months suggested as best practice; and
  • Where a cookie allows the user to be tracked on multiple websites, obtain consent on each of the relevant websites to ensure that the user is fully aware what their consent is for.

Guidance from the ICO and CNIL is very useful when assessing your compliance with cookie laws. As the examples below show, non-compliance with cookie laws can be quite costly.

Does it really matter?

Failure to comply with the e-Privacy Directive carries with it a maximum fine of £500,000. Although this may sound like a hefty amount of money, fines for serious breaches of UK GDPR are even higher – up to 4% of a company’s annual global turnover, or £17,500,000, whichever is greater. There have been relatively few examples of enforcement cases around cookie laws, but the data protection authorities are no doubt willing to enforce the laws and will not hesitate to issue fines for failure to comply.

In December 2020, CNIL in France issued fines in excess of €10 million to Google LLC and Meta Platforms, Inc. (formerly Facebook, Inc.) for their failure to obtain the users’ consent before setting advertising cookies, as well as failing to provide users with adequate information about the use of cookies and failure to implement a fully effective opt-out mechanism to allow users to refuse cookies.

Although the issues were resolved after CNIL’s investigation, the damage had already been done and could have been avoided if adequate measures to obtain valid consent had been put in place.

Any practical tips for complying with the cookie laws?

If your business is using cookies and you want to make sure you are compliant, you should follow these practical steps:

  • Regularly update your cookie policy to include detailed information on the essential and non-essential cookies that you are using. This must include the duration that each cookie is set for, who is setting it and why it is being set.
  • Be aware of what cookies your site is setting by carrying out checks and audits. You cannot get valid consent if you do not know what cookies you are using.
  • Most cookies (including cookies set for marketing, tracking and analytical purposes) will be non-essential and require consent. This consent must be obtained before the user starts to browse your site.
  • Make sure that the consent mechanism you use provides the required information on cookies by linking to a cookie policy and has a clear description of what it is for.
  • Ensure that you obtain the user’s consent by making them tick a box labelled “I accept” or similar. Avoid at all costs having pre-ticked boxes or simply saying that by continuing to browse the user is deemed to consent.
  • Check that your banners or pop-ups are equally visible from different devices – what works on a laptop may not work on a mobile phone or a tablet.
  • Avoid influencing the user’s decision to accept by using the words “Agree” or “Allow” in more prominent font or making them appear more prominent than “Reject” or “Block”.
  • You can obtain consent through browser settings, but you cannot assume that each visitor to your site will know how to do this, and generally you can only rely on browser settings where the visitor has actively amended the settings or controls (rather than doing nothing or leaving pre-configured settings in place).
  • The user shall be entitled to “opt out” from using cookies at any time. This can be done in any number of different ways including by using a control panel or through changing browser preferences.
  • Where your website uses both cookies you set (first party cookies) and cookies set by other parties (third party cookies) it is your responsibility to obtain consent for all cookies before they are set.
  • Where your website is collecting personal data (whether through cookies or similar technologies) or because you are asking visitors to input information about themselves or others you will also need to give them certain prescribed information contained in a Privacy Notice or Privacy Policy.
  • There is a huge amount of regulation around operating a website, and different rules will apply depending on whether you are operating your site as an e-commerce site, giving visitors the opportunity to create User Generated Content (UGC) or collecting information that you use for marketing. Our website audit provides more details here.
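One way to implement the consent mechanism these tips describe, as an added example that is not code from the post or from the firm: the gate below sets no non-essential cookie until an explicit tick-box choice has been recorded, treats a missing decision as refusal, remembers a choice for six months (the CNIL figure) and makes withdrawal a single call. The category names and the in-memory cookie jar are assumptions made for the example.

```javascript
// Added example, not code from the Edwin Coe post: a minimal consent gate
// applying the rules listed above. Assumptions: three cookie categories
// ("essential", "analytics", "marketing") and an in-memory object standing
// in for the browser's cookie jar.

const ESSENTIAL = new Set(["essential"]);          // exempt categories
const SIX_MONTHS_MS = 182 * 24 * 60 * 60 * 1000;   // CNIL's suggested retention for a refusal

// No decision on record: nothing is pre-ticked and browsing is not consent.
function newConsentState() {
  return { decidedAt: null, granted: {} };
}

// Record an explicit choice from real tick boxes; anything not ticked is refused.
function recordChoice(choices, now = Date.now()) {
  const granted = {};
  for (const [category, ticked] of Object.entries(choices)) granted[category] = ticked === true;
  return { decidedAt: now, granted };
}

// "Refuse all" is one call, as easy as "accept all".
function refuseAll(categories, now = Date.now()) {
  return recordChoice(Object.fromEntries(categories.map((c) => [c, false])), now);
}

// Withdrawal at any time is just a fresh refusal of everything previously decided.
function withdraw(state, now = Date.now()) {
  return refuseAll(Object.keys(state.granted), now);
}

// A decision is current for six months; after that the banner must be shown again.
// (Assumption: the six-month figure is applied to acceptances as well as refusals.)
function needsPrompt(state, now = Date.now()) {
  return state.decidedAt === null || now - state.decidedAt > SIX_MONTHS_MS;
}

// Core rule: essential cookies are exempt; any other category needs current, explicit consent.
function maySetCookie(state, category, now = Date.now()) {
  if (ESSENTIAL.has(category)) return true;
  if (needsPrompt(state, now)) return false;
  return state.granted[category] === true;
}

// Every cookie write goes through the gate; returns whether the cookie was actually set.
function gatedSetCookie(state, jar, name, category, value, now = Date.now()) {
  if (!maySetCookie(state, category, now)) return false;
  jar[name] = value;
  return true;
}
```

In a real site the state object would itself be stored in a first-party cookie or local storage so that the choice (and in particular a refusal) survives across visits.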

If you have any questions or would like to discuss this topic further, please contact Nick Phillips, or any member of the Edwin Coe Intellectual Property team.

Please note that this blog is provided for general information only. It is not intended to amount to advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content of this blog.
