UK cookie law explained

In July 2019, after admitting non-compliance with the previous guide, the UK Information Commissioner Officer (ICO) published updated guidance to provide greater clarity to businesses grappling with how the EU General Data Protection Regulation (GDPR) applies to cookies. The focal point of cookies is consent, for which not only the ICO but also the European Union Court of Justice (CJEU) put more stringent requirements in place. This article attempts to provide a clear summary for UK businesses of what must be respected when setting cookies on websites.

What is cookie law?

In the UK, the so-called cookie law comprises the Privacy & Electronic Communications Regulation (PECR), which implements the EU e-Privacy Directive (2002), and the complementary data protection rules envisaged in the UK Data Protection Act (DPA) and the GDPR. A UK business that intends to set cookies has to consider the PECR first but must not disregard the privacy rules of the GDPR. The law requires companies to seek consent from users before they set cookies and store or retrieve personal data. Likewise, it gives users the right to refuse the use of cookies for which businesses must make technically possible.

As prescribed by UK cookie law, businesses must have a sound legal basis to process data concerning cookies online. Accordingly, a possible legal basis for setting cookies is either obtaining the user’s valid consent or a legitimate interest (Art. 6 (1) GDPR). However, the ICO emphasises that in most circumstances, a legitimate interest is not the appropriate lawful basis. It repeats that cookies that are merely helpful or convenient, but not essential ─ or only essential for your own purposes ─ will still require consent. Therefore, businesses must be aware that they are required to obtain consent for almost all cookies, unless an exception to the consent requirement applies, as provided by Regulation 6 (4) PECR.  The two exceptions to consent, in which a legitimate interest can provide a sufficient legal basis, are the following situations.

  • Firstly, the consent requirement does not apply to the technical storage of, or access to, information for the sole purpose of carrying out the transmission of a communication over an electronic network. This exception refers to the “communication exemption”, meaning that for a communication to take place over a network, the communication “endpoints” must be identified to enable information routing over a network. The communication must be impossible without the use of the cookie.
  • Secondly, no consent is required where storage or access is strictly necessary for the provision of a service requested by the user, i.e., “strictly necessary” cookies that are essential for the technical functioning of a website. For instance, a cookie is used to remember the goods a user wishes to buy when they go to the checkout or add goods to the shopping basket. In this case, the use of cookies is considered strictly necessary from the user’s perspective.

How to comply with cookie law?

Generally speaking, when a business wants to use cookies, it must explain the type of cookie, provide information about the purpose and obtain the data subject’s consent to use them.

UK cookie law does not provide for a definition of consent on its own and hence adopts what is provided in the GDPR. Accordingly, consent means any freely given, specific, informed and unambiguous indication of a data subject, by way of statement or clear and affirmative action, that he or she agrees to the processing of personal data related to him or her.

Explicitly, valid consent means that it must be freely given, which implies giving people genuine choice and control over how businesses use their data. As affirmed by the ICO, companies must be aware that a full cookie wall, requiring users to “agree” or “accept” the setting of cookies before they can access the website’s content, is unlikely to represent freely given consent. The key is that users must be provided with a genuinely free choice. For that reason, consent should not be bundled up as a condition of the service unless it is considered necessary.

Furthermore, consent should be distinct and requires a positive action to opt-in, for instance, ticking a box or clicking a link. So-called “implied consent”, namely to interpret the continued use of a website as consent, cannot be considered valid as it does not amount to a clear and affirmative action. For the same reason, “pre-checked boxes” are invalid, as confirmed by the CJEU and the ICO.

Individuals must be informed comprehensively and clearly about the cookies in advance. Specifically, the information must cover the controller’s name, the purposes of the processing and the types of the processing activity. Most importantly, users should be able to understand the potential consequences of consenting to cookies. Among other things, businesses must explain the storage duration and who has access to which information. The language and level of details must be appropriate to be fully comprehensible. If third party cookies are used, they must be named and the processing purposes elaborated.

Recommendations for UK businesses

Businesses must take some conscious steps to ensure compliance with cookie regulations. Firstly, it must ensure that for all cookies placed on the website that do not fall within the scope of the “strictly necessary” or “communication” exemption, valid consent exists before personal data is processed. Businesses are recommended to further follow the guidelines and developments on the ICO’s website. Please also note Art. 5 (2) in the GDPR that refers to accountability and requires businesses to demonstrate compliance with data protection rules. Therefore, we advise companies to keep evidence of the measures taken to comply with the GDPR and put in place technical and organisational measures to guarantee compliance.

Make data protection your competitive advantage. Our UK data protection support will help you!

Leave a Reply

Your email address will not be published. * Required fields.

Netiquette: We do not tolerate grossly unobjective contributions or advertising on our own behalf and will not publish corresponding entries but delete them. I have been informed about the processing of my data according to the privacy policy of