Online data protection under British law

All EU directives on online trade have been implemented in national law. This legal matter is regulated under various UK laws. The following laws apply to online trade:

  • The Electronic Commerce (EC Directive) Regulations 2002 (ENG)
    • This law implements EU Directive 2000/31/EC (“Directive on electronic commerce”) in national legislation.
  • The Privacy and Electronic Communications (EC Directives) Regulations 2003 (PECR) (ENG)
    • This is the UK cookie law.

The Information Commissioner’s Office (ICO) monitors compliance with the PECR and receives complaints from consumers against electronic service providers.

Information requirements for website operators

In accordance with the UK E-Commerce Act, all providers of “information society services” must adhere to a variety of information requirements.

The term “information society services” (also: electronic services) is broadly interpreted and covers, for instance, e-mails (newsletters & adverts), electronic search engines (Google, Yahoo etc.) and social media (Facebook, Twitter, etc.). What is significant for these electronic services is the fact that they are automatically sent and, at the same time, accessible everywhere, i.e. they are cross-border services.

In accordance with Section 6 para. 1 of the UK E-Commerce Act, the following general information must be made available to the users of electronic services.

  • the name of the service provider;
  • the physical address where the service provider is registered;
  • the email address, any other address and other information that allow the service provider to be contacted quickly;
  • the trade register number, if the service provider has been entered into the trade register;
  • if permission is required for the activity, the details of the competent supervisory authority.

In the case of regulated professions, the following information must also be provided:

  • information on the professional association, the chamber or a similar institution that the service provider belongs to;
  • the professional title and the Member State in which it was awarded;
  • a reference to the applicable professional rules and information on how they are accessible.

In cases in which the service provider carries out activities subject to VAT:

  • the identification number in accordance with Article 22 paragraph 1 of the Sixth Council Directive 77/388/EEC dated 17th May 1977 on harmonising the legal provisions of Member States on VAT – Common system of value-added tax: uniform basis of assessment.

If information society services refer to prices:

  • these must be clearly and unambiguously displayed and specifically show if any taxes or shipping costs are included in the price.

The information listed above must be easily recognisable, directly reachable and available at all times.

Web tracking

By means of small text files (i.e. cookies), it is possible to draw conclusions about a natural person and also to save data, depending on the type of file.

The PECR governs the usage of cookies and similar tracking tools (e.g. spyware, web bugs, etc.), which can be stored on the user’s device. For simplicity, only the term cookie is used below. The legal provisions do, however, apply to all tracking tools.

The PECR implements EU cookie directive 2009/136/EC in national legislation.

Information obligation

The PECR prescribes exactly which information must be made available to the user. In addition, the user must receive clear and comprehensive information about the purposes of the storage of, or access to, that information (see Section 6(2)). The declaration is to be drafted in such a way that the user can understand the types of cookies used as well as their purposes.

There are no technical requirements that prescribe how this information must be provided to the user. Therefore, it is up to the website’s owner to develop suitable solutions that meet the above-mentioned obligations.


In accordance with PECR Section 6(1), implied consent (in other words the user’s presumed consent) is sufficient for setting cookies.

The user’s “consent” has the same meaning as in the Data Protection Act (DPA) 1998 (ENG), i.e. consent means any statement of intent given for the specific instance, in awareness of the state of affairs and without duress, with which the data subject accepts that personal data concerning him/her are processed (cf. Section 3 of the Act).

The ICO recommends using pop-ups or banners. Apart from that, consent can be obtained, in principle, by means of a declaration included in the Terms and Conditions. The technical capabilities of the browser settings are not sufficient in the view of the national data protection authority.


PECR Section 6(3) contains exceptions to the above-mentioned rules:

  • saving information or access to information solely for the purpose of carrying out the transfer of a message over an electronic communication network;
  • where this is absolutely necessary so that the provider of an information society service that was explicitly desired by the participant or the user can make this service available (i.e. in connection with internet commerce).

A precondition for these exceptions applying is that the use of cookies is technically necessary. Technically necessary means that the service cannot be provided without the help of cookies. At the same time, there must be a clear connection between the required cookie and the service explicitly desired by the user. Cookies stored on the user’s device without consent may only be used for the above-mentioned purposes. As soon as the information acquired is used for another purpose, the user’s consent must be obtained.


Furthermore, the ICO has published a guide on the use of cookies on its website:

Guidance on the rules on use of cookies and similar technologies