“Common sense, not box-ticking”. The UK Government, led by Culture Secretary Oliver Dowden, has recently announced its first plans to depart from the EU’s data protection regulation (GDPR), and the first item on the agenda is cookies. The above quote, given by Mr Dowden, certainly suggests that the UK views the current cookie regime as pointless bureaucracy and intends to replace the current laws with a more light-touch approach.
What are cookies?
A cookie is a small text file that is downloaded onto a computer, smartphone, or other device when a user accesses a website. It allows the website to recognise that user’s device and store information about the user’s preferences or past actions (amongst other things).
The current regime
Everyone is familiar with the notices that seem to be thrown up whenever you visit a website, asking for agreement to use cookies.
The current cookie laws are primarily set out in The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). The PECR rules regarding cookies are not overly prescriptive, but state that anyone who stores or collects cookies must:
- inform individuals that cookies are being collected;
- provide clear and comprehensive information about the purposes of the storage of, or access to, those cookies; and
- get the individual’s consent to store a cookie on their device (for which pre-ticked consent boxes are prohibited).
Processing of cookie data is also subject to the general data protection rules set out in the version of the GDPR retained in UK law, the UK GDPR.
PECR does not set out exactly what information must be provided or how to provide it. The only requirement is that it must be “clear and comprehensive” information about which cookies are used and their purposes.
The risks of the current regime
The most obvious risk of the current regime is that a majority of businesses are not fully complying with applicable laws (likely because they do not understand their obligations). Whilst most businesses now have a generic cookie pop-up notice on their website, most of those notices (i) do not contain the required information or are inaccurate in the information they provide, (ii) assume pre-approved consent from the user or even begin to collect cookies before consent is given, or (iii) do not provide users with the option to reject cookies at all.
A number of websites collect cookie data without consent (either doing so before consent is given, or continuing to do so even after a user has opted-out) because the right processes are not in place.
Whilst the penalty for doing this on one occasion is relatively minimal, the likelihood is that if a business has committed such a breach once, they will have done so multiple times (for which the potential liability could be much larger).
We have seen an uptick in consumer cases against websites that fail to comply with cookie law, in which consumers seek damages for breaches of applicable privacy law. The case of Halliday v. Creation Consumer Finance Limited[1] is often cited by consumers as authority that they are entitled to nominal damages of £750 for a data protection breach causing distress. Many consumers rely on this precedent to claim that placing non-essential cookies on their devices has caused them distress. Regardless of the statements from the Government, the law will take a while to change, and in the meantime it is important for businesses to ensure their website is compliant.
A positive change?
Against this background, the more common-sense approach championed by the Government may be welcomed as a positive change.
So how might the Government look to change the cookie regime?
- There is unlikely to be radical reform. If the Government wishes to maintain an open data border between the UK and the EU, then the UK is reliant on the EU granting an adequacy decision in favour of the UK. This means that individuals’ rights must be (in the view of the EU) at least as protected under UK data laws as they are under EU law.
- An end to the cookie consent pop-ups appearing on most websites. Mr Dowden confirmed this in his comments, stating that "high risk" sites would still need similar notices, but that many of them are "pointless".
- Other proposals could see users selecting certain cookie preferences on their device, which are then automatically applied on each website they visit.
The UK could push for an approach more akin to that taken in the USA. This could mean, for example, that once collected, cookies could be used for purposes other than those for which they were originally collected, or even for automated processes (both of which would be restricted under current laws). In theory, this could mean that the list of websites a user or device has visited could be transferred (or sold) to third parties, including advertising companies or insurance companies, or even used by AI to make decisions about an individual (for example, whether to accept an individual for certain insurance policies).
In either case, cookie reforms will provide a litmus test for how the UK intends to treat data protection and should be carefully observed by users and businesses alike.
[1] [2013] EWCA Civ 333