With new data protection legislation coming into effect as early as next year, non-compliance with the rules on cookies could potentially cost businesses a significant amount of money.
The fines for cookie non-compliance are likely to increase to match those for severe breaches of the UK GDPR. It’s therefore more crucial than ever to get your website cookie compliance right. We can help you with such compliance.
What are the rules on website cookies?
Currently, cookies can be split into two camps:
- Necessary Cookies: those which are necessary for the functionality and running of the website; and
- Non-Essential Cookies: those that do not fall under the definition of ‘necessary’, such as analytical tools, social media etc.
Necessary cookies can be automatically switched on, regardless of the website visitors’ preferences. Non-essential cookies and other tracking technologies can only be processed on a user’s device if they have given their explicit consent. Consent must be:
- Freely given
- Specific
- Well-informed (unambiguous); and
- Given by a clear affirmative action such as an opt-in slider or tick box (that is not pre-ticked).
If such consent is not obtained and cookies are processed on the user’s device, you will be in breach of the user’s rights. You will also be in breach if you seek consent, but cookies are processed before, or irrespective of, the user’s consent.
To ensure that your website visitors are well-informed and to fulfill your transparency obligations, you should have a cookie banner (the pop-up that appears when you click on a website to notify you that cookies are used) and a comprehensive cookie policy that details exactly which cookies may be in use, their timeframes/expiry dates etc.
What changes may be coming for website cookie compliance?
At the time of writing, the Data Protection and Digital Information (No 2) Bill is still being considered by Parliament. That said, we can see what it currently looks like. The Bill would make changes to the Privacy and Electronic Communications Regulations 2003 (PECR), relating to confidentiality of terminal equipment (e.g. the rules on cookies), unsolicited direct marketing communications (e.g. nuisance calls), and communications security (e.g. network traffic and location data). For example, the requirement to obtain consent for the use of cookies and other tracking technologies has been removed in circumstances where cookies are used for certain improvement, functionality, and security/emergency reasons.
One change which could be significant is that the monetary fines (one of several methods of enforcement action available for the Information Commissioner’s Office to enforce the regulations) for breaches of PECR could increase to match the fines of a severe breach of the UK GDPR. This could, in extreme circumstances, result in fines of 4% global annual turnover or £17.5m (whichever is highest) for non-cookie compliance or nuisance calls and texts.
Although the value of fines described above may seem unlikely to happen in practice, it does seem inevitable that we will see an increase in the volume and value of the fines currently issued for non-compliance with the rules on cookies.
What next?
Although the enforcement action in relation to non-compliance of the cookie rules is changing, the rules themselves appear to be unaffected. This means that by being compliant now, you will also be compliant when the Data Protection and Digital Information Bill is granted royal assent.
I recommend that any website owner reviews their website compliance, including cookies, to ensure they are getting it right.
How we can help with your compliance
- Website Compliance Audit
- Data Protection Audit
- Virtual Privacy Officer (VPO) retainer offering
If you wish to discuss anything covered in this article please contact our our Intellectual Property, Data Protection and Technology team and we will be happy to help.