With new data protection legislation coming into effect as early as next year, non-compliance with the rules on cookies could potentially cost businesses a significant amount of money.
The fines for cookie non-compliance are likely to increase to match those for severe breaches of the UK GDPR. It’s therefore more crucial than ever to get your website cookie compliance right. We can help you with such compliance.
What are the rules on website cookies?
Currently, cookies can be split into two camps:
- Necessary Cookies: those which are necessary for the functionality and running of the website; and
- Non-Essential Cookies: those that do not fall under the definition of ‘necessary’, such as analytics tools and social media features.
Necessary cookies can be set regardless of the website visitor’s preferences. Non-essential cookies and other tracking technologies may only be stored on, or read from, a user’s device once the user has given explicit consent. Consent must be:
- Freely given;
- Specific and informed; and
- Unambiguous, given by a clear affirmative action such as an opt-in slider or tick box (that is not pre-ticked).
If cookies are set on the user’s device without such consent, you will be in breach of the cookie rules in PECR. You will also be in breach if you ask for consent but set the cookies before the user responds, or regardless of how they respond.
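The two failure modes above (non-essential cookies set before consent, or irrespective of it) are easy to introduce and easy to check for. The following is an added example, not code from the original article or from any particular consent tool: it gates cookie setting on an explicit, non-pre-ticked consent state and provides the audit check a reviewer would run on a fresh page load before touching the banner. The cookie names and the sample cookie header are assumptions constructed for the example; in a browser the Map "jar" would be replaced by the real document.cookie assignment, but the decision logic is the same.

```javascript
// Added example (not from the original article): consent gating for
// non-essential cookies plus a pre-consent audit. Pure functions so the
// same logic runs under Node for testing and in the browser for real use.

// Cookies the site treats as strictly necessary (assumed names: a session
// id and a CSRF token). Anything not listed here is non-essential.
const NECESSARY_COOKIES = new Set(["session_id", "csrf_token"]);

// Initial consent state. No pre-ticked box: non-essential starts as null
// (undecided), never true. Only an affirmative action may set it to true.
function initialConsent() {
  return { nonEssential: null };
}

// Record the visitor's choice. Only an explicit boolean from an opt-in
// control is accepted; closing the banner or scrolling is not a choice.
function recordChoice(consent, accepted) {
  if (typeof accepted !== "boolean") {
    throw new TypeError("consent must be an explicit true/false choice");
  }
  return { ...consent, nonEssential: accepted };
}

// May this cookie be set right now? Necessary cookies always; non-essential
// only once consent is exactly true (null and false both block).
function maySet(cookieName, consent) {
  if (NECESSARY_COOKIES.has(cookieName)) return true;
  return consent.nonEssential === true;
}

// Gatekeeper around the cookie store (a Map here as a stand-in for
// document.cookie). Refuses non-essential cookies without consent and
// reports whether the cookie was actually set.
function setCookieIfAllowed(jar, cookieName, value, consent) {
  if (!maySet(cookieName, consent)) return false;
  jar.set(cookieName, value);
  return true;
}

// Parse a document.cookie-style string ("a=1; b=2") into cookie names.
function cookieNames(cookieHeader) {
  return cookieHeader
    .split(";")
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => part.split("=")[0].trim());
}

// Audit check: run against document.cookie on first load, before the
// visitor has interacted with the banner. Any cookie present that is not
// on the necessary list was set before (or irrespective of) consent.
function unconsentedCookies(cookieHeader, consent) {
  if (consent.nonEssential === true) return [];
  return cookieNames(cookieHeader).filter((n) => !NECESSARY_COOKIES.has(n));
}

// Constructed sample (not real traffic): a first page load where an
// analytics cookie was dropped next to the necessary ones before any choice.
const SAMPLE_PRE_CONSENT_COOKIES = "session_id=abc123; analytics_id=555; csrf_token=xyz";

// Stand-alone run: report what a visitor would find on that first load.
console.log(
  "set before consent:",
  unconsentedCookies(SAMPLE_PRE_CONSENT_COOKIES, initialConsent())
);
```

In a real deployment the analytics or social-media script loader is wrapped in the same `maySet` check, so that the third-party script is never executed (and so never sets its cookies) until `recordChoice(consent, true)` has run; a banner that loads the script first and asks afterwards is exactly the "before, or irrespective of, consent" breach.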
What changes may be coming for website cookie compliance?
One change that could be significant is that the monetary fines for breaches of PECR (one of several enforcement tools available to the Information Commissioner’s Office) could increase to match those for a serious breach of the UK GDPR. In extreme cases, that would mean fines of up to £17.5m or 4% of global annual turnover (whichever is higher) for cookie non-compliance or for nuisance calls and texts.
Although fines of that size may seem unlikely in practice, it does seem inevitable that both the number and the value of fines issued for non-compliance with the cookie rules will increase.
Although the enforcement regime for the cookie rules is changing, the rules themselves appear to be unaffected. This means that a website that is compliant now will also be compliant when the Data Protection and Digital Information Bill receives royal assent.
I recommend that any website owner reviews their website compliance, including cookies, to ensure they are getting it right.
How we can help with your compliance
- Website Compliance Audit
- Data Protection Audit
- Virtual Privacy Officer (VPO) retainer offering
If you wish to discuss anything covered in this article, please contact our Intellectual Property, Data Protection and Technology team and we will be happy to help.