Once regarded as an afterthought by website operators, cookies are being pushed up the risk agenda of businesses across the world, including in the UK.

The price of getting cookie compliance wrong can be costly: in early 2022, for instance, Google and Facebook were together fined over €200 million by the French data protection regulator for cookie-related infringements.

What are cookies?

Cookies are small text files, made up of letters and numbers, that are downloaded onto the devices of visitors to a website. They enable the website to remember information about those visitors’ activity on the site (such as the contents of a shopping basket, or the fact that a visitor has been to the site before). They are also commonly used to target advertising at website visitors based on browsing history or other preferences.

What are the essential cookie requirements to be aware of?

The law on cookies currently in force in the UK derives from 2011 amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Under PECR, a website may only automatically place onto users’ devices cookies that are ‘strictly necessary’, meaning those cookies that are essential for the website’s core functionality. Any other cookies may only be set if the website user gives consent, which must be freely given and easy to withdraw.

Many cookies commonly set by websites (such as analytics or tracking cookies, social media plug-ins, and advertising cookies) will therefore need a user’s consent before they can be set onto that user’s device. Once that consent has been obtained, the user must be able at any time to withdraw that consent as easily as it was given. This means that pre-ticked boxes or sliders defaulted to ‘on’ in respect of non-essential cookies, pop-up banners that imply consent is given if visitors continue to browse, or ‘cookie walls’ requiring visitors to agree certain cookie settings before they can access content will likely not be compliant.

The UK’s regulator on cookie practices, the Information Commissioner’s Office (ICO), additionally takes a dim view of ‘nudging’ techniques where, for example, an ‘accept all cookies’ button is much larger or brighter than one that allows visitors to reject certain cookies.

What are the consequences of not meeting these requirements?

If the ICO becomes aware of a breach of PECR, it can impose a fine of up to £500,000 against the organisation in breach or its directors. Breaches of PECR can also result in criminal prosecution, non-criminal enforcement, and audits.

On top of this, failure to meet applicable data protection requirements could contravene the EU General Data Protection Regulation (EU GDPR) and its UK equivalent, the UK GDPR. Many widely used tools that rely on cookies and other tracking technologies are offered by US-based companies, which means personally identifiable data of website users in the UK and EU (such as their IP addresses) could be sent to the US. If the complex rules on transfers from the UK and the EU to the US (as mandated under the UK GDPR and EU GDPR) are not met, this carries a risk of a fine of up to 4% of worldwide turnover or £17.5m/€20m (whichever is greater) from each relevant data protection regulator.

It is worth noting that cookie compliance has moved up the enforcement agenda for regulators in the UK and the EU. In late 2020, for example, CNIL, the French privacy watchdog, fined the supermarket chain Carrefour and its banking division over €3 million for failing to obtain users’ consent before setting advertising cookies.

Private individuals are also becoming more savvy about developments in this area and are taking action against website operators. For example, the European Centre for Digital Rights (headed by Max Schrems, well known in the data protection world as the name behind some of the most important recent court actions) is investigating cookie banner implementations. In March 2022, the Centre launched a second round of action against deceptive cookie banners, targeting 270 organisations.

The UK government has recently announced proposals to reduce the burden of cookie compliance (for example, by moving to a one-time ‘opt out’ model whereby cookies may be stored without users having to provide consent each time they access a website). These proposals are still under review, and several interest groups have raised concerns that this approach may open the door to easier ‘digital spying’. Opposition politicians have also signalled that they would prefer the UK’s data protection regime to remain closely aligned with the EU’s, in order to reduce the risk of the EU withdrawing its ‘adequacy’ decision in respect of the UK’s data protection framework, which currently allows the free flow of personal data between the UK and the EU.