Cookies are text files that are implanted onto a computer, phone or other ‘terminal equipment’ when a user enters an online service provider’s website.
The cookies collect and store information on the habits of the user for a number of reasons, including to enhance the efficiency of the website, tracking preferences, personalisation of content, tailoring of advertising and providing security.
Cookies are regulated by the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
The UK GDPR supplements the PECR regardless of whether the cookies constitute personal data, and both sets of regulations operate to impose two main obligations on online service providers:
Consent is the foundational lawful basis for processing data for cookies under the GDPR, so it is vital that your consent mechanism is compliant. Otherwise, you may face significant penalties from the ICO, particularly where the information collected constitutes personal data.
The consent requirements under article 4(11) UK GDPR apply to cookie consent, meaning that specific, informed, and unambiguous permission must be freely given by a statement or affirmative action.
The method for obtaining consent for cookies often comes in the form of a ‘cookies banner’, which gives the user the option to accept or reject the use of cookies on a website.
Stephen Bonner has warned that companies that do not have a ‘reject all’ button on their cookie banners are “breaking the law” and “there is no excuse for that”. Bonner has warned that the ICO is paying close attention to this issue and is ready to issue fines to companies that are not taking serious, active steps towards compliance.
It is, therefore, important that you comprehensively and frequently review your company’s compliance concerning cookies, as well as its conformity with the UK’s general data protection legislation. The ICO has the power to issue fines of up to £17.5m or 4% of an organisation’s global annual turnover, and so data protection compliance is essential to avoid such enforcement action being taken against your company.
A recent example of enforcement action taken by the ICO against social media platform TikTok can be found in our article: The Information Commissioner’s Office issues £12.7m fine for misusing children’s data | Flint Bishop.
Contact Us
If you have any questions about how your company can ensure its compliance with the UK GDPR or any other data protection and commercial legal issues, our highly experienced Commercial team will be happy to help. Please contact Haroon Younis on 01332 226 466 or fill in the form below to request a no-obligation discussion.