As part of the UK Government’s wide-ranging consultation on data-related reforms, if they are introduced, they are considering withdrawing the requirement for consent by individuals to cookies from UK law.
Cookies are small text files that record internet users' online activity. They are vital to the operation of websites and to digital advertising.
Currently the rules set out in the Privacy and Electronic Communications Regulations (PECR) in the UK prohibit the storing and accessing of information on users' computers - unless those users have given their consent on the basis that they have had access to clear and comprehensive information about the purposes of the processing. An exception to the consent requirements exists where the cookie is "strictly necessary" for the provision of a service explicitly requested by the user.
The suggestion is that an alternative approach is the removal of the requirement for prior consent for all types of cookies. The Government has presented two proposals for reform which would make the consent rules less restrictive.
Under the first proposal, organisations would be able to use analytics cookies and similar technologies without the user’s consent. This would mean that cookies would be treated in the same way as the ‘strictly necessary’ cookies under the current legislation where consent is not required. But further safeguards might have to be considered to make sure that this type of processing poses a low impact on users’ privacy and risk of harm.
This option would not remove the requirement on organisations to provide the user with clear and comprehensive information about the measurement technologies that are active on their device and the purposes behind the use of the technology.
The purposes of the processing would need to be carefully explained. Any list of exceptions to the consent requirement would need to be kept up to date in order to respond to technological advancements. Additional safeguards could also be explored, as appropriate, such as: having a value which does not allow the individual to be directly identified; mandating that information is not used to build a profile of the user; or requiring the use of transparency notices.
More radical proposals to remove cookie consent requirements altogether were also outlined in the Government’s paper. They also said that an alternative approach is the removal of the requirement for prior consent for all types of cookies.
It would make compliance more straightforward for organisations they would continue to be required with UK GDPR principles when using cookies or similar. The Government, in their consultation, is asking for views on how organisations would comply with these principles without the use of cookie pop-up notices.
Even though EU law makers are themselves considering loosening cookie consent rules to enable cookies to be served without the need for consent for web analytics measuring, the UK’s proposals are, potentially, much more radical. If the UK diverges from the EU it will be interesting to see how this flows down to wider interpretative difference with respect to the UK GDPR itself and may call into question the adequacy granted to the UK for in-bound data transfers from the EU.
The Government’s consultation closes on 19th November 2021 and it will be interesting to see how many of these proposals go through or how much change to their original consultation is made.
What are your thoughts on the potential updates to Cookie requirements?