The UK’s Data (Use and Access) Act (DUAA) has received royal assent. Changes to UK data protection and privacy law will start taking effect over the coming months (the precise commencement dates remain unconfirmed).
The law introduces new exemptions from the UK’s cookie consent rules and a new, stricter penalty regime. Here’s a look at what’s changing, what stays the same, and whether you still need a cookie banner.
The existing law
The UK’s rules on cookie consent come from the Privacy and Electronic Communications Regulations 2003 (PECR).
PECR relates not only to cookies but to any technology used to “store information” or “access information stored” on a person’s “terminal equipment” (device). This includes cookies, pixels, beacons, and other technologies.
Under PECR, using cookies and similar technologies generally requires a website or app operator to provide comprehensive information and obtain consent. The definition of “consent” comes from the UK General Data Protection Regulation (UK GDPR), so it must be freely given and “opt-in”.
There are two exceptions. Consent isn’t required for cookies:
- Used solely to facilitate the transmission of communication over a network, or
- That are strictly necessary for providing a service requested by the user.
These exceptions mean you don’t have to get consent for cookies that are needed for your website or core services to function properly, such as a session cookie that remembers items in a shopping basket.
The three new exceptions
The DUAA maintains PECR’s general consent requirement and the two existing consent exceptions and adds three new exceptions.
The new ‘statistics’ exception
The DUAA introduces a new exception around collecting statistical information via cookies and similar technologies.
This exception will allow the use of cookies without consent to collect statistical information with a view to improving your website or service. For example, cookies for counting page visits, spotting bugs, or identifying popular content.
You can only rely on this exception if you clearly inform users of your purposes and offer a simple, free opt-out. You can only share the information you collect with third parties if you ensure they use it exclusively to help you improve your website or service.
The new ‘appearance’ exception
The DUAA introduces a second exception for cookies used to adapt the appearance or functionality of a website based on a user’s preferences, such as remembering font size or enabling “responsive design”.
As with the “statistics” exception, you can only rely on the “appearance” exception if you clearly inform users of your purposes and offer a simple, free opt-out.
The new ‘emergencies’ exception
The third new exception addresses emergency situations.
The exception will mean that consent isn’t required to access or store information on a user’s device in order to determine that device’s location when responding to a request for emergency assistance.
Unlike the other two new exceptions, the “emergencies” exception doesn’t require you to provide information or allow opt-outs.
Do you still need a cookie banner?
The UK’s privacy reforms do not change the consent requirement for marketing cookies, or any other cookies that do not fall under the three limited exceptions explained above.
But if you’re using cookies for the “statistics” or “appearance” exceptions, do you still need a cookie banner?
Even if you’re relying on one of these new exceptions, you still need to:
- Tell people about your purposes for using cookies
- Offer people a simple, free way to opt out.
These changes mean you can place certain cookies by default, but you’ll likely still need a cookie banner or a similar mechanism (such as a persistent privacy settings link) to tell users what you are doing and give them a way to opt out.
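To make the difference between the two consent models concrete, here is an added illustration of how a site might gate cookie-setting by category. It is example code written for this article, not code from the original page or from any consent-management product, and it is not legal advice. The category names, the preference record, and the decision to store that preference record as a strictly necessary cookie are assumptions made for the example. It uses a small in-memory cookie jar in place of document.cookie so it runs without a browser.

```javascript
// Added example: consent gating by cookie category (illustration only).
// Assumed category names and policy, following the exceptions described
// above. "always" needs no consent; "opt-out" may be set by default but
// must be removable; "opt-in" needs UK GDPR-standard consent first.
const POLICY = {
  necessary:  "always",   // PECR: transmission / strictly necessary
  statistics: "opt-out",  // DUAA statistics exception
  appearance: "opt-out",  // DUAA appearance exception
  emergency:  "always",   // DUAA emergencies exception (no opt-out required)
  marketing:  "opt-in",   // still needs opt-in consent
};

// Minimal stand-in for document.cookie so the example runs offline.
class CookieJar {
  constructor() { this.store = new Map(); }
  set(name, value, category) { this.store.set(name, { value, category }); }
  delete(name) { this.store.delete(name); }
  category(name) { return this.store.get(name).category; }
  names() { return [...this.store.keys()]; }
}

// User choices: opt-out categories the user rejected, opt-in ones they accepted.
function defaultPrefs() {
  return { optedOut: new Set(), optedIn: new Set() };
}

// Decide whether a cookie in `category` may be stored under `prefs`.
function mayStore(category, prefs) {
  const rule = POLICY[category];
  if (rule === undefined) return false;            // unknown category: fail closed
  if (rule === "always") return true;
  if (rule === "opt-out") return !prefs.optedOut.has(category);
  return prefs.optedIn.has(category);              // "opt-in"
}

// Wrapper around cookie-setting that enforces the policy.
function setCookie(jar, name, value, category, prefs) {
  if (!mayStore(category, prefs)) return false;
  jar.set(name, value, category);
  return true;
}

// Record a user's choice for one category and purge anything the new
// state no longer permits (an opt-out has to remove cookies already set).
function applyChoice(jar, prefs, category, allowed) {
  const rule = POLICY[category];
  if (rule === "opt-out") {
    if (allowed) prefs.optedOut.delete(category); else prefs.optedOut.add(category);
  } else if (rule === "opt-in") {
    if (allowed) prefs.optedIn.add(category); else prefs.optedIn.delete(category);
  }
  for (const name of jar.names()) {
    if (!mayStore(jar.category(name), prefs)) jar.delete(name);
  }
  // Assumption: the preference record is needed to honour the choice, so it is
  // stored under the "necessary" category rather than an optional one.
  jar.set("cookie_prefs",
          JSON.stringify({ optedOut: [...prefs.optedOut], optedIn: [...prefs.optedIn] }),
          "necessary");
  return prefs;
}

// Walk-through: on a first visit, statistics and appearance cookies can be
// placed by default, marketing cannot. The user then opts out of statistics
// and opts in to marketing.
function demo() {
  const jar = new CookieJar();
  const prefs = defaultPrefs();
  const placed = {
    session:   setCookie(jar, "session_id", "s1",    "necessary",  prefs),
    pageviews: setCookie(jar, "pv_count",   "1",     "statistics", prefs),
    font:      setCookie(jar, "font_size",  "large", "appearance", prefs),
    ads:       setCookie(jar, "ad_id",      "a1",    "marketing",  prefs),
  };
  applyChoice(jar, prefs, "statistics", false);
  applyChoice(jar, prefs, "marketing", true);
  setCookie(jar, "ad_id", "a1", "marketing", prefs);
  return { placed, remaining: jar.names().sort() };
}

console.log(JSON.stringify(demo()));
```

The point a practitioner should take from this is that "opt-out" is not the same as "no consent machinery": you still need a place to store the user's choice, a way to present it, and code that actually removes the statistics and appearance cookies once the user withdraws, while marketing cookies remain blocked until an explicit opt-in is recorded.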
The new penalty regime
Currently, PECR fines are capped at a maximum of £500,000.
The DUAA puts PECR fines on the same footing as the UK GDPR. As such, maximum fines are increasing to £17.5 million or 4% of annual worldwide turnover (whichever is higher).
So, while you may wish to take advantage of the UK’s more permissive cookie rules once they take effect, it is also a good time to ensure you’re complying with the current rules, by offering people a real choice about how you collect their personal data online.