A crackdown on consent cookies is coming - Laura Irvine

Cookies and similar technologies, like tracking pixels, allow websites and apps to access information on computers, mobile phones and other electronic devices. They provide analytics about who is viewing and interacting with webpages, helping the owner to better personalise the user experience and analyse what is working.

Information obtained from cookies also presents a serious risk as it can be used by third parties to build detailed individual profiles which feed algorithms to manipulate our behaviour for commercial and political means.

The law relating to cookies and other tracking tools is found in the Privacy and Electronic Communications Regulations (PECR). These say a website operator shouldn’t store or gain access to information on a user’s device unless it’s been clearly explained how such information will be collected, used and shared. They also require the user to provide consent for this information to be used.

Under the GDPR introduced in 2018, it became more difficult to obtain valid consent and the same standard applies to the consent that website operators must obtain from users if cookies are being used. Consent to store cookies must be freely given, not implied or assumed or obtained by tricks or nudges. While essential cookies, which enable a website to function correctly, do not require consent, they must be absolutely critical for its operation.

Laura Irvine heads the Regulatory Team, Davidson Chalmers Stewart (Picture: Paul Bock)

In 2019, the Information Commissioner’s Office (ICO) issued guidance stating that cookie banners used on many websites, platforms, and apps were not fit for purpose as they didn’t obtain the required consent for placing non-essential cookies.

However, it took the UK more than four years to act on this issue. Last August the ICO published further guidance stating that a website’s cookie banner should “make it as easy to reject non-essential cookies as it is to accept them” and promised action against those who do not comply.

The UK Government’s Data Protection and Digital Information Bill is proposing to allow analytics cookies to be deployed without consent, but only where information is used by the website operator and not third parties. The Bill also introduces higher fines for non-compliance with PECR, increasing the maximum fine from £0.5m to £17.5m.

Website operators should ensure users can reject cookies as easily as they can accept them. While some websites continue to rely on legitimate interests to deploy cookies, this is not lawful and will be another area of focus for the regulator.

While the ICO has yet to take regulatory action for cookie breaches, European supervisory authorities have been more active.

In 2023, France’s regulator CNIL fined TikTok €5m for requiring users to select multiple options to reject cookies but only one to accept. A year earlier, CNIL also fined Microsoft Ireland €60m for failing to provide an easy option to reject cookies on bing.com. CNIL also found user information was being used for advertising purposes without consent.

We are already seeing strong evidence of a tougher ICO approach to non-compliance. It reported that 38 of 53 organisations it recently contacted have updated cookie banners to ensure they are compliant with its 2019 guidance.

In a blog posted in January, the ICO set out its intentions, saying it had monitored the top 100 websites and was preparing to contact the next 100 as well as the 100 after that. This new vigour means that website operators of all sizes must ensure they are compliant with laws governing cookies or face significant penalties.

Laura Irvine heads the Regulatory Team, Davidson Chalmers Stewart
