May 23, 2024

The UK Cookie Law Explained: How to Use Cookies and Similar Technologies According to the ICO

Learn about the UK GDPR requirements for obtaining lawful cookie consent, including the necessity for clear information, unambiguous consent, and easy withdrawal options. Discover how Secure Privacy's consent management solution can help your website comply with UK data protection laws effortlessly.

Compliance with the UK cookie laws is required by all businesses operating in the United Kingdom or targeting UK customers from abroad.

Regarding your obligations, we have good and bad news.

The bad news is that you need to comply with three different laws. The good news is that the three laws impose the same requirements, so compliance is straightforward. If you use a consent management platform like Secure Privacy, it gets even easier.

Simplify cookie compliance in today's privacy-focused online world. Our Cookie Compliance Checklist cuts through the complexity, making it easy to adhere to evolving regulations.

Download Your Free Cookie Compliance Checklist

What is the UK Cookie Law?

The United Kingdom has three laws regulating the use of cookies: the Privacy and Electronic Communications Regulations (PECR), the UK Data Protection Act (DPA), and the UK GDPR.

The PECR regulates electronic communications. The UK DPA and the UK GDPR regulate data protection.

UK PECR: The UK Cookie Law Explained

The UK PECR (Privacy and Electronic Communications Regulations) is the law governing privacy in electronic communications. Among other things, it regulates the use of cookies and similar technologies.

PECR covers marketing calls, emails, texts, and cookies. Storing or accessing information on a user's device, which is what cookies and similar technologies do, requires the user's consent unless it is strictly necessary for a service the user has requested. PECR takes its definition of consent from the UK GDPR, so the same standard of consent applies under both, and the Information Commissioner's Office (ICO) enforces both.

Cookie Consent Requirements Under the UK PECR

Under the UK's Privacy and Electronic Communications Regulations (PECR), the requirements for cookie consent are quite specific. Organizations must:

  • Inform users. Make sure to clearly explain the purpose and function of cookies. This information must be easily accessible and understandable.
  • Obtain consent. Before placing any cookies on a user's device, you must obtain consent, except for cookies that are strictly necessary for the service the user has explicitly requested (e.g., a cookie used to remember what's in a shopping cart).
  • Ensure that consent is freely given. Consent must be a freely given choice, meaning users should be able to refuse non-essential cookies without detriment.
  • Provide a clear opt-in. The method of obtaining consent must involve some form of clear affirmative action (e.g., ticking a box or clicking a button). Pre-ticked boxes, or any implied consent that interprets inaction as acceptance, are insufficient.
  • Allow an easy withdrawal of consent. Users should be able to withdraw their consent as easily as they gave it. This means providing an accessible way to change their cookie settings at any time.
  • Keep records of consent. Organizations should keep records of the consents they obtain so that they can demonstrate compliance with PECR in an audit.

The UK Data Protection Act and the Use of Cookies

The UK Data Protection Act 2018 (UK DPA) was passed while the UK was still an EU member. It supplements the GDPR in UK law and, since Brexit, works alongside the UK GDPR.

Any online service that sets non-essential cookies must obtain consent before doing so. The consent must be:

  • Freely given
  • Specific to each processing purpose
  • Informed, meaning you provide users with clear and comprehensive information about the use of cookies, usually through a privacy policy or a cookie policy
  • Unambiguous, meaning the user must take a clear affirmative action to grant valid consent
  • Easy to withdraw, typically through a cookie preferences center

Businesses must obtain valid consent before setting non-essential cookies, but they are free to use tags that are essential for the website's functionality. You do not need consent for such cookies to comply with the law.

The UK GDPR and the Use of Cookies and Similar Technologies

The UK GDPR (General Data Protection Regulation) is the UK's post-Brexit version of the EU GDPR. The UK had already aligned its national legislation with the EU GDPR through the DPA 2018; when it left the EU, the EU regulation was retained in domestic law as the UK GDPR, so the rules remain substantively the same as the EU General Data Protection Regulation.

It sets out principles for the lawful processing of personal data and grants individuals various rights concerning their data, such as the right to access, rectify, delete, and restrict the processing of their data. It also imposes strict obligations on organizations that process personal data, requiring them to ensure data security, transparency, and accountability. The Information Commissioner's Office (ICO) enforces the UK GDPR and has the authority to impose fines and sanctions for non-compliance.

One of the requirements for businesses is having a lawful basis for processing personal data. Because PECR requires consent for non-essential cookies, consent is in practice the lawful basis for the personal data those cookies collect, so operating in the UK means presenting users with a cookie banner and obtaining consent before setting them.


UK GDPR Requirements for Cookie Consent

The consent request must provide clear information about cookies used on the website or app. You can do so by having a cookie pop up with such information, or you can add links to the cookie policy and the privacy policy.

The request must obtain consent, which is:

  • Freely given
  • Unambiguous
  • Specific to each processing purpose
  • Informed, and
  • It is easy to withdraw.

As you can see, the Data Protection Act 2018 and the UK GDPR both mandate the same requirements for obtaining consent for the use of cookies.

Do the EU GDPR Rules Apply in the UK?

No, the EU GDPR does not apply to UK companies by default. Since Brexit, it applies to a UK company only where the company is established in the EU or offers goods or services to, or monitors the behaviour of, people in the EU.

Because the UK GDPR is substantively identical to the EU GDPR, Brexit did not change the rules on data protection or on the lawful use of cookies and similar technologies in the UK.

How to Use Cookies: A UK Cookie Law Checklist

Here's a simple checklist of things you need to do to comply with the UK cookie laws:

  • Along with the consent request, provide users with a privacy policy or a cookie policy. Ensure that it contains clear and comprehensive information about the types of cookies, the types of data they collect, whether a cookie is strictly necessary for the website's functionality, for how long they store information, and so on.
  • Present users with a cookie pop-up requesting explicit consent. 
  • Ensure that your cookie pop-up banner contains buttons for accepting and declining cookies.
  • Use checkboxes or toggles so users can choose which cookie categories to accept and which to decline, and ensure that none of them are pre-checked.
  • Do not set non-essential cookies before obtaining consent.
  • Make sure that your cookie consent solution allows for easy consent withdrawal.
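As an added example (not code from the original page or from Secure Privacy), here is a small consent gate in JavaScript that implements the PECR consent requirements listed earlier and the checklist above: no non-essential cookie is set before an affirmative choice, inaction counts as refusal, toggles start unchecked, choices are per purpose, every decision is recorded with a timestamp, and withdrawal is a single action that removes what was set. The category names, cookie names and the Map-based cookie jar are assumptions for illustration; in a real page the jar would be `document.cookie` and each tag would be loaded only after `allowed()` returns true for its category.

```javascript
// Consent gate for non-essential cookies, following the UK cookie-law checklist:
// nothing non-essential is set before an affirmative choice, inaction reads as
// refusal, choices are per purpose, every decision is recorded, and withdrawal
// is as easy as granting. Added example, not Secure Privacy's code; the
// categories and cookie catalogue below are illustrative assumptions.

const NON_ESSENTIAL = ["analytics", "marketing"]; // assumed purpose categories

// What the site would like to set, tagged with the purpose each cookie serves.
// "essential" cookies (here, the shopping-cart cookie) are exempt from consent.
const COOKIE_CATALOGUE = [
  { name: "cart_id",  category: "essential", value: "c-1001" },
  { name: "_site_ga", category: "analytics", value: "GA1.2.x" },
  { name: "_site_ad", category: "marketing", value: "ad-seg-7" },
];

class ConsentGate {
  // `jar` is a Map standing in for document.cookie so the example runs in Node;
  // `clock` is injectable so consent records carry a deterministic timestamp.
  constructor(jar = new Map(), clock = () => new Date().toISOString()) {
    this.jar = jar;
    this.clock = clock;
    this.decision = null; // null = no choice yet, which must be treated as refusal
    this.log = [];        // consent records kept as evidence for an audit
  }

  // Is a cookie of this category currently permitted?
  allowed(category) {
    if (category === "essential") return true;
    return this.decision !== null && this.decision.granted.includes(category);
  }

  // Run before any tag fires: sets only what needs no consent and returns the
  // banner's initial toggle state.
  applyOnLoad() {
    this.sync();
    return this.bannerState();
  }

  // Initial banner state: every non-essential toggle off (never pre-ticked).
  bannerState() {
    return Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
  }

  // Clear affirmative action: the user clicked "Accept" or saved their toggles.
  grant(categories) {
    for (const c of categories) {
      if (!NON_ESSENTIAL.includes(c)) throw new Error(`unknown category: ${c}`);
    }
    this.decide("grant", [...categories]);
  }

  // "Reject all": recorded as a decision so the banner need not reappear
  // (assumption: a refusal is remembered the same way as a grant).
  refuse() {
    this.decide("refuse", []);
  }

  // Withdrawal: one call drops every non-essential cookie already set.
  withdraw() {
    this.decide("withdraw", []);
  }

  decide(action, granted) {
    this.decision = { granted, at: this.clock() };
    this.log.push({ action, granted: [...granted], at: this.decision.at });
    this.sync();
  }

  // Make the jar match the current decision: set permitted cookies, remove the rest.
  sync() {
    for (const c of COOKIE_CATALOGUE) {
      if (this.allowed(c.category)) this.jar.set(c.name, c.value);
      else this.jar.delete(c.name);
    }
  }

  // Sorted cookie names currently present, for inspection.
  cookieNames() {
    return [...this.jar.keys()].sort();
  }
}

// Stand-alone walk-through of a typical visit: load, accept analytics, withdraw.
function demo() {
  const gate = new ConsentGate();
  const steps = [];
  gate.applyOnLoad();
  steps.push(gate.cookieNames());   // ["cart_id"]
  gate.grant(["analytics"]);
  steps.push(gate.cookieNames());   // ["_site_ga", "cart_id"]
  gate.withdraw();
  steps.push(gate.cookieNames());   // ["cart_id"]
  return { steps, log: gate.log };
}
```

The point of keeping `decision` as `null` until the user acts is that the code path for "banner shown but ignored" and the code path for "rejected" both leave the jar containing only essential cookies; scrolling or continuing to browse never flips a category on. The `log` array is what you would persist server-side (or in a first-party cookie) as the record of consent the PECR checklist asks for.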

Obtaining Lawful Cookie Consent in the UK with Secure Privacy

Secure Privacy's consent management solution aligns with over 40 data protection laws worldwide, including all three laws applicable in the United Kingdom. All you need to do is install our CMP on your website, choose to comply with the UK laws, and leave the rest to us.

We will set up your cookie banner by default to comply with UK laws, but you can change that at any time. You can also generate a cookie policy and a privacy policy to ensure compliance.

Start your Free Trial