News & Insights

Rules on website cookies

King Charles recently delivered his first speech to Parliament since becoming monarch. This referred to government plans to “make the economy more competitive, taking advantage of freedoms afforded by the United Kingdom’s departure from the European Union”. This seems to be a reference to the aims of the Data Protection and Digital Information (No 2) Bill to simplify our data protection legislation which is still heavily EU-based.

The Bill proposes changes to the regime governing “cookie pop-ups” that visitors see when visiting online platforms.


A cookie is a small computer file which is downloaded onto a device when visiting a website. It collects information from the visitor’s device and sends it back to the website so that, for example, the next time they go to the website, the website will recognise them and remember their previous browsing activity. For example, a cookie may remember products that the visitor has looked at before but didn’t buy and then advertise the products against as a prompt to encourage the visitor to make a purchase.

The Privacy and Electronic Communications Regulations (“PECR”) requires website operators to provide their visitors with information about the cookies used on the website, including what information they collect and why and to obtain visitors’ consent to the use of cookies.

Where cookies can identify individuals, or are combined with other information which together allows individuals to be identified, the use of cookies has to comply with data protection legislation, in particular consent to the use of cookies must meet GDPR standards, in other words it must be informed, specific, freely-given and explicit.

Provision of information

When planning to implement an online service, it is important to identify what cookies will be used on the website, what they do and how long they last. This analysis should also look at whether any third-party cookies are placed on the visitor’s device as well as cookies coming from the website itself. The business needs to make sure that this information is provided in a comprehensive but also transparent/easy to understand cookies policy posted on its website. This should give visitors an understanding of what data is being collected and used and a sense that they have some control over this. In turn this ought to reassure visitors and help to foster brand loyalty.


To meet GDPR requirements for consent to be informed, many websites now use “pop-ups” which give a short summary, separate from other terms and conditions, about the cookies being used. To meet requirements for consent to be specific and freely-given (i.e. given on an option-in basis), visitors are invited to select which cookies they agree to accept and have placed on their devices.

The Future

The way websites have developed in recent years in response to consent requirements being tightened up has meant many websites display banners asking visitors to consent to the use of cookies in a way which has become intrusive and repetitive, thereby impairing visitors’ browsing experience. Many internet users find cookie pop-ups annoying and simply click the buttons to get rid of the pop-ups rather than read the detail – which is somewhat counter-productive.

The Bill proposes a new opt-out model for cookies to reduce the need for users to click through consent banners on every website they visit, in particular the current standard of consent will not be required for purposes which are considered to present a “low risk” to people’s privacy. This sounds like a change to welcome and we will monitor developments over the coming months.

In the meantime it is important for website operators to continue to comply with the current rules to enhance customer confidence and avoid complaints and/or possible enforcement action.

If you have any questions as a result of this article, please contact [email protected]