enq@springstep.co.ukHTTP cookies (also called web cookies, Internet cookies, browser cookies, or simply cookies) are small blocks of data created by a web server while a user is browsing a website and placed on the user’s computer or other device by the user’s web browser. Cookies are placed on the device used to access a website, and more than one cookie may be placed on a user’s device during a session.
Updated 2024
Consent under the combination of the GDPR and e-Privacy Directive has to meet a number of conditions in relation to cookies.[76] It must be freely given and unambiguous: preticked boxes were banned under both the Data Protection Directive 1995[73] and the GDPR (Recital 32).[77] The GDPR is specific that consent must be as ‘easy to withdraw as to give’,[77] meaning that a reject-all button must be as easy to access in terms of clicks and visibility as an ‘accept all’ button.[76] It must be specific and informed, meaning that consent relates to particular purposes for the use of this data, and all organisations seeking to use this consent must be specifically named.[78][79] The Court of Justice of the European Union has also ruled that consent must be ‘efficient and timely’, meaning that it must be gained before cookies are laid and data processing begins instead of afterwards.[80]
The industry’s response has been largely negative. Robert Bond of the law firm Speechly Bircham describes the effects as “far-reaching and incredibly onerous” for “all UK companies”. Simon Davis of Privacy International argues that proper enforcement would “destroy the entire industry”.[81] However, scholars note that the onerous nature of cookie pop-ups stems from an attempt to continue to operate a business model through convoluted requests that may be incompatible with the GDPR.[74]
Academic studies and regulators both describe widespread non-compliance with the law. A study scraping 10,000 UK websites found that only 11.8% of sites adhered to minimal legal requirements, with only 33.4% of websites studied providing a mechanism to reject cookies that was as easy to use as accepting them.[76] A study of 17,000 websites found that 84% of sites breached this criterion, finding additionally that many laid third party cookies with no notice at all.[82] The UK regulator, the Information Commissioner’s Office, stated in 2019 that the industry’s ‘Transparency and Consent Framework’ from the advertising technology group the Interactive Advertising Bureau was ‘insufficient to ensure transparency and fair processing of the personal data in question and therefore also insufficient to provide for free and informed consent, with attendant implications for PECR [e-Privacy] compliance.'[78] Many companies that sell compliance solutions (Consent Management Platforms) permit them to be configured in manifestly illegal ways, which scholars have noted creates questions around the appropriate allocation of liability.[83]
West London -
Camden, Ealing, Uxbridge