So, what is the EU ‘Cookies Law’ and why should we worry about it?

We’re regularly asked about the ‘Cookies Law’ by our clients and whether they need a pop up about the use of cookies on their website. In fact, the question came up again as recently as a couple of weeks ago! Although we know the main gist of it, we thought it’d be good to understand the finer points a little better, so we asked the experts to tell us more…

(Main image by Slice of Chic)

The ‘Cookies Law’ is a regulation that requires websites within the EU to inform their users that ‘Cookies’ (small data files; not the tasty kind, unfortunately) are being kept to both enhance your browsing experience and allow companies to gather data about your internet browsing habits.

Many people are concerned about the use of cookies storing information about them, as it raises the question of their data protection rights being breached. If a company keeps hold of user data, it has the opportunity to sell that information on to third-parties. Also, with the use of tracking cookies, companies can continue to advertise content to you even when you’re not on their website — somewhat akin to marketing cyber-stalking. The Cookies Law aims to address these concerns and protect people’s online privacy rights.

Whilst this isn’t something we enforce or deal with as a business, we wanted to give you an insight into what exactly the Cookies Law is and how it affects both company websites and the users that frequent them.

Below is a Q&A with Dan Read and Emma Fox of TLT: experts in Technology & Communications law (among other things), they were incredibly kind in answering questions we had and giving us some background into the details and logistics.


Could you explain what the ‘Cookies Law’ actually is (i.e. in laymen’s terms)?

The ‘Cookies Law’ (officially the “Privacy and Electronic Communications Regulations 2003” or “PEC Regs”) is a law that was brought in to make sure that businesses appropriately protect people’s personal information online. The law requires that any person or business using cookies on their websites:

  • tells users that cookies are being used;
  • tells users what the cookies do and why; and
  • gets consent from users to use and store cookies.

The Cookies Law originates from a European law which is currently being reviewed and is due to be updated soon.

*Who does the ‘Cookies Law’ affect? For example, would my personal website need to have a disclaimer or is it for more established companies? *

Anyone operating a website that uses cookies needs to comply with the legal requirements. It doesn’t matter whether you are a large, established company, a start-up or just an individual setting up a personal website; if you set cookies, you have to comply.

Q: What are the allowed mechanisms to register consent? (i.e. do users actually have to click a button or is scrolling past the fold enough to consider it ‘consent’?)

In order to be valid, consent must be freely-given, specific and informed. Having an ‘I accept’ or ‘O.K.’ button is a common way to get consent and one of the safest ways of making sure these requirements are met. However, it’s not necessarily the only way to get consent. In some situations, it can be acceptable to imply consent from a user’s failure to click ‘No’ in a pop-up or failure to change cookies settings. However consent is obtained, website operators setting cookies must always provide a ‘cookies notice’ which tells individuals clearly what cookies are used, what they are used for and how long they are stored.

Q: Who enforces the ‘Cookies Law’?

The Information Commissioner’s Office (ICO) is the UK regulator in charge of enforcing the PEC Regs.

Q: What legal ramifications are there for not having a disclaimer on a website?

If a website does not have a cookies notice and/or a compliant consent mechanism, the ICO can investigate and has the power to take enforcement action. For example, the ICO could require a website operator to take certain steps to comply with the laws or could fine the operator if the breach is considered to be serious. The ICO also publishes enforcement action it takes, so any breach could become public and have serious consequences for their reputation.

Q: Now that the UK will be leaving the E.U., is the ‘Cookies Law’ still relevant?

The Cookies Law will still be relevant after Brexit. Because the European Cookies Law is currently being updated, we will most likely have a new, stricter law by the time we leave. Once the UK has exited the EU, there may be some flexibility in our laws which might mean they could be made less strict.

However, although it’s not currently clear exactly what the UK’s cookies laws will look like post-Brexit, the general concepts of transparency and consent will almost certainly remain.

Q: What about websites based in countries outside of the E.U.? Can they still use Cookies without informing consumers?

The current European law doesn’t apply to websites outside the EU.

However, the new law might mean that if websites outside the EU use cookies to track EU citizens, the operators of those websites will need to comply with the European laws. Of course, there might also be cookies laws in non-EU countries with which those website operators will need to comply.

Q: Is there any other privacy legislation that companies or the general public should be aware of?

The PEC Regs complement the UK’s Data Protection Act 1998, which places more general privacy obligations on businesses. For example, the Data Protection Act requires businesses to tell people what their information is being used for, to hold and store that information securely and to allow people to access their own information on request.

This law is also due to be replaced by an updated, stricter European originating law in the next two years and there will be severe consequences for businesses which do not comply. It will therefore become even more important for businesses to make sure they are meeting their data protection obligations.

A big thank you to Dan and Emma for obliging us and answering all of our questions. If you’d like to know more about their services, have a look at the TLT website to see what areas of law they can advise on.

This article was originally posted at CookiesHQ.