In Short
- Non-essential cookies, such as those for analytics or advertising, require prior, valid consent under PECR rules.
- Cookie banners must allow users to easily accept, reject, or manage cookies and ensure non-essential cookies remain inactive until consent is given.
- Conduct cookie audits, provide clear cookie policies, and ensure banners meet legal standards to avoid regulatory fines and reputational risks.
Tips for Businesses
Ensure your cookie banner includes an equally prominent ‘reject all’ button alongside the ‘accept’ option. Regularly audit your website to classify cookies as essential or non-essential, and update your cookie policy to keep users informed. For complex compliance needs, consider seeking legal advice to ensure you meet PECR and UK GDPR standards.
Cookies are often a key tool for businesses operating in a digital space. However, their use is tightly regulated by legislation known as the Privacy and Electronic Communications Regulations (PECR) and the UK GDPR, where cookies may reveal personal data. A key requirement for businesses is to obtain valid consent for non-essential cookies. As such, companies often use ‘cookie banners’ with options to ‘reject all’ cookies – and you may wonder why this is the case. This article explores the legal framework for consent for cookies and some practical examples of how your business should obtain valid consent.
How Do Cookie Consent Rules Work?
Cookies are small text files that a website stores on a user’s device, such as a computer, tablet, or phone, when the user visits. They serve various purposes, from enabling websites to function efficiently to collecting useful data, such as user preferences, browsing history, or shopping cart items.
Businesses often use different types of cookies, including essential and non-essential cookies. Essential cookies are necessary for a website to function correctly and do not require user consent. However, for non-essential cookies (such as those used for analytics and advertising), your business must obtain prior consent under PECR.
Consent must be freely given, specific, informed, and unambiguous, and it must involve an explicit affirmative action by the user. Pre-ticked boxes, inactivity, or continued browsing are not valid consent.
Your business must also provide clear and accessible information about cookies, including their purpose, the types of data they collect, their duration, and whether any third parties are involved.
What is the Role of Cookie Banners?
To comply with PECR, your business can use a cookie banner to obtain valid consent before placing non-essential cookies on users’ devices. A compliant cookie banner should provide clear, plain-language information about cookies and must appear when users first land on the website. A website should not use non-essential cookies absent valid user consent.
Your business must ensure that users can clearly see the options to accept, reject, or manage cookies – this is where a cookie banner can mention ‘reject all’ cookies so the user has an easy way to make their choice. Your banner must also allow users to manage their preferences and withdraw consent easily at any time.
Which Risks Should Your Business Be Wary Of?
Many businesses may inadvertently breach PECR by failing to meet the legal requirements for cookies.
Your business should ensure it fully complies with PECR rules to avoid these risks. This can help your company avoid enforcement action, fines of up to £500,000 under PECR, and reputational damage.
Your business should take a proactive approach to ensure cookie compliance, and the following steps can help you:
- conduct a full cookie audit to identify all cookies in use and determine whether they are essential or non-essential;
- use a prominent cookie banner to ensure users can easily reject all non-essential cookies, manage their preferences, and withdraw consent;
- ensure non-essential cookies remain inactive until users provide valid, explicit consent; and
- publish a clear and detailed cookie policy, providing users with transparent information about cookie purposes, duration, and any third parties involved.
Should Your Business Seek Advice on Cookie Consent?
Preparing a compliant cookie policy and banner can be challenging, and many businesses may find it tricky to navigate the complex PECR rules in practice.
Given the complexity of PECR and UK GDPR compliance, businesses should consider working with a data protection lawyer and technical experts to ensure all processes are compliant. A lawyer can help draft compliant cookie policies, and technical teams can help you identify which cookies your business uses and implement effective consent management tools.
Key Takeaways
Using cookies creates mandatory legal responsibilities for businesses. PECR requires businesses to obtain valid, active consent before deploying non-essential cookies. Consent must be freely given, specific, informed, and unambiguous, involving a clear affirmative action. Implied consent, pre-ticked boxes, or continued browsing will not meet the legal standard.
You can use a cookie banner to provide users with clear options to accept, reject, or manage cookies, ensuring that non-essential cookies do not activate until consent is given. Including a ‘reject all’ button that is as prominent as the ‘accept’ option can help you give your users clear choices. Breaching PECR cookie law rules carries various risks, so your business should seek legal advice if you need clarification on your legal obligations.
If you need help understanding cookie law rules, our experienced data, privacy, and IT lawyers can assist you as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
PECR are the Privacy and Electronic Communications Regulations, which, among other matters, regulate how businesses use cookies and similar technologies on users’ devices.
A cookie banner notifies users of cookie usage on a website. Your business can use a banner to provide transparent cookie information and request user consent.