Under the E-Privacy Directive (2002/58/EC), website operators and other online providers that set cookies on user devices must (unless an exception applies) comply with the Cookie three C’s:
The General Data Protection Regulation (GDPR) introduced a higher standard of ‘consent’, with effect from 25 May 2018, which applies to cookies. Consent must be:
This definition of consent to cookies applies regardless of whether personal data is processed.
Consent to cookies cannot be inferred from the following:
In order to be compliant, consent must be obtained separately from terms and conditions and before the cookie is set.
Information on cookies must be in clear and plain language. Users must be told:
Users must be given information on how they can accept all, some or none of the cookies operating on the website and how they can change their user preferences.
The ICO has the ability to levy substantial fines for failure to comply with laws relating to cookies, including fines of up to £500,000 for failing to comply with the E-Privacy Directive, and up to €20 million or 4% of total worldwide annual turnover (whichever is the higher) for failing to comply with the GDPR and the Data Protection Act 2018.
If you would like any advice in relation to your cookies policy, your compliance with the E-Privacy Directive or the GDPR, please contact one of our lawyers on 0161 941 4000 and ask for our Corporate/Commercial department or email us.