



Learn about the UK GDPR requirements for obtaining lawful cookie consent, including the necessity for clear information, unambiguous consent, and easy withdrawal options. Discover how Secure Privacy's consent management solution can help your website comply with UK data protection laws effortlessly.
Compliance with the UK cookie laws is required of all businesses operating in the United Kingdom or targeting UK customers from abroad.
Regarding your obligations, we have good and bad news.
The bad news is that you need to comply with three different laws. The good news is that the requirements from the three laws are the same, and compliance would be effortless. If you use a consent management platform like Secure Privacy, it gets even easier.
The United Kingdom has two laws regulating the use of cookies: the Privacy and Electronic Communications Regulations (PECR), the UK Data Protection Act (DPA), and the UK GDPR.
The PECR regulates electronic communications. The UK DPA and the UK GDPR regulate data protection.
The UK PECR (Privacy and Electronic Communications Regulations) is the law governing the use of personal data in electronic communications. Among other things, it regulates the use of cookies.
PECR covers the handling of marketing calls, emails, texts, and cookies. The use of cookies and similar technologies requires specific consent, unless they are strictly necessary for a service that the user has requested. To protect individual privacy, the UK GDPR enforces these regulations, which emphasize consent and privacy rights in electronic communication contexts.
Under the UK's Privacy and Electronic Communications Regulations (PECR), the requirements for cookie consent are quite specific. Organizations must:
The UK Data Protection Act of 2018 (UK DPA) was the first UK effort to align with the EU data protection law.
Any online service that sets cookies must obtain explicit consent before doing so. The consent must be:
Businesses must obtain valid consent before setting non-essential cookies, but they are free to use tags that are essential for the website's functionality. You do not need consent for such cookies to comply with the law.
The UK GDPR (General Data Protection Regulation) is the UK's response to Brexit. Although the country had aligned its national legislation with the EU GDPR and the UK DPA, leaving the EU made it necessary to pass one more law that is the same as the EU General Data Protection Regulation.
It sets out principles for the lawful processing of personal data and grants individuals various rights concerning their data, such as the right to access, rectify, delete, and restrict the processing of their data. It also imposes strict obligations on organizations that process personal data, requiring them to ensure data security, transparency, and accountability. The Information Commissioner's Office (ICO) enforces the UK GDPR and has the authority to impose fines and sanctions for non-compliance.
One of the requirements for businesses is having a lawful basis for data processing, which leads to the requirement to obtain cookie consent for the use of cookies. Operating in the UK means that you need to present users with a cookie banner and obtain consent.
The consent request must provide clear information about cookies used on the website or app. You can do so by having a cookie pop-up with such information, or you can add links to the cookie policy and the privacy policy.
The request must obtain consent, which is:
As you can see, the Data Protection Act 2018 and the UK GDPR both mandate the same requirements for obtaining consent for the use of cookies.
No, the EU GDPR does not apply to UK companies by default. It only applies when they process EU residents' personal data. Since Brexit, it doesn't apply to UK companies when processing the personal data of people outside the UK.
However, given the absolute similarity between the EU GDPR and the UK GDPR, Brexit didn't bring any changes in terms of data protection or the lawful use of cookies and similar technologies in the UK.
Here's a simple checklist of things you need to do to comply with the UK cookie laws:
Secure Privacy's consent management solution aligns with over 40 data protection laws worldwide, including all three laws applicable in the United Kingdom. All you need to do is install our CMP on your website, choose to comply with the UK laws, and leave the rest to us.
We will set up your cookie banner by default to comply with UK laws, but you can change that at any time. You can also generate a cookie policy and a privacy policy to ensure cookie compliance.