Brexit and the Cookie Law

As the world now knows, the UK has voted to leave the EU, so does this mean the end of cookie consent for UK websites? The question has been asked several times in the Twittersphere in the last few days, so it seems a quick post to clear things up is due.

The short answer is no.  The requirement to get consent for cookies has not changed as a result of Brexit, and won’t even go away automatically following the actual leave date, whenever that may be.

Although the basis of the law is an EU Directive, the rules in the UK (and in every other EU country) have been written into local law. In the case of the UK these are the Privacy and Electronic Communications Regulations (PECR).  As long as PECR remains unchanged in the UK, the cookie consent rules will be in place.

Of course the UK may decide to change PECR at some point, and almost certainly will need to anyway, but it is probably safe to say that this will not be the highest priority of a post-Brexit government. The irony of the situation is in fact that the EU was already in the process of reviewing the ePrivacy Directive, which contains the cookie rules at EU level.  It seems much more likely now that this reform, whatever shape it takes, will be completed before any change in UK law.

However, there is a much bigger issue for cookie consent in the future, and that is the coming in to force of the EU General Data Protection Regulation (GDPR). The GDPR is directly applicable and will be an enforceable law before the UK leaves the EU.  This means is will immediately apply to the UK until the date of any exit.

The GDPR is a much broader legal instrument, and by specifically including cookies in its definition of what constitutes personal data, many of its requirements will almost certainly lead to an effective tightening up of cookie consent – in particular imposing stricter opt-out (or perhaps even opt-in) cookie consent rules.

Of course, after the UK leaves the EU, the GDPR will no longer directly apply.  However, because GDPR protects EU citizens regardless of where information is handled, and because the UK will need to have the ability to freely move personal information out of the EU, we will be required in some way or another to modify UK laws to provide equivalent protection.  Without this the EU could block such data flows, which would be hugely damaging to the UK economy.

The UK Information Commissioners Office (ICO) has already made this clear in its own referendum result press release.

So, cookie consent in the UK is not going to go away, and is in fact likely to become stricter in the future. Something I have written about recently, and will be covering here over the coming months.