Brexit and The Cookie Law
As the world now knows, the UK has voted to leave the EU, so does this mean the end of cookie consent for UK websites?
The short answer is no. The requirement to get consent for cookies has not changed as a result of Brexit, and won’t even go away automatically following the actual leave date, whenever that may be.
Although the basis of the law is an EU Directive, the rules in the UK (and in every other EU country) have been written into local law. In the case of the UK these are the Privacy and Electronic Communications Regulations (PECR). As long as PECR remains unchanged in the UK, the cookie consent rules will stay in place.
Of course the UK may decide to change PECR at some point, (and will almost certainly need to anyway) but it is probably safe to say that this will not be the highest priority of a post-Brexit government. The irony of the situation is in fact that the EU was already in the process of reviewing the ePrivacy Directive, which contains the cookie rules at EU level. It seems much more likely now that this reform, whatever shape it takes, will be completed before any change in UK law.
The bigger issue for cookie consent in the future is the imminent EU General Data Protection Regulation (GDPR). The GDPR is directly applicable and will be an enforceable law before the UK leaves the EU, which means it will immediately apply to the UK until the date of any exit.
The GDPR is a much broader legal instrument, and by specifically including cookies in its definition of what constitutes personal data, many of its requirements will almost certainly lead to an effective tightening up of cookie consent – in particular imposing stricter opt-out (or perhaps even opt-in) cookie consent rules.
Of course, after the UK leaves the EU, the GDPR will no longer directly apply. However, because GDPR protects EU citizens regardless of where information is handled, and because the UK will need to have the ability to freely move personal information out of the EU, we will be required in some way or another to modify UK laws to provide equivalent protection. Without this the EU could block such data flows, which would be hugely damaging to the UK economy.
The UK Information Commissioners Office (ICO) has already made this clear in its own referendum result press release.
Cookie consent in the UK isn’t going away, and is in fact likely to become even stricter in the future.