The new cookie conundrum

19 November 2021

Potential reforms to UK data privacy laws will change the way that cookies work on websites - businesses need to prepare now.

One of the key benefits of Brexit, according to the Government and other supporters of the break with the EU, will be that Britain can diverge from the GDPR and draft its own, possibly less burdensome, data protection laws.  The UK government wants to balance consumer rights with what it describes as “innovation and economic growth”.

In August, the then culture secretary Oliver Dowden told the Daily Telegraph: “There’s an awful lot of needless bureaucracy and box ticking and actually we should be looking at how we can focus on protecting people’s privacy but in as light a touch way as possible.”  He went on to give an example of churches being prevented from sending parish newsletters which advertised jumble sales because this could be classed as marketing and therefore would require prior consent from recipients.

Mr Dowden also revealed plans to remove, in all but the most sensitive cases, what he described as the “endless” cookie banners that pop up, asking for permission to store personal information about site visitors in order to comply with existing cookie legislation.  Already some UK-based sites are developing their own non-standardised pop-ups.  

Assuming that the UK Government manages to turn its proposals into law, businesses operating in the UK will have more freedom to establish their own cookie settings.  They will be subject to less bureaucracy and should be able to collect more information more easily.  The UK Government is also working to sign data privacy agreements with countries including the US, Australia, South Korea and Singapore, with the aim of reducing the red tape required to transfer personal data to those jurisdictions legally.

However, critics of the Government’s proposals argue that they emphasise the interests of businesses and offer too little to protect the privacy of individuals. “God knows there are some areas of privacy law and data protection regulation we could tweak for the better of everyone involved,” Heather Burns, policy manager at Open Rights Group, a UK campaign group protecting digital privacy, told Wired magazine, recently.  But she added: “This is deregulating privacy laws and data protection safeguards in the commercial interest of industry.”

The UK’s proposals go further in terms of benefit to businesses than those currently under consideration by the EU.  Some commentators believe that this is just the first step in a movement away from the EU data protection regime.  Could this result in such a divergence from EU law that the “adequacy” currently granted to the UK for in-bound data transfers from the EU ends up being challenged?  

This is a valid concern.  When the adequacy deal was agreed, Vera Jourova, the European Commission’s vice-president for values and transparency, said: “We are talking here about a fundamental right of EU citizens that we have a duty to protect. This is why we have significant safeguards and, if anything changes on the UK side, we will intervene.”

Confrontation with the EU aside, will consumers be happy to allow analytics cookies to be stored locally, for instance, without their consent and what will their attitude be to marketing cookies?  It’s early days but market research on public attitudes offers some clues.  

In 2018, almost half of UK adults told a survey by Deloitte that they were “very concerned” about the use of personal data.  However, by the middle of last year that number had halved to just 24 per cent.  On the other hand, according to a survey published by Ofcom in 2019, 41 per cent of those asked had tried to stop websites from displaying adverts, even those that were relevant to them, and over a third (36 per cent) had actively deleted marketing cookies in order to do so.

Generally, research shows that consumers are especially willing to share their privacy via cookies if they view the product or service in question to be important, for example if it lies within the healthcare or financial services sectors.

The UK GDPR might well result in a Brexit dividend for UK business and consumers alike or it could simply impose more red tape when doing business with Europe.  One thing is certain – businesses need to start thinking now about their cookie policy and ensure that they receive professional advice, not only to avoid fines, but to make the most of the new opportunities that these changes will offer.


If you would like any further information or advice about the topic discussed in this blog, please contact our Corporate and Commercial team.



David is a partner in the Corporate & Commercial team.  His practice covers all aspects of corporate law, advising owner-managed and venture-backed businesses, investors and management on transactional matters.  He also advises on restructuring, LLPs / partnerships and corporate governance matters.

Andrew is a legal counsel in the Corporate & Commercial team. He has a broad range of expertise in corporate law, regularly advising in respect of share and asset sales, investments and share options (in particular EMI schemes). His commercial practice is focussed on drafting and negotiating technology contracts, although he also advises in relation to a wide range of commercial issues, such as intellectual property, branding, data protection and sponsorship arrangements.


Share insightLinkedIn Twitter Facebook Email to a friend Print

Email this page to a friend

We welcome views and opinions about the issues raised in this blog. Should you require specific advice in relation to personal circumstances, please use the form on the contact page.

Leave a comment

You may also be interested in:

Skip to content Home About Us Insights Services Contact Accessibility