UK Shifts To Opt-Out Model For Cookie Consent


Earlier this year, the UK government announced its plans to legislate against the hordes of cookie banners and pop-ups prevalent across the modern web – but it didn’t say exactly how it planned to do this while still getting users’ permission to drop cookies.

Now the government has revealed its strategy – stop asking for permission.

As part of its post-Brexit Data Reform Bill, the government will switch from an opt-in mandate for cookies to an opt-out model, meaning that publishers can drop cookies on users’ browsers without asking for consent first. However, this rule won’t apply to websites that are likely to be used by children.

Under the opt-out model, users can block non-essential cookies at the browser level or use a similar technology that sets preferences across multiple websites. And they’ll still be able to reject cookies for individual websites. The difference is that they will have to choose to do so actively – and websites will be able to drop cookies until they receive that explicit opt-out signal.

Summary of significant changes

Some of the key headlines:

  • Accountability: An overhaul of the accountability framework and replacement with a privacy management program – although, in practice, organizations that are already compliant with UK GDPR accountability requirements will not be required to make further significant changes, which presents some flexibility for businesses.
  • Cookies Consent: In time, the UK will move away from cookie consent to an opt-out model, along with further exemptions for non-invasive cookies. 
  • DSARs: Introduction of exemption from DSARs where vexatious (ICO guidance on this will be interesting in time).
  • Legitimate Interests: Limited exemptions to the legitimate interests balancing test – details to follow, but it seems that existing rules will continue to apply for most processing.
  • International Transfers: More flexibility in process for UK adequacy decisions of third parties and scope to introduce additional international transfer mechanisms (although no details yet). 
  • ICO governance reforms: A mixed picture here, but certainly more opportunity for the government of the day to influence ICO priorities.

There were also clear developments to support the greater use of AI technologies. This included the right to use special category data to train AI algorithms. However, further details about key elements of regulating AI are to follow in the government’s AI governance white paper due to be published soon.

The UK’s approach is markedly different from that taken by the European Union, which requires specific opt-in consent.

Theoretically, this is a big difference for the UK. While third-party cookies are being deprecated anyway, first-party cookies will still play a significant role in ad personalization and measurement – and the UK publishers will be able to drop these cookies more freely in the future. So potentially, we’ll see a big gap open up between the ability of publishers to target and measure their ads in the UK compared with the EU.

But the difference may not be quite so big for a number of reasons.

Although they seemingly violate the EU’s General Data Protection Regulation, many websites still use cookie consent mechanisms that either use dark patterns to encourage users to opt-in, or simply haven’t switched to a true opt-in model (e.g, still telling users that their continued use of the website is taken as consent for use of cookies).

The EU is cracking down on this with the Digital Services Act. Nonetheless, for the time being, at least, it can be argued that many websites’ opt-in models are closer to opt-out models, at least in terms of the number of users who end up giving consent.

Other forces could end up rendering the UK’s move somewhat obsolete anyway. The government’s proposal says it will only move to an opt-out model once technologies that allow mass blocking cookies are widely available and functional. But web browsers, which are by-and-large pushing into privacy, could choose to set ‘reject all’ as the default option for non-essential cookies within these tools anyway (which is already the case on Safari).