In addition to the GDPR, separate legislation applies to the use of cookies. While changes have been proposed, they are still in draft form. For more information, see “Electronic Privacy Legislation”.


What the existing law says

The current key provisions regarding cookies are:

  • Cookies – The current law requires websites to inform users that they set cookies, and to explain what those cookies do and why. Websites must obtain a user’s consent for non-essential cookies, although this can be implied (depending on how intrusive the cookies are).
  • Browser cookie consent choices – While the PECR allows for browser settings as a means of obtaining consent, there is not a requirement for browsers to provide consent choices.


What the draft new law says

The key changes proposed by the new legislation are:

  • Cookies – The consent for the use of cookies will be tightened to meet the same standard required under the GDPR which means that there must be a clear affirmative action. This means that websites which use pop-up banners assuming consent from continuing use of the website will likely need to be amended. The rules on cookies will also apply to the process known as “device fingerprinting” (attributing unique identifiers to users based on their device or browser configurations without actually setting a cookie).
  • Browser cookie consent choices – The draft legislation requires users to be provided with cookie consent choices as part of their browser software set-up. This approach appears to try to move the consent requirement away from individual websites to the browser providers (which could see an end to the need for cookie banners), though there appears to be little appetite from regulators to accept browser settings as sufficient. This provision is also drafted in very broad terms and includes any software that permits electronic communications, potentially capturing a broad range of other devices, which could include the Internet of Things.
  • Increased territorial scope – The proposed ePrivacy Regulation applies to organisations anywhere in the world which provide publicly-available electronic communications services to, or gather data from the devices of, users in the EU.
  • Wi-Fi / device location tracking – The proposals contain new provisions relating to Wi-Fi / device location tracking although there is currently some debate about whether such tracking should require express consent or whether an opt-out mechanism will be sufficient.


The legislation is still being negotiated, and this page will be updated following further developments.