19 August 2025
Host Rhiannon Webster is joined by Ashurst colleagues Nicolas Quoy and Shehana Cameron-Perera to discuss how the Data (Use and Access) Act 2025 amends Privacy and Electronic Communications Regulations (PECR) and changes marketing practices and uses of cookies.
Shehana provides a snapshot of the amendments to PECR and what these mean for marketing practices. She also runs through the list of cookies that PECR now categorises as "strictly necessary cookies" and explains that, for analytics and appearance cookies, there are additional exceptions from obtaining consent.
Nicolas draws some constructive comparisons between French and UK marketing and cookies practices and regulatory approaches and describes the EU’s enforcement approach which attracts substantially higher fines. Whilst the Data (Use and Access) Act appears to bring the UK in line with France from a cookie perspective, there are probably still differentiations across Europe which will require a country-by-country approach when looking at cookie compliance.
Rhiannon explains how the Data (Use and Access) Act has aligned enforcement powers under PECR to the UK GDPR, and how this might inform compliance efforts and impact the ICO's approach to fining, particularly for marketing infringements.
To listen to this and subscribe to future Data Bytes episodes, search for “Ashurst Legal Outlook” on Apple Podcasts, Spotify, or your favourite podcast player. To explore more from Ashurst’s podcast library, visit ashurst.com/podcasts.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to. Listeners should take legal advice before applying it to specific issues or transactions.
Rhiannon:
Hello, I am Rhiannon Webster, Partner and Head of Data and Cyber Security at Ashurst. Welcome back to our Ashurst Data Bytes Podcast, and the next episode in our Data (Use and Access) Act series, where we'll be talking about what changes the Act makes to marketing and cookies.
As we mentioned in our very first episode, the UK data protection regime is now a patchwork of different pieces of legislation. We've got the UK GDPR, the Data Protection Act 2018, and now the Data (Use and Access) Act. But to make that web even more complex, we also have the Privacy and Electronic Communications Regulations, which we refer to as PECR, which govern electronic communications, so things like cookies, similar technologies and electronic marketing in the form of live and automated calls, texts and emails. And the Data (Use and Access) Act amends some provisions of PECR. So practically, that means that when you are using cookies or carrying out marketing, you need to ensure compliance with that piece of legislation.
Without giving too many spoilers right off the bat, the changes to PECR made by the Data (Use and Access) Act will have considerable impact on your risk appetite to marketing and on the ways in which you approach cookies and need to collect consent. Therefore, I would recommend that you share this episode with your marketing teams or any other teams that are responsible for categorising cookies and operationalising the cookie opt-ins.
Today, I am delighted to be joined by Nicolas Quoy, a Partner in our Digital Economy practice in Paris, and a new guest to the podcast, and to welcome back Shehana Cameron-Perera from our London Data Protection Team.
So, to set the scene, Shehana, can you outline what key changes the Data (Use and Access) Act makes to PECR?
Shehana:
Of course. And just to start and open with, marketing and cookies have always been one of those areas which, from my many secondment experiences, can often lead to tension between the privacy legal teams and the marketing teams. And it's that balance between the legal position of what is or isn't allowed versus the business's risk appetite, acknowledging that the marketing and the cookie side is the revenue-building side which generates analytics insights. Frankly, I'm glad to be back talking about this topic, Rhiannon.
And just to open it all up, there is a flurry of amendments to the definitions in PECR:
Starting with the definition of a call, which is amended to include calls which attempt to establish a connection, not just answered calls.
Similarly, the definition of a communication is amended to be information that's been transmitted rather than just being exchanged or conveyed. And that means that they now cover texts and emails that have been sent but may not have been necessarily received.
Dovetailing with those amendments is the amended definition of a recipient of a communication, which includes intended recipients.
The takeaway from those changes is that PECR will now apply to communications and calls that aren't received but are intended to be.
Other changes that I wanted to touch on:
we've got the definition of direct marketing in the Data Protection Act 2018. That's now been brought into PECR.
Charities have a new soft opt-in rule;
we've also got the alignment of notification of PECR security breaches, and that applies to public electronic communication service providers and it essentially aligns the notification timeframe to that of the UK GDPR on the 72-hour timeframe.
Rhiannon:
Thanks, Shehana.
So, as we start to discuss the more substantive changes which affect cookies, I'd like to bring in Nicolas. So to set the scene in the UK, the current position across both the UK and Europe, actually, is that you need to obtain consent for all cookies unless you can rely on the strictly necessary exemption - in the UK to date, the ICO has interpreted that very narrowly, in that the cookie has to be essential to provide the service that the subscriber or user requests. Is that the same in France, Nicolas?
Nicolas:
Hi, Rhiannon. Yes. The principle under French law is similar. The installation of cookies that are not strictly necessary for the functioning of the website requires the user's prior free, informed, and specific consent. This consent must be obtained before any cookies are placed or read on the user's device. Simply continuing to browse the website cannot be considered a valid expression of the user's consent.
Cookies that are exempt from consent are those that are strictly necessary to provide a service which is expressly requested by the user. For example, as per the CNIL's position, shopping cart cookies on a merchant site, authentication cookies including those aimed at ensuring the security of the authentication mechanism (for example, by limiting automated or unexpected access attempts) or trackers for customising the user's interface, for example, for language selections might be exempt.
Rhiannon:
So that's quite interesting because I think in the UK some of those cookies to date would not have been considered essential and would therefore require consent.
So Shehana, what's the position then going to be in the UK?
Shehana:
Well, the Data (Use and Access) Act has amended PECR, and it's really clarified, and it sets out a list of what will be deemed strictly necessary cookies. So, to roll them all off, we've got:
cookies that ensure the security of the terminal equipment;
cookies that prevent or detect fraud, or detect technical faults;
cookies that automatically authenticate the identity of the user. So that's seemingly akin to the CNIL's approach that Nicolas just talked about; and
cookies that record information or record selections that the user has made on an online service.
Rhiannon:
Okay. So, it seems like the UK is coming more in line with France in that sense. And Nicolas, are there any other exceptions in France other than for strictly necessary cookies? Or does consent always need to be collected for the other cookies?
Nicolas:
Yes. There are other exceptions. For example, cookies used solely for measuring website or app audience can also be exempt from the user's consent if they are strictly limited to anonymous statistical purposes and used for the exclusive benefit of the publisher. For example, cookies used for performance, measurement of the site, detecting navigation issues, optimising technical performance or usability, estimating necessary server capacity, or analysing viewed content can be exempted.
These audience measurement cookies must be used solely to produce anonymous statistical data. These cookies must not enable tracking of a user across multiple sites or apps. Likewise, personal data collected may not be combined with other processing or shared with third parties as these operations are not necessary for the functioning of the service.
Rhiannon:
Great. So, I think, Shehana, that feels like the UK is coming into line with what the French had already done. Would you agree with that statement?
Shehana:
I completely agree. And I think it's funny because we always consider the ICO to be the pragmatic/the pro-innovative regulator, so we seem to be following the CNIL's lead here. That's because the Data (Use and Access) Act has now introduced additional exceptions from obtaining consent. And that means that we now have cookies that we can:
And for the analytics and the appearance exceptions, users still have to be given information about those cookies, and they still need a means to object. So even though you don't need to ask for consent for those cookies off the bat, you still need to give a means to object.
Rhiannon:
So, what would you say the key takeaway is then for organisations?
Shehana:
Well, I think we've clearly got welcome changes and clearly also catching up with our French counterparts. With all being said, there's still likely to be differentiations in approach with other EU jurisdictions, so I think that's going to make it difficult to take a homogenised EU approach to cookies, unfortunately.
Rhiannon:
It's true. I mean, we've only been comparing there with France, but there are probably differentiations across Europe and all the different member states about their interpretation of what an essential cookie is and what isn't. So, it still needs a country-by-country approach when looking at cookie compliance.
So, let's move away from cookies and, slightly sarcastically, saving the best for last! The Data (Use and Access) Act has aligned enforcement powers under PECR to the UK GDPR. So, what that means is, before, PECR capped fines at £500,000, but now they can be up to £17.5 million or up to 4% of worldwide annual turnover. So, what does this mean? And what do we think that the ICO will do in terms of enforcement for PECR?
Well, I think we need to look backwards before we can look forwards. There has been a focus from the ICO in looking at the uses of cookies on websites and also for marketing, but I'll take the cookie bit first.
We've seen the ICO do cookie audits. They started with the top 100 websites, then they went to the top 200 websites and most recently in accordance with their online tracking strategy, which they announced in January, they are looking at the UK's top 1,000 websites for cookie compliance. And what that's meant in practice is they've done a cookie sweep of websites, spotted non-compliance and then written to those companies asking them to rectify the changes.
They haven't yet fined an organisation for its use of cookies in non-compliance with PECR. The only enforcement that we've seen in the UK was a reprimand against Sky Betting and Gaming in 2024. But they're definitely willing to flex their powers in relation to the use of cookies in websites.
If you then look at marketing infringements, so by those I mean emails sent which are not in compliance with PECR, they've been much more willing to flex their fining powers. 71% of ICO enforcement last year was in relation to marketing infringements. But fines don't tend to be that high; although fines were capped at £500,000, the highest fine in 2024 was £150,000 to Poxell Ltd for making over 2.6 million unlawful marketing calls. So, it's not as if it's a particularly high-fining area, but there is a prevalence of fining.
So, it would be very interesting to see whether the ICO do fine higher and more now in relation to the new powers that will be given to them under the Data (Use and Access) Act. But keeping with our theme, should we do a bit of a comparison with France?
So Nicolas, how has the CNIL typically looked at enforcement and fining of both cookies and marketing?
Nicolas:
Thanks, Rhiannon. Yeah. In the EU, in particular in France, violation of the cookie regulation is sanctioned heavily. Shein, a global giant in ultra-fast fashion e-commerce, is currently at the centre of a sanction procedure initiated by the CNIL.
So, what is Shein being accused of? Since 2022, based on multiple complaints, the CNIL has conducted several inspections of the Shein.com website. The investigation revealed serious violations:
In addition, Shein did not cooperate sufficiently with the CNIL. So, following the investigation, the CNIL-appointed rapporteur recommended an administrative fine of €150 million against Shein for serious violation of the GDPR. The sanction is not yet final. It must be reviewed by the CNIL's committee, which is the only body which is authorised to impose such a penalty.
Rhiannon:
Wow. So that's quite a different ballgame compared with the UK if we compare our top fine of £150,000 versus €150 million. And it's not the first time the CNIL have heavily sanctioned a company, is it?
Nicolas:
Yeah, indeed, Rhiannon. For example, on December 29, 2023, the CNIL fined Yahoo EMEA €10 million. This fine sanctioned Yahoo's failure to respect its obligation to obtain the user's consent before any commercial cookies were placed on their device, and its failure to respect the choices of users who refused cookies.
Besides, other aspects of marketing communications are also under scrutiny. For example, in a B2C relationship, email advertising is permitted provided that individuals have explicitly given their consent before being solicited. Consent must be freely given, specific, informed, and unambiguous. To be valid, it requires a positive and specific action, i.e. ticking a dedicated checkbox that is not pre-checked. Simply accepting general terms and conditions is not sufficient.
And on May 15, 2025, the CNIL imposed a €900,000 fine on Solocal Marketing Services. The main reason for the fine was that the company had used personal data for marketing purposes without obtaining valid consent from the individuals. Solocal had sourced this data from brokers and used it in electronic marketing campaigns but failed to ensure that the individuals whose data was used had given their free, informed, and specific consent.
Rhiannon:
Thanks, Nicolas. It just feels like a very different risk profile then between France and the UK. Because I think from my own perspective with clients, although they do try and get it right, there isn't a huge compliance drive from within organisations because the ICO, although they've been writing letters, haven't actually had any significant enforcement action. But it seems very different in France on both the marketing, the email marketing side, and on the cookie side.
So I think our key takeaways for this for our clients is that there are welcome changes in the Data (Use and Access) Act when it comes to cookies - there will be a category of cookies that no longer require consent (the analytical side) and we expect the ICO to produce some guidance on exactly what those look like.
However, the risk profile for marketing, including the use of cookies, is going up because the fines that could be imposed by the regulator could now be up to £17.5 million or 4% of annual worldwide turnover. And we've also got the issue of a real patchwork of laws because websites do not tend to be just one particular country, they tend to be global in nature, or at least European focused. So, you might have different laws and different types of cookies having different requirements in different neighbouring countries across the UK and Europe.
Shehana:
So my takeaways are that, firstly, whilst these are clearly welcome changes for UK organisations, they're unfortunately not yet in force and are likely not to come into force until this December or perhaps even early next year, along with the substantive data protection provisions that we talked about on podcast episode one (if you've been listening). And then secondly, we're clearly catching up with our French counterparts, but there's likely to be differences in approaches with other EU jurisdictions. So, I think it's going to make it difficult to take a homogenised EU approach to cookies.
Rhiannon:
Nicolas, Shehana, thank you so much for joining me and providing such practical insights. And thank you for listening to our podcast. Please do share the podcast with interested colleagues and look out for the upcoming podcasts on the Act, which we're aiming to release every week. Thank you.