Mishcon de Reya

Fines for cookie contraventions more likely as a result of law change

Posted on 2 July 2025

The Data (Use and Access) Act 2025 (DUAA) will make some significant changes to the enforcement regime for cookies and direct electronic marketing. The increase in the maximum fine, from £500,000 to £17.5 million or 4% of global annual turnover (whichever is higher), has received some attention. However, another change, which will make it much easier for fines to be issued for cookie infringements, is potentially of more significance, and it has received surprisingly little notice.

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) is the primary law when it comes to cookies and direct electronic marketing. When the GDPR (now the UK GDPR) came into effect in 2018, the Data Protection Act 1998 (DPA98) was repealed, except that its enforcement sections remained in place for PECR infringements.

Under section 55A of DPA98, as modified by PECR, the Information Commissioner's Office (ICO) may fine a person if it is satisfied that there has been a serious contravention of the cookie provisions in regulation 6 of PECR by that person, that the contravention was of a kind "likely to cause substantial damage or substantial distress", and that the contravention was either deliberate or the person negligently allowed it to happen. The requirement for a contravention to be likely to cause "substantial damage or distress" originally applied to direct electronic marketing contraventions as well, but that requirement was removed by secondary legislation in 2015.

The upshot is that, as the law currently stands, a cookie contravention would have to be both serious and likely to cause substantial damage or substantial distress before the ICO could even consider issuing a fine. It is difficult to imagine that many, if any, contraventions would meet that threshold. 

All that is set to change under the DUAA: once its section 115 and schedule 13 are commenced (at a date yet to be announced), both PECR and the Data Protection Act 2018 will be amended so that any contravention of regulation 6 of PECR is potentially subject to a fine. The ICO will still have to have regard to factors such as the nature, gravity and duration, and the intentional or negligent character of the contravention, but there will be no seriousness threshold and no "harm" threshold. 

So, does this mean that, when the amended powers come into effect, the ICO will be issuing a swathe of cookie fines? That seems unlikely: although the ICO has adopted an "online tracking strategy", which involves assessing some large websites' compliance, there has been no indication that this strategy will lead to multiple fines being issued.

However, the possibility cannot be ruled out, especially if the ICO were to encounter cookie contraventions which are serious and egregious. 

Thanks are due to Tim Turner of 2040 Training, who first drew the author's attention to this topic. 
