Cookie Consent after Brexit - What can we expect in 2021?

November 24, 2020



The end of the Brexit transition period is quickly approaching – and businesses are wondering if their data strategy will still be compliant with the law in 2021. In fact, what effect will the UK’s withdrawal from the EU have on data protection regulation and compliance? In this article, Usercentrics will sum up some of the most important aspects you need to consider. 

As of November 2020, there are three different laws in the UK that apply simultaneously:

·        The GDPR (which still applies during the transition period).

·        The new UK GDPR (which is merely a matter of form and took effect on exit day, January 31, 2020; there is indeed very little difference between the EU GDPR and the UK GDPR).

·        The Data Protection Act 2018 (in an amended version which also took effect on January 31, 2020).

If you’re a UK based business that is currently processing personal data, or a business outside the UK that is targeting UK users, then you’re very likely to be affected by the changes that are coming with Brexit.

But what exactly will happen after the transition period?

Right now, it is unclear whether Britain will follow GDPR principles or adopt other rules that could affect the handling of user data. However, there is substantial reason to expect British regulation to follow basic GDPR principles. The only thing we know is that the Data Protection Act 2018 will essentially incorporate the GDPR into UK law.

It has also yet to be determined whether the UK will continue to be a “safe third country” after 2020 or not. In order to be classified as a “safe third country” the UK has to pass an adequacy assessment by the European Commission, which has the power to determine if a country outside the EU offers an adequate level of data protection through its domestic law or its international commitments. If adequacy is granted, personal data can flow safely from the EEA to that third country. Until a final decision is made by the EU Commission, data transfers will be subject to restrictions. 

Recommendations regarding Cookie Consent

Besides the GDPR, the UK also implemented the ePrivacy Directive, making cookie banners legally required for any website long before the GDPR came into force. That’s why it’s probably a good time to take a closer look at the recommendations of the ICO regarding Cookie Consent and Cookie Banners.

The most crucial points are:  

·        Businesses should implement the same GDPR-compliant consent mechanism for UK users until a new regulation is set in place.

·        Businesses need to ensure that any consent mechanism they put in place allows users to have control over all the cookies the website sets.

·        Consent cannot be bundled into terms and conditions or privacy notices. Businesses should be upfront with their users about their use of cookies. They should obtain consent by giving the user specific separate information about the way the cookies (or similar technologies) work and what they will be used for. This explanation must be clear and easily available. 

·        Consent requires a positive opt-in. Pre-ticked boxes are not compliant with the GDPR.

·        Withdrawing consent must be just as easy as providing consent.  

·        Businesses need to name any third-party controllers who will rely on the consent.

·        Businesses must keep evidence of consent – who, when, how, and what users agreed or did not agree to. 


Even though the pandemic has delayed progress, you should still err on the side of caution and make sure that you are prepared for 2021 by getting your website GDPR compliant. A Consent Management Platform (CMP) can help you to obtain and manage the consents of your website users in compliance with applicable laws, boost your users’ trust, protect your advertising revenue as well as protect your company from hefty fines.