Data Protection

Don’t let your cookie compliance crumble

Although a whole year has passed since the ICO published updated guidance on the use of cookies, a significant number of websites targeting UK users remain non-compliant. Raj Shah looks into how you can ensure cookie compliance.



Although a whole year has now passed since the UK’s privacy regulator, the Information Commissioner’s Office (ICO), published updated guidance on the use of cookies, a significant number of websites targeting UK users remain non-compliant with the latest legislation and guidance. While many online businesses have updated their respective websites’ privacy notices to comply with the General Data Protection Regulation (GDPR), the requirement to apply an equivalent standard of consent when setting cookies on those websites is frequently overlooked.

The closure of businesses’ physical premises during the ongoing COVID-19 pandemic has led to a surge in the reliance on online operations. It is therefore important to ensure your website’s use of cookies and its cookie notice meet the latest requirements, particularly since the ICO has stated that it is increasingly prioritising the regulation of cookie compliance. Remember, all the ICO needs to do to identify cases of non-compliance is simply to visit the relevant website.

What are cookies?

Cookies are small text files made up of letters and numbers, and which are downloaded onto the devices of visitors to a website. They enable the website to remember information regarding those visitors’ activities on the site (such as remembering the contents of shopping baskets or identifying a visitor who has navigated to the site previously). They are also commonly used to target advertising at website visitors depending on browsing history or other preferences.

What are the latest requirements?

The law on cookies as it stands currently derives from 2011 amendments to the Privacy and Electronic Communications (EC) Directive Regulations 2003 (PECR). Under the PECR, operators of websites that set cookies on users’ devices must inform users of the presence of those cookies and explain what those cookies do and why. This is usually set out in a website’s cookie notice.

The PECR additionally require that websites only set cookies on visitors’ devices in one of two circumstances:

  • the cookies are strictly necessary – that is, cookies used for technical purposes to allow the communication to take place or provide a service the website visitor has requested (for example, authentication cookies, cookies used to set languages, and cookies for load balancing); or
  • the visitor has been given clear information about the relevant cookie’s purpose and has consented to the download of that cookie onto their device. The standard of consent must now align with the GDPR’s requirements, constituting a freely-given, specific, informed, and unambiguous indication of the website visitor’s consent, which is made clear by an affirmative action.

In practice, this means that many cookies commonly set by websites, such as analytics cookies, social media plug-ins, adtech cookies, and cookies tracking interactions with marketing emails that link to webpages will need to be consented to before they can be set. It also means that, once consent to those cookies has been obtained, website visitors must be able at any time to withdraw that consent as easily as they gave it.

What this means your website cannot do

The above means that pre-ticked boxes or equivalent devices (such as sliders defaulted to ‘on’) must not be used for cookies that are not strictly necessary, and that visitors must have control over any such non-essential cookies. Non-essential cookies cannot be automatically set on landing pages before consent has been obtained from the website visitor. Despite the ICO’s guidance, many websites remain non-compliant with this requirement and continue to set analytics cookies without having first explained what these are in a clear way and having provided an opportunity for visitors to consent to them.

Some websites have attempted to address this by implementing cookie banners that state that consent is impliedly given if visitors continue to browse the website. This is unlikely to represent valid consent under the new GDPR standard. Cookie walls that block users from accessing the site entirely before they consent to cookies are also problematic, since it is difficult to demonstrate that consent has been freely given and is specific to certain cookies.

It should also be noted that the ICO is not sympathetic to ‘nudging’ techniques designed to spur visitors into selecting particular options for cookies (for example, by making an ‘Accept all cookies’ button much bigger or brighter than a button that allows visitors to reject certain cookies or manage their cookie preferences).

Ensuring cookie compliance

If your website doesn’t meet the requirements described above, now is the time to undertake an audit of the cookies it uses. Not only will this allow you to verify whether there are any cookies not covered by your existing cookies notice, but you will also then be in a position to determine which are strictly necessary for your website’s operation and which are non-essential and require visitors’ consent. Mechanisms can then be put in place to obtain this consent in a fair and transparent manner. Our data privacy team can advise on solutions to implementing these mechanisms, as well as reviewing and redrafting cookie notices.

A new EU regulation on the subject is currently in the works and will almost certainly include updated rules on the use of cookies. If that regulation is applicable to the UK (which may depend on what kind of relationship the UK and the EU have after the end of the Brexit transition period), then further amendments to your website may be required. By revisiting your cookie practices and policies now, however, you will be better placed than most to ensure your website is compliant with the latest privacy legislation.



You are contacting

Raj Shah

Senior Associate



    Please add your details and your areas of interest below

    Specialist sectors:

    Legal services:

    Other information:

    Jurisdictions of interest to you (other than UK):

    Article contributor


    Subscribe now
    ExpandNeed some help?Toggle

    Get in touch

    Get in touch using our form below.