Cookie tools and cookie laws

A UK digital marketer’s guide to achieving compliance for your business without killing marketing effectiveness

Introduction

Marketers are faced with a huge problem when it comes to cookies. The choice you may think you face is either:

to comply with regulations and lose access to customer data that’s vital for making business-critical marketing decisions; or
don't fully comply, get the data you need, but risk a hefty fine.

The aim of this guide is to show you how you, as a marketer, can (pretty much!) have your cake and eat it.

We’ll guide you through what you need to do to comply and how to minimise the impact on your marketing capabilities.

Note: this non-legal guide is aimed as businesses (whose primary focus will be ensuring their marketing activity is compliant) rather than publishers (whose primary concern will be ensuring they can maximise ad revenue whilst remaining compliant).

Looking for the Attacat Cookie Audit Tool?

Attacat used to offer a highly popular free cookie audit tool. Instead we now offer this comprehensive resource to help marketers with cookie compliance.

The tool made it incredibly easy to achieve a reasonable level of compliance. However privacy laws are now much more complex and the demands on businesses are now much higher. This guide takes the same approach the tool took of demystifying and pointing businesses to practical solutions.

As part of the guide, we review the tools that are out there that do the same job our tool used to do, as well as all the additional cookie compliance.

What you need to know in brief

Please note: we are not lawyers! Use this guidance entirely at your own risk. Please consult a lawyer before implementing any suggestions in this document!

You will be placing cookies on your users devices and if you aren’t getting their explicit and granular consent, you are almost certainly not complying with EU laws.
Most UK brands are failing to comply with cookie laws but increasing numbers are now investing in compliance as privacy-related fines increase
A cookie banner on your site is not enough. Many banners are non-compliant anyway.
The best way to comply, without destroying your analytics data and massively restricting the advertising options open to you, would be to take a bespoke and progressive approach to gaining consent.
An easier, but probably less compliant route, is to make use of available cookie tools.
Our particular favourite tool is CookiePro
Whatever route you take, you need to understand what risks you are exposing your organisation to and how to eliminate or at least reduce them without destroying your marketing potential. This guide aims to do that!

Chapter 1 - About cookies

Why you should care about cookies

If you’re an organisation doing any sort of marketing, you’re almost certainly putting cookies on people’s computers and devices. Like or not, you can’t just do that willy-nilly anymore. So you need to understand what cookies you’re using, how you’re using them, and why, to ensure you don’t end up facing a GDPR-fine, or a privacy-related PR disaster.

Don’t think this applies to you? Do you use Google Analytics, or similar? If so, it applies. Have you embedded a YouTube video into a blog post at some point? It applies. Do you have social buttons on your site? It applies. And that’s before we even broach the issue of adverts and digital advertising. If you’re doing that, it definitely applies.

Almost every time you visit a website, you’re faced with the misery of cookie consent banner. But guess what? A large number of these banners are not in compliance with legislation. That potentially leaves many website owners open to massive fines and yet the industry continues to bury its head in the sand on the issue.

Cookies, as a technology, are on the way out but it will still be some time before they are gone altogether. Until then, you need to comply.

What are cookies?

Okay, so cookies are probably an issue for you as a website owner. But what actually are they?

A computer cookie (also known as an HTTP cookie, a web cookie, an internet cookie and a browser cookie) is a packet of data, which is sent by an internet server to a browser. Your computer stores the cookie in a file located inside your web browser, and it’s returned by the browser every time it subsequently accesses the same server - that is, the cookie is used to identify the user, or track their access to the server. In even simpler terms, cookies help to track users and visits to a website.

It’s not quite as simple as that, of course, and cookies come in many shapes and sizes. Some are essential for running a website efficiently - let’s call these ‘good’ cookies. Others track users across the internet, allowing advertising to be tailored to them. These kinds of cookies and others build up knowledge about you without your knowledge and sell it to the highest bidder. Let’s call these cookies rather “naughtier” and, in some cases, beyond indecent. It’s these cookies that are at the centre of an on-going debate.

Cookies are a pretty important issue. You want to collect information about how people are using your website, and understand how to market effectively to both existing and potential customers. But you also want to be careful about how you gather, store and use people’s personal information. And, of course, you want to avoid breaching any laws or having to cough up for fines if you’re found to be flouting the rules - and thanks to General Data Regulation Protection (GDPR) introduced in the European Union in 2018, the fines are higher than they once were.

So, there’s more than meets the eye when it comes to cookies. If you’re a website owner or marketer, these seemingly innocuous little pieces of data are something you should care about, as they can have a big impact on your business and your customers.

Types of cookie

As a business, it’s crucial that you understand the different types of cookies. You’re allowed to place some types of cookies without permission from site users, but for other cookies, you need explicit permission. Getting this wrong can put you at risk of big fines, so it’s important to know what you’re dealing with.

We can classify cookies in three different ways: what they’re for, how long they last, and where they come from.

Provenance

First-party cookies: These are put onto a user’s device directly by the website they’re visiting.
Third-party cookies: These cookies are put onto a user’s device not by the website they’re on, but by a third-party source, such as an advertiser or a social network.

Duration

Session cookies: These are temporary cookies which expire when your session ends, or when you close your browser.
Persistent cookies: This covers cookies that remain on your hard drive until they’re erased, either by the user or by the hard drive. All persistent cookies must have an expiration date written into their code and you’d need to make a strong argument for setting it any longer than 12 months.

Purpose

This is where it becomes less definitive but the "what your cookies are actually being used for" part is the bit you really need to get your head round before you are going to be able to devise your cookie compliance strategy.

As part of that people tend to try to group cookies into functions. Here's one quite common way of grouping them

Essential cookies: These are necessary for users to use a website. For example, if you’re browsing a site and add an item to your basket, cookies ensure you won’t lose the item when you navigate to another page.
Functionality cookies: This type of cookie means a website can remember actions a user has taken in the past, for example, storing login details so it’s quick and easy to access the site.
Statistics cookies: These cookies collect information about how users use a website, including what pages are visited and what links they click on. Google Analytics cookies fit into this category.
Marketing and advertising cookies: These track the online activity of users, sometimes across huge numbers of websites to build up profiles of users which help marketers deliver more relevant marketing and ads to users. This also includes limiting the number of times a given user sees the same advert. In our view lumping all marketing and advertising cookies in the same basket though is not ideal.

Of course putting cookies in one of those categories isn't always that straight forward. How, for example, would you classify cookies used to personalise your customers’ experience? Functionality or marketing? You might see making more pages more relevant to a returning user as offering good service. Some however will see it as marketing!

Chapter 2 - Cookie laws

History of the cookie directive

So why are cookies such a big deal? Well, there’s been a host of rules and regulations implemented in the EU regarding cookies and, specifically, getting consent from site visitors to use them.

ePrivacy Directive

The ePrivacy Directive (EPD) was passed in 2002, and amended in 2009, and is commonly referred to as the ‘cookie law’. It was designed to protect “the right to private life, the confidentiality of communications and the protection of personal data in the electronic communications sector”. In other words, it was designed to protect web users from data harvesting, personal profiling and unwanted marketing.

It states in the ePrivacy Directive that “no cookies and trackers must be placed before prior consent from the user, besides those strictly necessary for the basic function of a website”. A website, as per this directive, should not start tracking any user data until the user consents.

The cookie law came to public attention in 2012 and 2013 when the related UK law was enacted and cookie pop-ups have been irritating us all ever since.

ePrivacy Regulation

Because the directive was fairly vague, it left things open to interpretation when it came to cookies. That’s one of the reasons the ePrivacy Regulation has been proposed - it was intended to come into effect at the same time as GDPR in 2018, but hasn’t yet been adopted. Despite Brexit the expectation is that the UK will still adopt it, not least because UK businesses serving EU citizens will need to follow the principals anyway.

The EU Commission proposal for the ePrivacy Regulation covers the following key points related to cookies:

Stronger, clearer rules: The same level of protection will apply across the EU, with one single set of rules in force for all member states
Easier cookie acceptance: Browser settings will offer an easy way to accept or refuse cookies
Essential cookies: No consent will be needed for cookies which don’t invade a user’s privacy, for example cookies which remember a shopping cart history
Stronger enforcement: The confidentiality rules in the regulation will be enforced by data protection authorities, who are already in charge of enforcing GDPR rules

Cookies and GDPR

The introduction of GDPR has brought additional clarification to what is and isn’t acceptable when it comes to cookies. Unfortunately, however, this clarification has just proved that most businesses aren’t quite up to scratch with their cookie notices and policies.

Most websites have just been cruising along, barely toeing the line of what’s acceptable when it comes to cookies. But now, it’s inevitable as we progress into the 2020s that we could see the entire industry burst into flames as GDPR forces compliance.

What is GDPR?

The GDPR was introduced in the EU in May 2018, and is a binding regulation for all member states. It’s much broader in scope than the ePrivacy Directive, as it focuses on data protection as a whole, rather than just website or digital data. It’s concerned with how companies are transparent about how they use and store user data.

But whilst the GDPR only mentions cookies once, the issue is inextricably linked to the regulation, as cookies are one of the most common ways in the digital age for companies to gather information about their users.

The GDPR states that users are only permitted to collect personal data from users once they’ve given explicit consent for them to do so, for the specific purpose(s) set out. The following cookie consent requirements apply, as per the rules of GDPR:

Explicit consent must be gained from users before non-essential cookies are activated
Users must be able to activate some cookies of their choosing, rather than being forced to consent to all or none
Consent must not be forced
It should be as easy to withdraw consent as it is to give it
Consent must be stored securely, as legal documentation
Consent should be renewed once a year at least

GDPR accelerated the prevalence of website cookie banners as people began to realise that, no, these laws are not a bad joke! What was once a frustratingly poor experience for users is now just an accepted part of using the web.

The May 2020 guidelines

In May 2020, the European Data Protection Board (EDPB) released guidelines to offer clarification on what counts (or rather, what doesn’t count) as an acceptable way of gaining cookie consent.

It stated that cookie banners must not have pre-ticked checkboxes.

Additionally, it was flagged that continued scrolling or browsing by a user does not equate to consent being given for the processing of personal data.

The EDPB document is unambiguous in its clarification that cookie walls do not constitute valid consent, giving the example of a site that doesn’t let users see any content until they’ve clicked a button saying “accept cookies”. There’s no choice here, so consent isn’t freely given, and it’s not compliant with GDPR rules.

As mentioned previously, the other issue picked up by the EDPB is scrolling in lieu of giving consent. Specifically, the EDPB states

“actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action.”

It really couldn’t be clearer! No longer will websites be able to get away with activating cookies as soon as a user starts to scroll down the page. Why not? Well, scrolling down a page is an ambiguous action and can’t easily be interpreted as an acceptance of cookies. What’s more, how would a user withdraw consent? There needs to be a clear way for users to both consent to and withdraw their consent from the use of cookies. The EDPB further states:

“...actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action: such actions may be difficult to distinguish from other activity or interaction by a user and therefore determining that an unambiguous consent has been obtained will also not be possible. Furthermore, in such a case, it will be difficult to provide a way for the user to withdraw consent in a manner that is as easy as granting it.”

Leeway in implementation

Despite the various clarifications, not every approach to compliance has been ruled in or out. Although there are increasing "norms" emerging there is no one set way of doing things.

It is also fair to say that those norms emerging may still be ruled out in due course. For example you may come across the "IAB's transparency and consent framework" which is a standard that most publishers and advertising networks are working with. Even this industry led approach has, to the best of our knowledge, not been given the authorities blessing. It may well be that in due course it is deemed non-compliant and the industry will have to think again.

As such taking an educated approach to compliance that accepts that the approach you choose may subsequently be ruled out seems reasonable to us. There is however a duty on you to keep an eye on things,

What's at stake?

Since the introduction of GDPR in 2018, websites have had to be extra careful about how they manage their cookies, as there are now hefty fines in place for flouting the rules.

Companies which violate GDPR may be subject to a fine of up to €20 million, or up to 4% of the previous year’s annual worldwide turnover, whichever amount is greater.

If you think that no one would be fined for cookie-related reasons, you’d be wrong. There have been several fines issued over the last couple of years to businesses whose websites have breached cookie privacy regulations, including Vueling Airlines, who were fined €30 million in 2019 because users visiting the site were unable to configure the cookies stored on their computers.

Users visiting the Vueling site were informed as to what cookies are, and what cookies were used on the site, as well as notifying users that Vueling could use the information either itself or via third parties. The site also informed users that third-party analytics cookies may be used. So far, so good!

However, the issue for Vueling was that the ability for users to manage their cookies was non-existent. The site stated that “you can configure the browser to accept or reject by default all cookies or to receive an on-screen notice of the reception of each cookie and decide at that time its implementation or not on your hard drive. You can also use ‘do not track’ cookie blocking tools… you can revoke at any time the consent given for the use of cookies by Vueling, configuring the browser for this purpose, and you can adjust the browser settings to prevent the installation of cookies.”

Sounds okay? Unfortunately for Vueling, they missed out a key component of their cookie policy: Vueling didn’t actually provide users with a means for managing cookies in a granular way. There was no management system or cookie configuration panel to allow users to select which cookies they approved (and otherwise).

One small mistake and the company was €30 million down. Ouch.

Although these stories are still quite rare, we can only imagine that things are going to get much stricter now that it’s been categorically confirmed that cookie walls and scrolling do not classify as giving consent.

Assuming you want to avoid a rather significant dent in your company’s profits, it’s more important than ever that your website complies with the rules and regulations around cookie policies. If you’re in the tiny minority who are doing a proper job of investing in privacy-first GDPR compliance, then your use of cookies will almost take care of themselves. Almost all companies still have significant work to do though.

Has Brexit saved us?

Chapter 3 - Complying with transparency requirements

Please note - GDPR compliance is much more wide ranging than just cookies. Here, we’re focusing just on the cookie aspects of GDPR compliance to provide a non-legal steer on how your website can meet the cookie requirements

Doing a cookie audit - detecting cookies

The not very practical DIY method

You can check yourself what cookies are being used on your site through your browser. The process is slightly different depending on which browser you use, but it usually involves:

Deleting all your cookies
Navigating your site taking care not to visit any other sites
Going to your browsers "Developer Tools" or privacy settings, where you can find out which cookies your site has placed on your browser.

It’s very easy to get this wrong and doing this won’t tell you much more than what cookies are being used, so you’ll have to do an extra bit of digging to find out what the cookies are actually doing, what information is being stored, and so on.

Using cookie audit tools instead

To make the job much easier, there are a good number of cookie audit tools out there!

These tools will automatically scan your website and identify what cookies your site is setting. As they usually have extensive databases of different cookies they will usually be able to identify and describe the function of each cookie to you.

One thing to be careful of is that basic audits will only navigate a site by going from page to page. They won’t do things that normal users might do like fill out forms or log in.

So any pages that are behind interactions (e.g. checkouts, logged in areas, comment forms, thank you pages) will be missed. And it is fairly common for most of these pages to set additional cookies.

This is one of those areas that has contributed to the overall “faux compliance” approach that most businesses are (inadvertently?) taking to cookie laws. On the upside the “naughtiest” cookies (e.g. advertising cookies) tend to be on the non-logged-in side of a site.

Many of these cookie audit tools come as part of a Consent Management Platform, the detail of which we delve into later on.

Known cookie audit tools:

List required

Offer a cookie audit tool? Let us know and we will add it to the above list.

Doing a cookie audit - categorising cookies

Step 1 - Work out what each cookie does

When you do an audit, there’s a few different things you should be looking out for - a good cookie audit tool should be able to help you easily answer the following questions:

What cookies are operating on your website
What’s the purpose of each of the cookies?
Are the cookies linked to information about users?
Do your cookies process any personal data?
Does your site use session cookies, or persistent cookies
What cookies are necessary, and don’t require consent?
What cookies do require consent?
What are the lifespans of each cookie? Is that lifespan necessary for the cookie’s stated purpose
What first-party cookies do you have?
Do you have any third-party cookies?
If you have third-party cookies, who is setting them?
What information do you share with third parties?

You will need to provide the full detail of each cookie as part of the transparency requirements - again an audit tool should help here. Typically their descriptions will be overly techy so making descriptions a bit friendlier would be a "nice to do".

Step 2 - Grouping similar cookies

You want your users to be able to understand what your cookies do without them having to read every single detail. You could do that by grouping similar cookies together into easily understood categories.

From a user’s perspective, if they don’t want you to use advertising cookies they probably won’t be that bothered which networks you are using, they’ll just not like the idea of that sort of tracking. So you can group together all your advertising cookies and provide a summary about them with the ability for the user to get the full detail if they require.

Doing this categorisation will lay the foundations for the consent process which we will get to in a bit.

For reference, we’ve categorised our cookies as follows:

Cleaning-up your cookies

Now you understand what cookies you are using, now is the right time to ask whether you actually need them all!

Inevitably you are going to need to have a discussion with your developer to understand some of your cookies so you can ask at that point.

Many of your cookies however will be related to a third party service you are using (e.g. HubSpot or Google Analytics). Here are some good questions to ask of each cookie “provider”:

Are we still using the service these cookies are coming from
Do we need to still use this service?
Are we running a number of similar services that we could cut down to one?
Does the service provider offer a cookie free alternative and would switching to it have any impact? (For example YouTube does but you will lose some tracking data)

One area that many sites are able to slim down on is in social sharing buttons. On a previous Attacat site we had two different sharing services (including Share This) as well as a myriad of sharing buttons (Google+!!!) from all the social networks. We’ve now stripped them all out.

We may add one or two back in due course but only when a business case for doing so has been made.

Once you’ve done your clean up, you should re-run your audit process just to make sure you haven't missed anything.

Creating a cookie policy

Now you have a slimmed down list, you need to draw up a cookie policy. This needs to do two jobs:

Provide a complete list of all the cookies you are using
Provide a clear explanation of what the cookies do.

In an ideal world you would write this in a completely bespoke way to help gain the maximum buy-in to your use of cookies.

The reality is that you will likely just use the vanilla output of the tool you use to do your compliance (see consent management platforms below). In our experience these are often written in a very technical and legalistic way rather than making any attempt to expound the benefits of the cookies to your users.

We used to have our own bespoke one. We created this in the days before consent solutions were widely available. Now that they are available and do so much of the other compliance that was not practical to do do beforehand, we’ve had to compromise on the text and go with the version provided by our chosen consent management solution. If you are interested in writing a bespoke version though we saved our old policy here in case you want to scan it for potential copywriting approaches.

The good news is that some of the cookie consent platforms offer the ability to customise your category descriptions, so there is at least some scope to be user friendly.

Cookie policy vs privacy policy

It’s impossible to get away from privacy when thinking about cookies and you may be wondering how your cookie policy interacts with your privacy policy?

We see it as a section of your privacy policy. Given the way the world has adapted to cookie consent, it’s become custom to create it as a separate page on your site and interlink the two.

When devising your cookie compliance process, it’s good practice to pay heed to privacy guidelines. If you do decide to write your own cookie policy, for example, the European Commission helpfully gives examples of what it considers to be examples of language that’s acceptable for a privacy policy and what’s not. It gives the following as examples of poor practice:

“We may use your personal data to develop new services” (as it’s not clear what ‘services’ are, or how the data will help to develop them)
“We may use your personal data for research purposes” (as it’s unclear what kind of research is meant)
“We may use your personal data to offer personalised services” (since it’s not clear what type of personalisation this entails)

As examples of good practice, using clear language, it lists the following:

“We will retain your shopping history and use details of the products you have you have previously purchased to make suggestions to you for other products which we believe you will also be interested in” (it’s clear what types of data will be processed and that the data will be used to target adverts to the user)
“We will retain and evaluate information on your recent visits to our website and how you move around different sections of our website for analytics purposes to understand how people use our website so that we can make it more intuitive” (it’s clear what data will be collected and what it will be used for)
“We will keep a record of the articles on our website that you have clicked on and use that information to target advertising on this website to you that is relevant to your interests, which we have identified based on articles you have read” (it’s clear what the personalisation entails)

In our view it’s always good to try to make these points in a friendlier and less scary way wherever you can. You can do this whilst still achieving the Commission’s objective of clarity.

For example, from the last bullet point: “target advertising on this website to you that is relevant to your interests” would be better as “make the adverts you see on this website more relevant to your interests and therefore more useful to you.”.

And as a further side note on that last bullet point: the chances are, if you are serving ads like this, they are being powered by a third party and that third party will be sucking up user data from your site to make ads more tailored on other sites too. So the scenario they are suggesting is not a very common one... And the common one is rather more challenging (and still the subject of a fair amount of debate in the industry)!

Chapter 4 - Understanding "consent"

Introduction

You’ve got to get consent! There is no getting away from that.

By now, you’ve paired down your site’s cookies to the ones that make a difference to you. Almost certainly you will still have some so called “non-essential” cookies on your site (such as analytics and ad tracking cookies). That means you are legally required to only place these cookies after you’ve got consent.

So your job now is to get as many people as you can to give consent! To do that you need to have an understanding of:

What does and doesn’t count as consent
Conversion optimisation and persuasive copywriting skills
An understanding of the available technology

What counts as consent?

You might assume that all the cookie banners you see on sites across the web are getting consent in a legal way. You’d be wrong!

As you will see in our review of some randomly selected top brands, most large companies, never mind less well funded SMEs, are falling short.

The UK’s enforcement body the ICO (Information Commissioner’s Office) states that:

“To be valid, consent must be freely given, specific and informed. It must involve some form of unambiguous positive action - for example, ticking a box or clicking a link - and the person must fully understand that they are giving you consent. You cannot show consent if you only provide information about cookies as part of a privacy policy that is hard to find, difficult to understand, or rarely read. Similarly, you cannot set non-essential cookies on your website’s homepage before the user has consented to them.

Consent does not necessarily have to be explicit consent. However, consent must be given by a clear positive action. You need to be confident that your users fully understand that their actions will result in specific cookies being set, and have taken a clear and deliberate action to give consent. This must be more than simply continuing to use the website. To ensure that consent is freely given, users should have the means to enable or disable non-essential cookies, and you should make this easy to do.”

That guidance is worth reading a few times to really understand it as it’s the crux of cookie laws in two well written paragraphs.

And as a side note it’s also worth noting that the guidelines also highlight that website owners must take care to ensure that consent is given for cookies that collect particularly sensitive data, such as those which gather health details about site visitors.

If all this is starting to give you a bit of a headache, you will be starting to understand why so many businesses have been burying their heads in the sand when it comes to cookies!

But don’t give up yet, we’ll do our best to show you a clear path towards consent!

Can I just claim all my cookies are "essential"?

You don’t need to get consent for so called “essential” cookies. But bear in mind that when the EU say “essential” they mean essential!

Few to any businesses websites will only use essential cookies, hence why we say you will need a consent mechanism.

Here’s the jargon version of “essential”:

If the cookie is for the sole purpose of carrying out the transmission of communication over an electronic communications network; or
The cookie is strictly necessary to provide an ‘information society service’ (e.g. a service over the internet), requested by the subscriber or user. These cookies must be essential to fulfil a user’s request - if cookies are simply convenient, or helpful, they still need consent.

What does that actually mean, though? Well, in practice, it means that you don’t strictly need consent for:

Cookies that are used to remember what items a user adds to their basket (because the user is taking a positive action to do something - the cookie is simply the enabling technology and doesn’t do anything the user might not reasonably expect. Note that this is in contrast to a cookie that might show them items based on what they’ve been looking at on the site)
Session cookies providing security that’s essential to comply with data protection security requirements, e.g. online banking
Load-balancing cookies that ensure the page loads quickly
Even though you don’t need to gain consent for these types of cookies, it’s still good practice to let users know that they’re being used, and what they’re for.

Analytics, marketing and advertising cookies are very definitely not classed as essential!

Can I just put a “cookies are used on this site” notice on my site and claim implied consent?

Sorry, no! Back in 2013 when the cookie directive was new, many, including us, thought that a clear notice saying “this site uses cookies” might be enough, especially if the cookies we were using were not that invasive and we were clear about how we were using them.

Since then there has been unambiguous clarification that this is not acceptable. If the ICO guidelines above are not clear enough then the May 2020 guidelines from the European Data Protection Board (EDPB) state:

“actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action.”

It really couldn’t be clearer! No longer will websites be able to get away with activating cookies as soon as a user starts to scroll down the page.

Why not? Well, scrolling down a page is an ambiguous action and can’t easily be interpreted as an acceptance of cookies. What’s more, how would a user withdraw consent? There needs to be a clear way for users to both consent to and withdraw their consent from the use of cookies.

Can I force people to accept cookies before proceeding to my site?

That's also a "no"!

You might think that you could just prevent anyone who isn’t prepared to accept your cookies from using your site. It seems fairly reasonable after all. But the ICO state:

“To ensure that consent is freely given, users should have the means to enable or disable non-essential cookies, and you should make this easy to do”

The EDPB May 2020 guidelines are even clearer stating that cookie walls do not constitute valid consent, giving the example of a site that doesn’t let users see any content until they’ve clicked a button saying “accept cookies”.

The EDPB’s argument is that there’s no choice here, so consent isn’t freely given making it non compliant with GDPR rules.

Do I need to get consent for each cookie individually?

As you'd expect, the answer here is "no". Phew!

But it's a question that's worth exploring as part of increasing your understanding of consent.

Repeating the ICO guidance from above (we’ve highlighted the bits relevant to this question):

“To be valid, consent must be freely given, specific and informed. It must involve some form of unambiguous positive action - for example, ticking a box or clicking a link - and the person must fully understand that they are giving you consent. You cannot show consent if you only provide information about cookies as part of a privacy policy that is hard to find, difficult to understand, or rarely read. Similarly, you cannot set non-essential cookies on your website’s homepage before the user has consented to them.

Consent does not necessarily have to be explicit consent. However, consent must be given by a clear positive action. You need to be confident that your users fully understand that their actions will result in specific cookies being set, and have taken a clear and deliberate action to give consent. This must be more than simply continuing to use the website. To ensure that consent is freely given, users should have the means to enable or disable non-essential cookies, and you should make this easy to do.”

“Consent must be...specific and informed” and “You need to be confident that your users fully understand that their actions will result in specific cookies being set” definitely suggests you can’t get away with claiming consent by just saying “This site uses cookies” “Accept or Decline”. This isn’t specific about what type of cookies you are setting and there is no way for them to be informed about what the impact of such cookies will be.

One way of ensuring a full understanding would be to ask your user to opt into each cookie individually. However once you see how many cookies the average website uses you will be glad this is not the case!

The “Consent does not necessarily have to be explicit consent” line points to the middle ground of getting consent for each broad function of cookies. That’s why if you dig into cookie notices on sites you will see that cookies have been grouped into categories. Here’s one example:

Cookies-constent-categories-example

Behind each of “Performance” “Targeting” and “Functionality” will be a number of different cookies. The argument being that these are categories that your typical user can understand and if they did tick those boxes it would be because they understood what was being offered. Thus consent is being gained in a more granular fashion than a single catch-all.

Whilst likely compliant, your marketing brain will probably be saying there is no way users are going to tick any of those. And you'd be right, you could say goodbye to the usefulness of your analytics and marketing services. That’s why you need to apply some digital marketing skill to the consent process!

(Side note: if you look at the design of the above banner and think about what function the “accept all” and “decline all” buttons then you may be left wondering. Could the “accept all” button actually mean you accept all four cookie types? You’d hope not but you wouldn’t bet your life on it! This is just one of many examples of far from ideal banner design)

Chapter 5 - Maximising consent levels

Chapter 6 - Additional consent requirements

Document and store consent

In addition to getting consent from users, GDPR now also requires you to record that permission being given to you. Article 7(1) says:

“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”

This also needs to be very granular and detailed. You can’t get away with just maintaining a record of the fact that you had a cookie consent process in place from X date so they must have given consent if cookies have been placed!

The ICO’s examples, such as this one, make this clear:

ICO example

Thankfully most Cookie Consent Management Platforms have this function, though for some reason they only offer it in their premium editions despite it being a legal requirement. Inevitably therefore there will be companies who think they have done what they need to do but are still operating illegally.

Make it easy to withdraw consent

GDPR requires you to offer users the ability to subsequently opt-out of the permissions they gave you and it needs to be as easy as the method with which they gave you consent in the first place.

For cookies this means you need to provide a simple online opt-out that is easy to find. The accepted convention is to include a link in the footer of your page.

Side note: In an ideal world you’d have a privacy centre where your customers can manage all their consents including cookies. Indeed it would best if consumers didn’t need to think about cookies at all and instead just had to think about the functions we use cookies to perform (e.g. "Please can we have permission to anonymously monitor how you use this site so we can improve it over time? Yes/No". "Please can we have permission to anonymously make our Google and Facebook adverts more relevant to you based on how you use this site? Yes/No").

The reality though is that most companies treat cookies separately to other consents, simply because it’s easier technically. Cookie consent management platforms will inevitably take you down this less ideal route.

Chapter 7 - Are big brands complying with cookie regulations?

We had a sneaking suspicion that most websites aren’t meeting the mark. To confirm this, we had a look at a few randomly selected websites of big brands to assess how they’re doing.

Website	Cookies only placed after consent?	Granular consent options?	Easy to withdraw consent?
Tesco.com	(as system not being maintained?)	but doesn't work!	(have invested in a privacy centre though)
New Look
Anthropologie	(can be glitchy)	(can be glitchy)
EE	(as system not being maintained?)
BBC Good Food	(as system not being maintained?)

Tesco

Site: Tesco.com

Surely one of the UK’s leading supermarkets knows the score when it comes to cookie consent? A 2020 upgrade suggests they are investing in it but our review suggests they are still falling a bit short.

What we must congratulate them on is the building of a privacy centre - no small investment and whilst we haven’t done a detailed review of it, it looks like it ticks the GDPR boxes.

Cookie-wise they’ve made a lot of progress. Enter the home page and the cookie banner (lower profile than it should be at the bottom) gives an option to manage cookies. This “Accept all” or “manage cookies” has marketing in mind. It ticks legal boxes by giving options but the easy option for consumers is still to “Accept all”.

If you do click through to manage cookies they provide a pretty-consumer friendly approach. By grouping all their cookies into three types (essential, experience and advertising) they’ve made decision making easy. The best bit (with a marketing hat on) is the yes/no option they offer - you’ll get a much better result with this than a tick box.

It looks great but unfortunately (at the time of writing) it doesn’t work! As soon as I go to another page a variety of advertising cookies get set. All the different domains they are using (e.g. tescobank.com) don’t help the situation either as they all use different approaches.

I couldn’t find any way to modify my cookie choices after setting them either.

So in summary, it looks like a great effort has been made but it fails to comply due to not being fully executed. It does show aspiration which brands who are currently burying their heads in the sand should pay attention to.

The fact that they have slightly different approaches on all their domains is also frustrating (if understandable with a techy hat on!)

New Look

Site: newlook.com/uk

New Look also places non-essential cookies on your browser as soon as you arrive on the site and before you consent, including three advertising trackers (Bing Ads, Google AdWords Conversion Tracking and Digital Window), three analytics trackers (Content Square, Google Analytics and App Dynamics). However they are taking a fundamentally different approach to Tescos.

They are relying on just having a notice at the bottom of the page, an approach that is specifically ruled out by the ICO.

Although they have a ‘got it’ button on their banner, it doesn’t appear to have any function other than hiding the banner.

If a user does happen to click on ‘learn more here’, they’ll see they are relying on you to control all the cookies from your browser. Again this is not considered acceptable.

There’s no clear information about cookies at all. You have to search for cookies to find any information about them, and the result is a page that still doesn’t comply with the regulations. At least, as we understand it!

They do at least explain what type of cookies are used on the site, but other than that it feels they would be found wanting if the ICO paid them a visit.

Anthropologie

Site: Anthropologie.com/en-gb

Anthropologie have also changed their approach to cookies in 2020. They’ve gone for the very clear notification approach of an overlay (with a greyed out site so you have to engage with it).

They’ve (sensibly IMHO!) been bolder than Tesco’s in making the “accept all” the high visibility option. Clicking on the manage cookie preferences link reveals the below:

This approach of simple, easy to understand options with a link to more info is really nice. Arguably the grouping and description of cookies is a bit disingenuous but someone with privacy concerns can still avoid being cookied, so it’s not a big issue. They could likely make their marketing teams happier by making the check boxes into yes/no radials (like Tesco’s do) to get greater opt-in without compromising compliance.

In our testing we found that the choices we made were usually respected, however it does seem glitchy. Sometimes advertising cookies were placed before we gave consent so a bit of work to be done here.

The other area they could improve on is being able to change your choices subsequently. We couldn’t find a way to do it.

So arguably they have some compliance issues, but the ICO will still likely be quite impressed. They have also implemented things in a way that is likely to ticking the boxes for the marketing department too.

EE

Site: EE.co.uk

EE’s approach is a bit of a funny one! If we had to guess it may be that they’ve implemented a system but over time, a lack of site management processes has let the good intentions down. Let us explain!

When you enter the site, a lot of cookies are placed instantly, including trackers like DoubleClick so their compliance is falling down here.

Like Anthropologie they grey the site out on entry and use an overlay notice that encourages you to accept.

The “Learn more about cookies” initially fooled us into thinking we wouldn’t be able to give any granular permissions but clicking on it does reveal these options:

This clearly explains what the cookies are used for, and the only box that is pre-checked is the essential cookies. And the options you select will change what cookies are set! Bravo, EE!

Users are also able to modify their preferences from a link in the footer.

So the system shows a lot of good intent, yet it is completely let down by the fact that they set advertising trackers before you give consent. We assume it all worked perfectly when first implemented but as more marketing technology has been added to the site over time, the trackers have been added without going through a process to ensure they are added to the cookie consent system. It’s the sort of thing that is common when you have lots of different people and perhaps agencies working on the site.

We’d also question whether the “Learn more about cookies >” and “Accept” combination is higher risk compliance-wise than it needs to be. The alternative “Manage preferences” and “Accept all” approach makes it much clearer that you are accepting everything and is therefore more likely to be compliant.

BBC Good Food

Site: BBCGoodFood.com

BBC Good Food seems to be in the same category as EE i.e. everything pretty much as it should be, yet failing to comply because advertising cookies (including DoubleClick and Outbrain) are placed without consent. It may be that they are just failing to keep their system up to date.

The banner design is interesting. Take a half second look at it as a user would do.

Two points of interest:

They have focused on privacy rather than cookies. That’s great intent. As we’ve argued elsewhere focusing on cookies is far from ideal as it’s how personal data is used that is the issue, rather than cookies. However we are not sure it works. Sadly “Cookies in use” is now probably easier for people to understand. Which brings us on to...
There’s so much text on that banner that most users will just read “We value your privacy” and “OK”. If that’s all you’ve read, you’ve hardly knowingly accepted having your browser impregnating with tracking technology, never mind understood what said cookies are doing.

Their consent process is also worth looking at as it’s very comprehensive allowing very granular consent. They offer 13 different opt-ins (grouped into the four categories you can see below) you can opt-into as well as descriptions of a good number of essential categories. In our opinion it’s horribly overwhelming and the chances of users opting-into any of the categories would be very slim.

One easy improvement which would likely be at least reasonably compliant would be to modify the above screen so you could opt-in to a category at a time (and of course use yes/no radials to force a proactive choice). The more granular choices could still be made readily accessible for those who want them.

Overall there is a huge amount to applaud with their approach. They have clearly sought to include every legal nut and bolt whilst also attempting to explain things in consumer-friendly terms. They should also be commended for the way they list all their partners. The ability to manage preferences is also available.

Whilst it could be more consumer friendly, maintained properly and made more marketing-friendly, overall it’s a very comprehensive and transparent approach. Other brands would benefit from cherry-picking the best bits from the Good Food approach.

Conclusions

None of the brands we looked at appear to be fully complying but many are trying to.

What seems to be happening is that great effort has been made to get compliance systems in place but not enough effort is being put into maintaining them.

This is symptomatic of privacy still not yet being a ubiquitous part of business culture. It seems marketers and developers are still in the habit of just adding services to a site without going through a privacy audit and process.

What is clear though is that at least some parts of most larger organisations are aware of the requirements and, unlike in the early days of cookie laws, are no longer ignoring them.

Those brands that do ignore, or take a "high risk" approach such as New Look, are increasingly leaving themselves open to privacy issues. They need to be aware that other brands are raising the standard of their compliance and that the ICO has, over time, ruled out what were once considered potentially compliant options.

By now you’ll be aware that, in our view, third party cookie tools that can be classified as Cookie "Consent Management Platforms” (CMPs) offer a practical, if imperfect, solution to complying with the various cookie laws.

What is a Cookie Consent Management Platform?

Cookie Consent Management Platforms Reviewed

We set out, armed with our wish list, to find a CMP that would meet the needs of this site and those of our clients (ecommerce and other brands and B2B organisations).

We found several that had all the necessary features to deliver a legally compliant solution:

Platform	Transparent cookie Info	Cookies only placed after consent?	Granular consent options?	Easy to withdraw consent?
All platforms reviewed

Our focus was therefore on finding a solution that was going to deliver a high level of opt-in.

Our criteria

Marketer-friendly criteria

All the tools we looked at have customisation options. However some give more flexibility than others and some do it all through a user interface. Some would require a developer to achieve the customisation.

In this review we’ve looked at what’s on offer to a marketer without developer intervention (i.e. what’s readily on offer in the user interface).

Our wish list was very specific:

"Accept all / manage preferences"

We believe that a cookie banner that gives users these two options only is the single best way to achieve a high level of consent.

As argued previously, when done with care, we believe this can be a legally compliant solution for those not processing sensitive data. Of course it is an approach that may ultimately be ruled out by the authorities, but at this time we are not aware of it having been specifically ruled out.

Two of our reviewed platforms allowed us to achieve the wording we wanted but fell down on this criterion as, despite the wording being right, either:

1. the functionality didn’t fully work in the way a user would expect if faced with those two options,
2. You had to add a “Decline all” button as a third option. This would dramatically lower consent levels, and/or
3. There was no option to remove the close button - this would allow users to delay their decision which would have the pretty much the same impact on consent rates as a “decline all” button.

Editable banner text

For our “Accept all / manage preferences” approach to have the most chance of being compliant, we think it is important to be able to demonstrate that you are being open and upfront about what clicking “Accept All” means.

To do that effectively you also need to be succinct and to the point. In our view many default banner texts could be clearer, hence why we want to put our own text in.

Overlay banner

Our approach is to force the user to make a decision about cookies before they use the site.

As discussed elsewhere in this guide we’d prefer to do it differently (see the section on progressive consent) but we feel this is the best way of doing it when using a Cookie CMP.

Editable category descriptions

The ability to be able to describe how you use your cookies is nice to have. It gives you an opportunity to build trust with those who are privacy conscious.

Yes/No radios

We didn’t find any CMP offering this. It's a nice-to-have rather than a must-have. The aim here is to increase consent levels amongst those who click through to “manage preferences”.

The way most CMPS have designed the manage preference process will result in a high proportion of the user who go down this route not consenting.

This is because they either use unticked checkboxes or toggles set to off by default. This is very compliant but using yes/no radios would be equally compliant but would require the user to make a decision one way or another and that would lead to a higher rate of consent. (Care would be required to avoid frustration: we’d still offer a way to bulk decline (and bulk accept!!)

Ease of deployment

We want a solution that is easy to understand, set-up and deploy. On the last point, one thing we definitely don’t want to be doing is altering the code of any third party product (e.g. a YouTube video or Facebook button) to work with the solution. We want the solution to just take care of all those cookies with the simple deployment of one script.

Platform	Ease of deployment	£/month
CookieBot	4/5	from £8
Cookie Script	5/5	from £5.30
CookiePro	4/5	from £31
CookieYes	2/5	from £free
Iubenda	Untested	from £22

Prices and functionality beleived to be correct at time of writing. Some platforms make it easier than others to find features and pricing info! "From" prices based on lowest price package offering all features necessary for compliance (for some reason some exclude "consent logging" from their lower cost packages).

Our decision

We opted to go with CookiePro despite it being the most expensive option and most difficult to get going on. Of the CMPs we looked at, it was the only one that offered the level of customisation we wanted.

Cookie Script came very close with it’s great admin interface design. If they ever implement our one must-have feature of allowing “Accept All / Manage preferences” then we would probably be all in. Similarly CookieBot lacked that key feature.

CookieYes has a lot of potential but we didn’t go with it because it looks like it requires configuration of individual third party scripts, whereas others just deal with third parties without us having to worry about them.

Cookie tools and cookie laws

Introduction

Looking for the Attacat Cookie Audit Tool?

What you need to know in brief

Chapter 1 - About cookies

Why you should care about cookies

What are cookies?

Types of cookie

Chapter 2 - Cookie laws

History of the cookie directive

Cookies and GDPR

The May 2020 guidelines

What's at stake?

Has Brexit saved us?

Chapter 3 - Complying with transparency requirements

Doing a cookie audit - detecting cookies

Doing a cookie audit - categorising cookies

Cleaning-up your cookies

Creating a cookie policy

Cookie policy vs privacy policy

Chapter 4 - Understanding "consent"

Introduction

What counts as consent?

Can I just claim all my cookies are "essential"?

Can I just put a “cookies are used on this site” notice on my site and claim implied consent?

Can I force people to accept cookies before proceeding to my site?

Do I need to get consent for each cookie individually?

Chapter 5 - Maximising consent levels

Introduction

Progressive consent - the ideal solution

Third party cookie tools - the simple choice

Designing effective consent banners (“Consent rate optimisation”)

Chapter 6 - Additional consent requirements

Document and store consent

Make it easy to withdraw consent

Chapter 7 - Are big brands complying with cookie regulations?

Tesco

New Look

Anthropologie

EE

BBC Good Food

Conclusions

Chapter 8 - Cookie Consent Management Platforms

What is a Cookie Consent Management Platform?

Cookie Consent Management Platforms Reviewed

Our criteria

Our decision

Subscribe to our newsletter