
Cookies & GDPR – Why you’re (probably) not compliant

We’ve heard about GDPR and we know that it has a significant impact on how we do business (especially B2C), but precisely how it affects company websites has been unclear – until now.

The ICO (Information Commissioner’s Office) has finally published its Cookie Policy guidance.

The new guidelines mean that we can now be more confident in making sure our website policies are compliant. It also means that we have a clearer idea on what practical steps to take to make this happen.

First up, before we take a closer look at something that will affect a very large percentage of companies that currently have a Cookie Policy (and if you don’t have a Cookie Policy at all, you need to act quickly. VERY quickly), let’s remind ourselves what a Cookie is and why websites use them.

When you visit a website, you aren’t just presented with a webpage and its obvious, visual content. Behind the scenes, the site you have visited has sent a small file of information to your computer. This file (usually in the form of a “pixel”) then stays on your computer, acting as a kind of semi-permanent ‘link’ between you and the webpage that sent the Cookie. It literally “tracks” your movements and behaviour.

Why do websites do this? In a word: information.

The website will assume that you’re interested in what it has to say, or what it has to sell, and wants to keep reminding you that it exists. Have you ever been surfing the web, clicked on a site, and then found that adverts for that site or product keep popping up wherever you go next? Even days or weeks later? Well, that’s because of a Cookie.

It means that the relationship you have with that original website/company/product isn’t over when you click away from the page.

Not all Cookies are about advertising, though. Some are designed to gather data about your computer’s “IP” address (which tells the website you’re visiting where in the world you are). Some just keep track of how many visitors, or “hits”, the website is getting. Some are needed for the site to function properly and securely.

Again – whatever the specific purpose of the Cookie, it all boils down to one thing: information.

And that’s why Cookies (and your company’s Cookie Policy) are a matter of serious interest for the ICO and GDPR.

If your company is gathering ANY kind of data or information about a private individual (and, in practice, that means each and every visitor that clicks on your site), then the visitor needs to know this, and they need to be able to make an informed choice about whether, and how, to proceed.

And in case you’re wondering if your website uses Cookies to gather data on visitors and what they click on, 99.99% of websites do. Why your particular site does this is something you need to take up with your webmaster/designer.


So, back to GDPR.

A key development is that implied consent is no longer permitted.

What does this mean? It’s highly likely that you’ve visited a site recently which “pops up” a Cookie consent notice which says something along the lines of: “This site uses Cookies, by continuing to use the site, we’ll assume you’re okay with that.”

Now, this kind of policy is illegal.

A central tenet of GDPR is that valid consent requires affirmative action. Assumptions no longer play any part in valid consent. If your site visitor continues to browse, they have NOT given tacit consent for any Cookies to be sent to their computer.

As of right now, your Cookie Policy must obtain opt-in consent prior to the sending of ANY Cookies.

Interestingly, you might already have experienced websites which present you with a “full Cookie wall”. This is where access to anything on the site is blocked until you click the appropriate sections of the Cookie Policy form.

However, GDPR doesn’t technically allow for this, because it means that consent hasn’t been “freely given”. In other words, you have no choice but to click the opt-in form before continuing, which goes against the principles of choice and control which underpin the entire ethos of GDPR.

Next, your Cookie Policy needs to be more detailed. A generic “template” message is no longer enough.

Users need to be able to clearly and easily refuse third-party Cookies (e.g. advertising “pixels” from Facebook or Google). If you can’t provide a Cookie Policy which allows this, then don’t use tracking pixels.
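The opt-in model described above, as an added example that is not code from the original post: a small consent gate that blocks third-party pixels by default, treats continued browsing as no consent at all, and lets the visitor refuse each category separately. The cookie name, tag list and script URLs are constructed placeholders, not any vendor’s real endpoints.

```javascript
// Added example (not from the post): a consent gate for a site's tags.
// Cookie name and script URLs are constructed placeholders.
const CATEGORIES = ["necessary", "analytics", "advertising"];
const CONSENT_COOKIE = "site_consent";
const TAGS = [
  { id: "session", category: "necessary", src: "/js/session.js" },
  { id: "analytics", category: "analytics", src: "https://analytics.example/tag.js" },
  { id: "ad-pixel", category: "advertising", src: "https://ads.example/pixel.js" },
];

// Deny by default: nothing non-essential is sent until the visitor opts in.
function defaultConsent() {
  return { recorded: false, necessary: true, analytics: false, advertising: false };
}
// An affirmative yes/no is required per category; "necessary" cannot be refused.
function recordChoice(choices) {
  const consent = defaultConsent();
  for (const c of CATEGORIES) {
    if (c === "necessary") continue;
    if (typeof choices[c] !== "boolean") throw new Error(`explicit yes/no needed for ${c}`);
    consent[c] = choices[c];
  }
  consent.recorded = true;
  return consent;
}
// Scrolling or clicking through is not consent: the state is returned unchanged.
function onContinueBrowsing(consent) {
  return consent;
}
// A tag loads only if it is necessary or its category was explicitly accepted.
function mayLoad(consent, tag) {
  if (tag.category === "necessary") return true;
  return consent.recorded === true && consent[tag.category] === true;
}
function tagsToLoad(consent) {
  return TAGS.filter((t) => mayLoad(consent, t)).map((t) => t.id);
}
// Read a stored choice back from a Cookie header; anything missing or malformed
// falls back to deny-by-default rather than to an implied yes.
function parseStoredConsent(cookieHeader) {
  const m = new RegExp("(?:^|;\\s*)" + CONSENT_COOKIE + "=([^;]*)").exec(cookieHeader || "");
  if (!m) return defaultConsent();
  try {
    const parsed = JSON.parse(decodeURIComponent(m[1]));
    return parsed.recorded === true ? recordChoice(parsed) : defaultConsent();
  } catch (_) { return defaultConsent(); }
}
function serializeConsent(consent) {
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(consent))}; Path=/; SameSite=Lax; Secure`;
}
```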

Finally, the title “Cookie Policy” for your Cookie Policy won’t cut it any more.

Instead, you need a pop-up or banner which states, in plain English, that it contains important information about how the site works and how the visitor is in control.

For more information on this, get in touch with your web designer, or give us a call. You can find our contact details at
