Understanding Cookie Consent and Your Legal Obligations

If you run a website that serves visitors from the UK or the European Union, you need to understand cookie consent requirements. UK and EU law requires you to obtain genuine consent from users before placing non-essential cookies on their devices. This is not optional, and the regulations have been enforced by the Information Commissioner's Office (ICO) for several years now.

The relevant legislation includes the Privacy and Electronic Communications Regulations (PECR), which work alongside UK GDPR. Together, these regulations set out exactly what your website must do when it comes to cookies and similar tracking technologies. Understanding the distinction between cookies that require consent and those that do not is the first practical step toward compliance.

Cookie consent is not simply about adding a banner to your site. You must give users a genuine choice, respect the choices they make, and make it straightforward to change their preferences at any time. Pre-ticked boxes, dark patterns that make rejection difficult, and cookie walls that block access unless consent is given are all practices that fail to meet the legal standard. The ICO has taken enforcement action against businesses using these approaches, and non-compliance can result in significant consequences.

If you operate a website and are unsure whether your current setup meets these requirements, working through a GDPR compliance checklist for websites can help you identify gaps and take practical steps toward compliance.

Which Cookies Require Consent and Which Do Not

Not all cookies are treated equally under the regulations. Understanding the different categories helps you determine what your consent mechanism must cover and what it does not need to address.

Strictly Necessary Cookies

These cookies do not require consent. They are essential for providing a service the user has explicitly requested. Common examples include session cookies that maintain a shopping cart as you navigate a site, authentication cookies that keep you logged in, and security cookies that detect repeated login failures.

The key test is whether the cookie is essential for a service the user has specifically asked for. A cookie that remembers items in a basket during a single browsing session is generally necessary. A cookie that tracks which products a user viewed across multiple visits is not.

Analytics Cookies

Tools like Google Analytics, Mixpanel, and Hotjar place cookies that track user behaviour across visits. These are not strictly necessary and require consent before they can be placed. Users must be given the option to reject analytics cookies without being penalised or denied access to your site.

If you use analytics tools, you need to ensure they do not load or set cookies until the user has actively agreed to that category. Many analytics platforms offer IP anonymisation and other features that reduce the data collected, which is worth considering when planning your setup.

Advertising and Tracking Cookies

Any cookie used for targeted advertising, retargeting, cross-site tracking, or building user profiles requires explicit consent. These are the primary focus of privacy legislation because of their role in surveillance-based advertising models.

Facebook Pixel, Google Ads conversion tracking, and similar marketing technologies fall into this category. They should not be loaded until the user has consented to marketing or advertising cookies specifically.

Functional Cookies

Cookies that remember user preferences such as language settings, region, or display options are not strictly necessary. They also require consent, though the ICO takes a pragmatic view on low-risk preference cookies that do not track behaviour across sites.

If you offer users the ability to save preferences like font size or dashboard layout, those cookies should be covered by your consent mechanism unless they are genuinely essential for the core service.

Building a Compliant Cookie Consent Banner

A cookie consent banner must meet several specific requirements to be considered compliant. The banner must be prominent and not hidden behind other content or dismissed too easily. It must clearly state what cookies are used and for what purpose. Users must have a genuine choice between accepting and rejecting non-essential cookies. The mechanism must not use dark patterns to nudge users toward accepting all cookies.

Users must be able to change their preferences at any point after their initial choice. This means including a clear way to access the consent settings from the footer or another persistent location on your site.

Rather than building a custom consent mechanism from scratch, using a certified Consent Management Platform (CMP) is the practical approach for most website owners. These platforms are built specifically to comply with GDPR, ePrivacy, and the IAB Europe's Transparency and Consent Framework. They are maintained to reflect regulatory changes and are regularly audited for compliance.

Popular compliant CMPs include Cookiebot, OneTrust, TrustArc, and Usercentrics. Most offer free tiers suitable for small websites and paid tiers with additional features for larger commercial sites. When evaluating options, check whether the platform supports the specific cookie categories you use and whether it integrates with your website platform.

Installing Cookiebot on Your Website

Cookiebot is one of the most widely used CMPs and integrates with most website platforms including WordPress, Shopify, and custom-built sites. The installation process starts with creating an account at cookiebot.com and adding your domain to the dashboard.

Once your domain is registered, Cookiebot provides a script snippet that you add to your website. This script must be placed in the <head> section of your pages, before any other scripts that might set cookies. This ensures Cookiebot loads first and can prevent other scripts from placing cookies before consent is obtained.

<!-- Load the CMP first, in <head>, ahead of any script that could set a cookie -->
<script id="Cookiebot" src="https://consent.cookiebot.com/uc.js" data-cbid="YOUR_CBID" type="text/javascript"></script>

Replace YOUR_CBID with the unique identifier Cookiebot provides for your domain. This ID links your website to your Cookiebot account and enables the consent management features.

After installing the script, configure which cookie categories your website uses in your Cookiebot dashboard. Map your analytics tools, advertising scripts, and functional features to the correct categories. Cookiebot will then automatically generate a cookie declaration based on this configuration, which you can embed on your site.

Updating Your Privacy Notice for Cookie Compliance

Your privacy notice must include specific information about your use of cookies. The required details include what cookies are used on your site, what data they collect, why that data is collected, how long it is retained, and the lawful basis for using each category of cookies.

List every cookie your site uses, including those set by third-party services. For Google Analytics, specify what data is collected, what the retention period is, and how users can opt out. For advertising cookies, describe the profiling that occurs and how users can object to it.

The ICO provides detailed cookie guidance on their website that explains exactly what your privacy notice must contain. Using this as a checklist when writing or updating your cookie policy helps ensure you cover all the required elements.

Your privacy notice should also explain how users can withdraw consent and how to contact you about data protection matters. Including a clear contact email address for data protection enquiries is a practical addition.

Implementing Consent-Dependent Script Loading

When using Cookiebot or a similar CMP, scripts that set cookies should only load after consent is given for the relevant category. This is achieved by adding the data-cookiecategory attribute to your script tags and marking them with the appropriate category.

The script type is set to text/plain initially, which prevents the browser from loading or executing it. When a user accepts a category, Cookiebot changes the script type to text/javascript, which causes the browser to load and execute the script.

<!-- type="text/plain" keeps each script inert until the named category is consented -->
<script type="text/plain" data-cookiecategory="analytics" src="https://www.googletagmanager.com/gtag/js?id=UA-XXXXX"></script>
<script type="text/plain" data-cookiecategory="marketing" src="https://connect.facebook.net/en_US/fbevents.js"></script>

This approach is more compliant than relying on scripts to check consent after loading, because it prevents cookies from being set before consent is given rather than attempting to delete them afterward. Once a cookie is set, deleting it may not fully address data that has already been collected or transmitted.

When a user rejects a category, the script remains as text/plain and is not executed. This means the associated cookies are never set for that user, and no data is collected under that category.
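To make the gating concrete, here is an added example (not Cookiebot's own code) of the general mechanism the two sections above describe: scripts carrying type="text/plain" and a data-cookiecategory attribute stay inert, and on consent each accepted one is re-inserted as a real script while rejected ones are left untouched. The attribute name and the "analytics" and "marketing" values are the ones used in this article; check the exact attribute and category names your CMP expects. The small stand-in document, the demo page, and the cart.js path are constructed so the code runs outside a browser; the CookiebotOnAccept event and Cookiebot.consent properties in the browser branch are assumed from Cookiebot's public API and should be confirmed against its documentation.

```javascript
// Added example, not Cookiebot's own code: generic consent gating for scripts
// marked type="text/plain" with a data-cookiecategory attribute (the attribute
// used in the article; confirm the name and category values your CMP expects).

// Pure decision: which inert scripts may run under this consent state?
// `consent` looks like { analytics: true, marketing: false }.
function scriptsToActivate(scripts, consent) {
  return scripts.filter((s) => {
    const category = s.getAttribute("data-cookiecategory");
    return s.getAttribute("type") === "text/plain" && category !== null && consent[category] === true;
  });
}

// Browsers never execute a script whose type is merely edited in place, so each
// consented script is replaced by a fresh element of type text/javascript.
// Returns the src of every script activated; rejected ones stay text/plain.
function activateConsented(doc, consent) {
  const inert = Array.from(doc.querySelectorAll('script[type="text/plain"][data-cookiecategory]'));
  const activated = [];
  for (const old of scriptsToActivate(inert, consent)) {
    const fresh = doc.createElement("script");
    fresh.setAttribute("type", "text/javascript");
    fresh.setAttribute("data-cookiecategory", old.getAttribute("data-cookiecategory"));
    if (old.getAttribute("src") !== null) fresh.setAttribute("src", old.getAttribute("src"));
    fresh.textContent = old.textContent; // inline snippets are carried over too
    old.parentNode.replaceChild(fresh, old);
    activated.push(fresh.getAttribute("src") || "(inline)");
  }
  return activated;
}

// Constructed stand-in for the handful of DOM calls used above, so the demo
// runs outside a browser. Not a DOM implementation; just enough for this code.
function fakeElement(attrs) {
  const el = { attrs: { ...attrs }, textContent: "", parentNode: null };
  el.getAttribute = (n) => (n in el.attrs ? el.attrs[n] : null);
  el.setAttribute = (n, v) => { el.attrs[n] = v; };
  return el;
}
function fakeDocument(scriptAttrs) {
  const children = scriptAttrs.map((a) => fakeElement(a));
  const body = {
    replaceChild(fresh, old) { children[children.indexOf(old)] = fresh; fresh.parentNode = body; },
  };
  children.forEach((c) => { c.parentNode = body; });
  return {
    createElement: () => fakeElement({}),
    querySelectorAll: () => children.filter(
      (c) => c.getAttribute("type") === "text/plain" && c.getAttribute("data-cookiecategory") !== null),
    allScripts: () => children.slice(),
  };
}

// Constructed demo page: the two tagged scripts from the article plus one
// untagged, strictly necessary script (hypothetical /js/cart.js) that is never gated.
function demo(consent) {
  const doc = fakeDocument([
    { type: "text/plain", "data-cookiecategory": "analytics", src: "https://www.googletagmanager.com/gtag/js?id=UA-XXXXX" },
    { type: "text/plain", "data-cookiecategory": "marketing", src: "https://connect.facebook.net/en_US/fbevents.js" },
    { type: "text/javascript", src: "/js/cart.js" },
  ]);
  const activated = activateConsented(doc, consent);
  const stillInert = doc.allScripts()
    .filter((s) => s.getAttribute("type") === "text/plain")
    .map((s) => s.getAttribute("src"));
  return { activated, stillInert };
}

// In a browser, wire the gating to the CMP's consent event. The event and
// property names below are assumed from Cookiebot's public API; confirm them
// against its documentation before relying on them.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  window.addEventListener("CookiebotOnAccept", () => {
    activateConsented(document, {
      analytics: window.Cookiebot.consent.statistics,
      marketing: window.Cookiebot.consent.marketing,
    });
  });
} else {
  console.log(JSON.stringify(demo({ analytics: true, marketing: false })));
}
```

Run stand-alone it prints the result of accepting analytics only: the gtag script is activated and the Facebook Pixel script remains text/plain. The point worth keeping from the design is that nothing about a rejected script is touched at all, so there is no window in which its cookies could be set and then cleaned up.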

Respecting Consent and Handling Withdrawal

Once a user has made a choice, that choice must be respected consistently. If a user declines analytics cookies, do not load analytics scripts even if they are loaded for other visitors. If a user opts out of advertising tracking, do not use any data collected for profiling or targeting purposes.

Cookiebot provides a straightforward mechanism to change consent at any time. Add a link or button to your footer that reopens the consent preference screen, allowing users to modify their choices easily.

<!-- return false stops the browser following the # link and jumping to the top of the page -->
<a href="#" onclick="Cookiebot.renew(); return false;">Cookie Preferences</a>

Document when and how consent was given for each user. Most CMPs store this information and provide it to you upon request. Being able to demonstrate compliance if challenged by the ICO is an important part of your legal obligations. The documentation should include which categories the user consented to, when consent was given, and what version of your cookie policy was in effect at that time.

If you use a booking system on your website that sets cookies for functionality or analytics, it is worth reviewing how that system handles consent. Ensuring your booking platform is configured to respect consent choices is an important part of overall compliance. There is more detail on this topic available in the guide to booking systems and GDPR compliance.

Testing Your Cookie Consent Implementation

After installing a CMP, testing the implementation thoroughly helps ensure it works correctly for all users. Start by clearing your browser cookies and visiting your site as a first-time visitor. You should see the consent banner immediately.

Test each available option: accept all, reject all, and save specific preferences. Verify that analytics scripts load only when you have explicitly consented to analytics cookies. Verify that third-party cookies are not set before consent is given.

Use the browser developer tools to check what cookies are being set. In Chrome, open DevTools, go to the Application tab, and look at the Cookies section for your domain. Verify that no cookies from analytics or advertising services are set before you have given consent.

document.cookie

Running document.cookie in the browser console before giving consent should show only strictly necessary cookies. If you see analytics or marketing cookies appearing before consent, identify the script responsible and ensure it is tagged with the correct data-cookiecategory attribute.

Test the consent withdrawal process as well. After accepting cookies, return to your consent preferences and reject a category. Verify that the relevant scripts are no longer loaded and that no new cookies from that category are being set.
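The check described in this section, reading document.cookie and comparing it with what the user has agreed to, can be made repeatable. Here is an added example (not Cookiebot's own code) that parses a document.cookie string, classifies each cookie by name against the article's categories, and reports anything set without consent, including the withdrawal case where a previously accepted category is now rejected. The name-to-category table, the sessionid cookie, and the sample cookie strings are constructed for the demo; build the real table from your own cookie declaration.

```javascript
// Added example, not Cookiebot's own code: audit document.cookie against the
// current consent state. Table and sample strings are constructed for the demo.

// Known cookie names (matched exactly, or as name + "_" + suffix) mapped to the
// article's categories. "necessary" cookies are allowed with no consent at all.
const COOKIE_CATEGORIES = [
  { name: "sessionid", category: "necessary" },     // constructed: the site's own session cookie
  { name: "CookieConsent", category: "necessary" }, // the CMP's own consent record
  { name: "_ga", category: "analytics" },           // Google Analytics (_ga and _ga_<stream>)
  { name: "_gid", category: "analytics" },
  { name: "_fbp", category: "marketing" },          // Facebook Pixel browser id
];

// Parse the "name=value; name2=value2" form that document.cookie returns.
function parseCookieString(cookieString) {
  return cookieString
    .split(";")
    .map((s) => s.trim())
    .filter((s) => s.length > 0)
    .map((pair) => {
      const eq = pair.indexOf("=");
      return eq === -1 ? { name: pair, value: "" } : { name: pair.slice(0, eq), value: pair.slice(eq + 1) };
    });
}

// Category for a cookie name, or null when the table does not know it.
function categoryOf(name) {
  const hit = COOKIE_CATEGORIES.find((c) => name === c.name || name.startsWith(c.name + "_"));
  return hit ? hit.category : null;
}

// Compare what is actually set against what the user agreed to.
// `consent` is {} before any choice, { analytics: true } after accepting
// analytics only, or { analytics: false } after withdrawing it. Returns the
// cookies that should not be present plus any cookie missing from the table,
// which belongs in the cookie declaration before it can be classified.
function auditCookies(cookieString, consent) {
  const violations = [];
  const unclassified = [];
  for (const { name } of parseCookieString(cookieString)) {
    const category = categoryOf(name);
    if (category === null) {
      unclassified.push(name);
    } else if (category !== "necessary" && consent[category] !== true) {
      violations.push({ name, category });
    }
  }
  return { violations, unclassified };
}

// Constructed sample of what document.cookie might return on a site where
// analytics and marketing scripts fired before any consent was given.
const SAMPLE_COOKIES =
  "sessionid=abc123; CookieConsent=stamp; _ga=GA1.1.111.222; _ga_ABC123=GS1.1.333; _fbp=fb.1.444";

if (typeof document !== "undefined") {
  // In the browser console: pass the categories you have actually accepted.
  console.log(auditCookies(document.cookie, { analytics: false, marketing: false }));
} else {
  console.log("first visit, no choice yet:", JSON.stringify(auditCookies(SAMPLE_COOKIES, {})));
  console.log("analytics accepted only:", JSON.stringify(auditCookies(SAMPLE_COOKIES, { analytics: true })));
  console.log("analytics withdrawn:", JSON.stringify(auditCookies(SAMPLE_COOKIES, { analytics: false, marketing: true })));
}
```

Run it at each step of the test sequence above: with an empty consent object on a first visit, every analytics and marketing cookie in the result is a script that fired before consent; after withdrawing a category, any cookie of that category still being set points at a script that is not waiting for consent. Unclassified names are worth chasing too, since a cookie you cannot categorise is one your declaration does not yet cover.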

Ongoing Maintenance and Keeping Records

Cookie consent is not a one-time setup. Your website will change over time as you add new tools, update existing services, or change how you use data. Each time you add a new script that sets cookies, you need to update your cookie declaration and ensure the script is configured to wait for consent.

Review your cookie usage periodically. Remove scripts and services you no longer use. Update your privacy notice when your practices change. Keep records of consent for each user, as this documentation may be required if the ICO requests evidence of compliance.

If your website uses multiple domains or subdomains, each one typically needs its own cookie consent setup. Cookiebot and similar platforms allow you to manage multiple domains from a single account, but each domain must be individually configured.

When to Get Professional Help

Many small websites can implement cookie consent correctly using a CMP without professional help. However, there are situations where getting expert support is worthwhile.

If your website uses a large number of third-party scripts, or if those scripts are embedded in complex ways, reviewing each one to ensure proper consent handling can be time-consuming. A technical review can identify scripts that are not properly tagged and help you understand what each tool actually does with the data it collects.

If you have already received an enforcement notice or warning from the ICO, addressing the issues properly is important. A professional can help you understand what the ICO is requiring and implement the necessary changes.

If your website uses a booking system or other functionality that relies heavily on cookies, understanding how consent interacts with your core service is worth careful attention. The guide on booking systems and GDPR compliance covers this in more detail.

If you want a practical review of your current setup, you can get in touch with details of your website, the platforms you use, and any specific concerns you have about cookie compliance.