IT Training for Non-Technical Staff: Building a Base Level of Digital Literacy


Cookie Consent Management: What GDPR Actually Requires

Many websites fail to handle cookie consent correctly, whether through outdated implementations, accidental misconfiguration, or a misunderstanding of what the regulation demands. If your website uses cookies to track visitor behaviour, display personalised content, or collect any data beyond what is strictly necessary for the site to function, you need a compliant cookie consent system. This guide walks through what GDPR actually requires, where websites commonly fall short, and how to build a consent process that protects both your visitors and your organisation.

What GDPR Says About Cookies

Cookies fall under the definition of personal data when they can identify an individual, either directly or by linking cookie data with other information. Placing cookies on a user's device without consent can constitute processing of personal data without a lawful basis, which GDPR prohibits.

The regulation requires a lawful basis for any processing of personal data. For most non-essential cookies, consent is the appropriate basis. GDPR defines consent as a freely given, specific, informed and unambiguous indication of the user's wishes. For cookies, this means a user must actively choose to allow non-essential cookies. Silence, pre-ticked boxes, and bundled consent that forces users to accept all cookies in order to access content do not meet this standard.

The Three Requirements That Matter Most

Consent Must Be Specific and Granular

Users must be able to consent to some categories of cookies while rejecting others. A typical cookie policy includes several categories: strictly necessary cookies, functional cookies, analytics cookies, and marketing or advertising cookies. Users should have the ability to accept analytics and marketing cookies separately from functional ones. Your consent interface needs to present these categories clearly and allow independent toggling for each.

Strictly necessary cookies are the exception. These are cookies without which the website cannot function, such as session management cookies or security cookies used for fraud prevention. These do not require consent because they are essential to the service being provided. However, you must still disclose them in your cookie policy.

Consent Must Be Freely Given

Consent is not freely given if it is bundled with terms of service or if rejecting consent makes the service significantly worse. Cookie banners that block the entire site until all cookies are accepted are non-compliant. A user must be able to reject non-essential cookies without being denied access to the content they came to see.

The consent mechanism should present accept and reject options with equal prominence. This means the reject button should not be harder to find, visually de-emphasised, or require additional clicks compared to the accept option. Regulatory guidance has increasingly focused on dark patterns in consent interfaces, and consent banners designed to nudge users toward acceptance without providing a genuine equal choice have drawn regulatory scrutiny.

Consent Must Be Revocable

Users must be able to change their minds after they have given consent. Your website needs a mechanism for users to revisit their cookie preferences at any point. This is often implemented as a cookie settings link in the footer or within the privacy policy.

When a user revokes consent, any non-essential cookies that were set based on that consent should be removed or deactivated. This requires your consent management system to communicate preference changes to your tag management system, which in turn suppresses or removes the relevant tags and cookies.

What a Compliant Cookie Banner Looks Like

A compliant cookie consent banner needs to clearly identify the organisation using the cookies, explain why the cookies are used and what data they collect, give users a genuine choice, and avoid dark patterns that steer users toward accepting cookies.

The banner should present two or more clear options. A practical approach is a three-option layout: accept all, reject all, and customise. The customise option should open a panel where users can toggle individual cookie categories. Both the accept and reject options should be equally visible and easy to select.

Once a user has made their choice, the banner should not reappear on subsequent page loads unless the user clears their preferences, or a significant amount of time has passed and you need to reconfirm consent. Some organisations set a consent expiry period and prompt users to renew their preferences periodically, which can be a reasonable approach depending on your interpretation of the regulation and guidance from your local data protection authority.

Recording and Managing Consent

GDPR requires you to demonstrate that consent was given. This means you need to keep a record of each consent event, including what the user consented to, when they gave consent, and what version of the cookie policy was in place at that time. This consent record should be stored securely and retained for as long as the cookie data remains in use, plus a reasonable period afterwards.

When a user returns to your site and has previously given consent, your system should check for that consent record and apply the appropriate cookie settings. If no consent record exists, the default should always be to reject non-essential cookies until the user actively opts in. This reject-by-default approach is fundamental to compliant consent management.

Managing this technically involves setting a timestamp and consent preference in your database or consent management platform when the user makes their choice. When the user revisits, your tag management system or consent management platform checks this record before firing any non-essential tags. Many organisations use a dedicated consent management platform to handle this logic, which can integrate with popular tag management systems.

Common Mistakes That Lead to Non-Compliance

Several patterns appear repeatedly in non-compliant cookie implementations. Understanding these helps you identify gaps in your own setup.

  • Pre-ticked boxes: Any cookie category that is enabled by default before the user takes action is non-compliant. The user must actively select each category they want to enable.
  • Blocking access: Preventing users from accessing content unless they accept all cookies is not permitted. Users must be able to reject non-essential cookies and still use the site.
  • No reject option: Providing only an accept button, or burying the reject option in fine print, does not meet the requirement for freely given consent.
  • Bundled consent: Presenting all cookies as a single package where accepting means accepting all categories does not allow for granular consent.
  • Cookies set before consent: If analytics or marketing scripts are present in your site's code, they may drop cookies as soon as a user visits, before consent is obtained. These scripts need to be configured to wait until consent is recorded before setting non-essential cookies.
  • No mechanism to withdraw consent: If users have no way to return and change their preferences, the consent is not revocable as required.
  • Vague cookie descriptions: Telling users that cookies are used "to improve your experience" without explaining what data is collected and how it is used does not constitute informed consent.

Third-Party Scripts and Tag Management

Most modern websites include third-party scripts for analytics, advertising, social media integration, or chat widgets. Each of these may drop cookies, which means each script that sets non-essential cookies needs to be controlled by your consent mechanism.

Using a tag management system alongside your consent management platform allows you to fire scripts only when the appropriate consent has been given. The tag management system listens to the consent signal and triggers or suppresses tags based on the user's preferences. This prevents cookies from being set before consent is obtained, which is a common compliance issue even on otherwise well-configured websites.
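As an added illustration (not code from the article or any particular consent platform), the following JavaScript models both the consent record described under "Recording and Managing Consent" and the tag gating described here: a missing, malformed, outdated or expired record falls back to rejecting every non-essential category, tags fire only for consented categories, and withdrawal removes the cookies of any category switched off. The storage "jar" is a plain object so it runs outside a browser; POLICY_VERSION, CONSENT_KEY, CONSENT_TTL_MS and the CATEGORY_COOKIES mapping are assumptions.

```javascript
// Added example (not the article's own code): a minimal consent gate. Storage is an
// injected plain object "jar" so it runs in Node; in a browser the same jar would be
// backed by document.cookie or localStorage. The constants below are assumptions.
const POLICY_VERSION = "2024-06";                   // bump whenever the cookie policy changes
const CONSENT_KEY = "cookie_consent";
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000;   // re-confirm consent after ~6 months
const NON_ESSENTIAL = ["functional", "analytics", "marketing"];
// Which cookies each non-essential category's scripts set (constructed sample mapping).
const CATEGORY_COOKIES = { functional: ["lang_pref"], analytics: ["_ga", "_gid"], marketing: ["_fbp"] };

const denyAll = () => Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));

// Effective consent state. Default is reject-all for non-essential categories: a missing,
// malformed, outdated (older policy version) or expired record yields the default and
// flags that the banner must be shown again.
function readConsent(jar, now = Date.now()) {
  const raw = jar[CONSENT_KEY];
  if (!raw) return { categories: denyAll(), showBanner: true, reason: "no-record" };
  let rec;
  try { rec = JSON.parse(raw); } catch { rec = null; }
  if (!rec || typeof rec !== "object") return { categories: denyAll(), showBanner: true, reason: "malformed" };
  if (rec.version !== POLICY_VERSION) return { categories: denyAll(), showBanner: true, reason: "policy-changed" };
  if (typeof rec.timestamp !== "number" || now - rec.timestamp > CONSENT_TTL_MS) {
    return { categories: denyAll(), showBanner: true, reason: "expired" };
  }
  // Only an explicit boolean true counts as opt-in; anything else stays rejected.
  const categories = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, rec.categories?.[c] === true]));
  return { categories, showBanner: false, reason: "ok" };
}

// Persist the user's active choice with the policy version and a timestamp: this is the
// consent record you must be able to produce to demonstrate that consent was given.
function recordConsent(jar, chosen, now = Date.now()) {
  const categories = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, chosen[c] === true]));
  jar[CONSENT_KEY] = JSON.stringify({ version: POLICY_VERSION, timestamp: now, categories });
  return categories;
}

// Tag-manager side: a tag fires only if its category is consented; "necessary" always fires.
function shouldFire(jar, category, now = Date.now()) {
  if (category === "necessary") return true;
  return readConsent(jar, now).categories[category] === true;
}

// Withdrawal: store the new choice, delete the cookies of every category that was just
// switched off, and return their names so the tag manager can also suppress those tags.
function revokeConsent(jar, chosen, now = Date.now()) {
  const before = readConsent(jar, now).categories;
  const after = recordConsent(jar, chosen, now);
  const removed = NON_ESSENTIAL.filter((c) => before[c] && !after[c]).flatMap((c) => CATEGORY_COOKIES[c]);
  for (const name of removed) delete jar[name];
  return removed;
}
```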

When adding new third-party tools to your website, you should assess whether they set cookies and ensure they are covered by your consent management configuration. This is an area where ongoing website maintenance matters. As new tools are added and old ones removed, the consent configuration needs to be updated accordingly.

If you operate booking systems or e-commerce functionality that involves customer data collection, the interaction between your booking platform and consent management deserves particular attention. Many booking platforms set cookies for session management, fraud prevention, and payment processing alongside marketing and analytics cookies, which means your consent configuration needs to account for all of these categories separately.

Writing a Cookie Policy That Meets the Standard

Your cookie policy must be clear and accessible. It should identify all cookies used on your site, explain what data each cookie collects, state how long each cookie remains on the device, and describe the purpose of each category of cookies. The policy should also explain how users can manage their preferences and withdraw consent.

A cookie policy that reads as a wall of legal text is not accessible to most users. Using plain language, clear headings, and a well-structured layout helps users actually understand what they are agreeing to. The goal is informed consent, and that requires the user to be able to read and understand the information provided.

Some organisations maintain separate cookie policies and privacy policies. The cookie policy focuses specifically on the cookies used, while the privacy policy covers broader data processing activities including form submissions, email communications, and customer account data. Keeping these documents separate can make them easier to read and maintain, though both should be linked from your cookie consent banner.

When to Review Your Consent Implementation

Cookie consent is not a one-time setup. Your website evolves, you add new tools, third-party services change how they use cookies, and regulatory guidance can shift. Regular reviews of your consent implementation are important to maintain compliance over time.

It is worth reviewing your cookie consent setup whenever you add a new third-party script to your website, change your analytics platform, update your privacy policy, or add significant new functionality that may involve new types of data collection. Annual reviews are a reasonable baseline even if no changes have been made, to ensure your consent records are being handled correctly and your banner remains compliant with current guidance.

Supervisory authorities in the UK and EU regularly publish updated guidance and decisions related to cookie compliance. Keeping up with these publications, particularly from the Information Commissioner's Office in the UK, helps you stay aware of evolving expectations for consent interfaces and consent management practices.

Integrating Consent With IT Operations

For many organisations, cookie consent management sits at the intersection of web development, IT operations, and data protection responsibilities. Ensuring your website uses the correct consent mechanism often involves configuration work in your tag management system, your content management system, and potentially your web server or CDN if cookie handling logic is implemented at that level.

If your website is managed as part of a broader IT support arrangement, it is worth discussing cookie consent during your regular website maintenance reviews. The technical requirements and the legal requirements both need to be addressed, and having someone who understands both sides of this can help ensure the implementation is robust and stays current as your site evolves.

For businesses that are building out their broader IT governance, aligning cookie consent management with your IT strategy helps ensure that web compliance is considered alongside other technology priorities rather than being treated as an isolated task. Compliance considerations can inform decisions about which third-party tools to adopt, how your tag management architecture is structured, and how website changes are reviewed before deployment.

Building Awareness Across Your Team

Cookie consent compliance is not only a technical implementation problem. Anyone in your organisation who makes decisions about adding new tracking tools, launching new web features, or changing how user data is handled should understand the implications for consent. This is particularly relevant for marketing teams, web developers, and anyone involved in vendor selection for analytics or advertising platforms.

Providing your team with basic IT security awareness training or data protection briefings can help reduce the risk of non-compliant changes being made without appropriate review. When teams understand that adding a new marketing pixel or analytics tool may require changes to your consent management configuration, they are more likely to flag these additions before implementation rather than after.


Getting the Basics Right

Cookie consent compliance comes down to a few core principles. Users need to be informed about what cookies are used and why. They need a genuine, accessible choice between accepting and rejecting non-essential cookies. That choice needs to be recorded and respected. And users need to be able to change their preferences at any time.

Getting these basics right protects your users and reduces your regulatory exposure. It also builds trust. Users who feel they were given a fair choice are more likely to engage positively with your site than those who felt pressured into accepting cookies they did not want.

If your current cookie consent setup has not been reviewed for some time, or if you are unsure whether it meets the current requirements, it is worth taking a closer look. A practical review of your consent banner, your cookie policy, and your tag management configuration can quickly identify gaps that need to be addressed.

Frequently Asked Questions

Does my website need a cookie consent banner if I only use basic analytics?

Yes, in most cases. Analytics cookies that track visitor behaviour across pages are generally considered non-essential because they are not strictly necessary for the website to function. Even if you use privacy-focused analytics tools, they may still set cookies and therefore require consent under GDPR. Strictly necessary cookies are the only category that does not require consent, and analytics does not typically fall into this category.

What happens if my cookie consent is not compliant?

Data protection authorities in the UK and across the EU have the power to investigate complaints and issue fines for non-compliance. The level of fines depends on the nature of the breach and whether it is a first occurrence or a repeat issue. Beyond regulatory risk, non-compliant cookie banners can damage trust with your users, particularly if they feel they were manipulated into accepting cookies. It is worth addressing compliance issues proactively rather than waiting for a complaint or investigation.

Can I use a third-party consent management platform?

Yes, many organisations use dedicated consent management platforms to handle the technical side of consent collection and management. These platforms can help you display a compliant banner, record consent properly, and integrate with your tag management system to control when scripts fire. When selecting a platform, check that it supports the specific consent categories you need, that it allows for granular configuration, and that it provides adequate consent records for your compliance documentation.

How often should I review my cookie consent setup?

An annual review is a sensible baseline. However, you should also review your setup whenever you add new third-party tools to your website, change your analytics provider, update your privacy policy, or make significant changes to how your site handles user data. Changes to your technology stack or marketing tools are the most common triggers for consent configuration updates.

Do I need consent for cookies if my users are outside the EU?

GDPR applies to users located in the EU regardless of where your organisation is based. If your website attracts EU-based visitors, you should have a compliant consent mechanism in place for those users. UK GDPR has similar requirements for users in the UK. If your website has a significant international audience, it is worth assessing which regulations apply and ensuring your consent approach meets the highest applicable standard.

What is the difference between UK GDPR and EU GDPR for cookie compliance?

The UK retained GDPR as part of its domestic law after leaving the EU, often referred to as UK GDPR. The requirements for cookie consent are broadly similar between the two regimes, though there are some differences in how they are enforced and in guidance from the respective supervisory authorities. The Information Commissioner's Office in the UK provides guidance on cookie compliance for UK-based organisations, and the core principles of specific, granular, freely given, and revocable consent apply in both jurisdictions.

What should I do if my booking system sets cookies?

Booking systems and e-commerce platforms often set multiple categories of cookies including strictly necessary session cookies, functional cookies for remembering user preferences, and potentially marketing or analytics cookies depending on the platform. Each category needs to be handled separately in your consent management configuration. Strictly necessary cookies related to the booking process do not require consent, but functional, analytics, and marketing cookies do. Review the specific cookies your booking platform sets and ensure each category is correctly assigned in your consent management platform.