Do I need one of those awful cookie popups?

In this article, we’ll look at:

  • Why your website might be using Cookies whether you know it or not
  • How the GDPR has made things complicated
  • Whether you need Cookie Control on your site


UPDATE NOTICE – Late 2019: Please note that in July 2019 the UK Information Commissioner’s Office (ICO) published updated guidance on the use of cookies.

While the following article has been updated to reflect the new guidance, we have written a complete update on the position as it stands now with regard to cookies, cookie notifications and cookie consent mechanisms.

View the updated article

We’ve all got used to seeing pop-up boxes on websites, notifying visitors about the use of cookies on the site.

You should already have seen ours, but you can take another look here if you’re the masochistic type.

If you’ve been following our series of articles on the implementation of the EU General Data Protection Regulation, you may be rightly asking yourself what impact the GDPR will have on the use of website cookies, and what you need to do to make your small business website compliant.

Well, the truth is that it’s complicated – and in this article, I’ll go onto explain why and, more importantly, what actions you need to take if you operate a website that uses cookies.

We’re going to look at:

  • Why your website might use cookies;
  • Why the new regulation makes the use of cookies particularly confusing;
  • Recommendations for how to approach the use of cookies post-GDPR.

A heads-up: By the end of this article, I will have explained why, for some simple websites, it may be completely legitimate not to display any form of cookie warning at all – but that will likely be the exception rather than the rule. You will need to make an informed decision relating to your own website, based on your use of Google Analytics, e-commerce, social media tracking and other cookie-dropping functionality.

Why cookies are important to website owners

If you’re not sure what cookies are, there’s plenty of good content online to get you up to speed, so I’m not going to address that here. You can’t go far wrong with Wikipedia’s article as a starting point.

Suffice to say, it would be the exception rather than the rule for a website not to use any cookies at all – so if you run a small business website (or pretty much any other type, for that matter), you want to give this some thought.

Let’s quickly look at some typical uses of cookies so that you’ve got some context on the type of functionality that they enable:

  • E-commerce websites that use a ‘cart’ or ‘basket’ to remember items that the customer wants to buy will use cookies;
  • Any form of personalisation of the website (such as the preferred language) is bound to use cookies to remember the user’s choice;
  • Statistical analytics (such as Google Analytics) will use cookies as the fundamental means of being able to tell one user from another;
  • Social media marketing (such as targeted Facebook advertising) relies on the placement of cookies to work;
  • Content Management Systems, such as WordPress, use a selection of cookies to manage user logins, blog commenting and more.

It’s therefore pretty clear why we need to get a grip on using cookies in a compliant manner – without them, we would lose a number of significant tools.

Why cookies have suddenly got more complicated

The GDPR was never meant to be the be-all and end-all of privacy law – it was always meant to be introduced at the same time as a separate piece of legislation, the Regulation on Privacy and Electronic Communications (or more commonly, the ePrivacy Regulation). Both new regulations were due to replace existing law*.

Whilst the GDPR provides a broad framework of regulation covering a wide range of scenarios, the ePrivacy Regulation was intended to address the specific detail of the regulation of electronic communications, which includes Cookies. The GDPR says virtually nothing about cookies specifically.

You can probably sense that there is a ‘but’ coming.

But – the problem is that the ePrivacy Regulation is not going to be ready in time to coincide with the GDPR, and the GDPR is going ahead anyway – so we’re left in a slightly bizarre limbo situation:

  • The GDPR comes into force on 25th May 2018;
  • The ePrivacy Regulation is unlikely now to come into force until 2019;
  • That means that the existing ePrivacy Directive, which was due to be replaced, is still in force;
  • We do know what the current draft of the ePrivacy Regulation says – so, subject to any changes, we’ve got a reasonable idea what it’s going to say;
  • But as things stand, we’ll be in a situation where we’re trying to comply with two pieces of legislation that were never really designed to work together, and which – in some ways – conflict with each other.


The specific issue with cookies

So that leads us to our specific issue in relation to cookies.

Under the GDPR, most cookies are going to fall into the category of ‘personal data’ because they are capable of identifying an individual and can be used to provide website personalisation and even profiling of individuals.

As a result, you are going to need a legal basis for processing the data contained within those cookies – and that legal basis is most likely going to be the CONSENT of the individual.

Under the previous rules, the idea of ‘implied consent’ was OK.

It is implied consent that makes it acceptable to say something like ‘This website uses cookies. By using the site you are agreeing to the use of cookies’. The principle was that as long as you told people about the use of cookies, it was OK to use them, regardless of whether they really agreed or not.

The GDPR mandates that implied consent is no longer valid.

Instead, consent must be explicit and indicated by an ‘affirmative action’ on the part of the individual. Therefore for consent to be valid, you have to give the individual the choice of whether to consent, before any cookies are used.

This creates two immediate problems if you want to use cookies that require consent:

  1. Website development: Your website must be developed in such a way that no such cookies are used when the person first lands on the page. The cookies can only be set when they have ticked an ‘I consent’ box or something similar. Technically, this can be quite complex, and it is likely to result in a less-than-ideal user experience when they visit your site;
  2. Where’s the incentive?: There is generally very little perceived incentive for the individual to actually consent. Let’s be honest, often enough the reason you want to use cookies is for your benefit (e.g. analytics, social media marketing), and not the individual’s.

It’s not hard to imagine a scenario where we’re all forced to make (potentially complex) changes to our websites that force visitors to make decisions about whether to allow cookies or not before they even get to see our precious, carefully designed homepages.

And then, given that we’re likely to want to use cookies to enable website analytics or social media marketing, the effectiveness of those things will be hugely undermined by the fact that by default, they won’t work! They will only kick in if somebody goes out of their way to check the consent box(es).

Is consent necessary?

So far in this article, I’ve already made specific references to ‘cookies that require consent’.

I’ve done that because you should not assume that all cookies DO require consent.

Guidance issued by the ICO since the implementation of the GDPR has helped to clarify this issue somewhat. What we now know is that:

  • When it comes to the placement of cookies on a website, consent is the only relevant lawful basis (you cannot, for example, rely on one of the other GDPR lawful grounds such as Legitimate Interest). So, yes – unless your cookies fall into the exception that I describe below, consent is necessary;
  • Where consent is necessary, you have to gain that consent before any cookies are set;
  • There is an exemption for cookies that are considered ‘essential’ in order to perform a particular online service on someone’s behalf. For these types of ‘necessary’ cookies, no specific consent is required. An example of such ‘essential’ cookies would be cookies that are used to remember basket items during an online shopping process.

It is therefore possible to use cookies on your website without consent, but only in the scenario where all of the cookies in use on your site can (legitimately) be considered as ‘essential’. It’s pretty clear that cookies for the purpose of analytics or social marketing are not going to be considered as essential.

So, as things stand, the situation would appear to be this if you want to be compliant:

  • You need to determine exactly what cookies are in use on your website – this is going to be essential in any event;
  • You’ll need to make a determination (one that you’re prepared to stand by) about which, if any, of those cookies are ‘essential’ and therefore do not require consent;
  • If any of the cookies in use on your site do require consent, then you will either need to:
    • Remove them; or
    • Add some form of cookie control functionality to your website to ensure that the cookies are only set in the event of the user actively consenting.

Both of these actions will involve some sort of technical development, so unless you’re into that sort of thing yourself, you’re going to need to speak to whoever looks after your site.

We’re going to move on to address some of the more commonly used types of cookies, with a proposed approach to each.

E-commerce carts and baskets

In previous legislation, including the existing ePrivacy Directive, there is an exemption to the requirement to gain consent for cookies that are ‘strictly necessary’ for the purpose of fulfilling the user’s request.

Cookies are essential to provide this type of functionality, and therefore their use is seen as legitimate under the prevailing ePrivacy Directive. There is no reason to believe that that will change under the ePrivacy Regulation.

From a GDPR perspective, we would also suggest that the use of such cookies is legitimate as part of fulfilling a contract to which the individual is party. This is an additional lawful basis for processing the data (Article 6(1)(b)).

Therefore, cookies used for this purpose shouldn’t cause you any additional concern. That said, you should still highlight the use of such cookies in your Privacy Policy, even if you’re not relying on consent.

Website Analytics

The use of website analytics, and Google Analytics in particular, is the category of cookies that will arguably affect the largest proportion of small business websites.

When the GDPR was first implemented, there was a distinct grey area around whether the general rules relating to cookies – and in particular the need to gain consent in advance for their use – would really apply to the types of cookies placed by analytics tools.

Essentially, I think we were all hoping against hope that they wouldn’t. Because if you need to ask a website visitor whether it’s OK for you to track their visit in your analytics, then inevitably your analytics will only ever give you part of the picture of your site’s performance. It undermines the very purpose of using analytics in the first place.

Guidance subsequently issued by the UK ICO has given significant clarity to this issue – it’s just not the answer that many people were hoping for:

Essentially, under the Privacy and Electronic Communications Regulations (PECR) and the GDPR, there is no specific exemption for analytics cookies, and so the same rules requiring specific, valid consent apply.

Technically, therefore, we must ensure that a visitor to our website has expressly consented to the use of analytics cookies before we can run the relevant scripts to track their visit.

Incidentally, there are some broader privacy considerations that should be borne in mind when using analytics (usually Google Analytics):

  • Make sure you do not, intentionally or inadvertently, send any data to Google Analytics that allows the identification of an individual. Not only would this be a privacy issue, it is also a breach of the Google Analytics Terms of Service. The most common situation in which this occurs is when personal data is included dynamically within a page URL;
  • Make sure your Google Analytics tracking code includes the optional ‘anonymizeIp’ setting, which has the effect of partially obscuring the user’s IP address.

These are both clearly technical configuration issues – if they don’t mean anything to you, you will need to discuss them with whoever looks after your analytics.
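The two configuration points above, as an added example that is not from the original article and not Google’s own code: a helper that strips personal data from the page path before it is reported, and the analytics.js command sequence that turns on IP anonymisation and sends that sanitised path instead of the raw URL. The list of parameter names treated as personal data, the `REDACTED` marker and the tracking ID placeholder are assumptions made for the example.

```javascript
// Added example, not the article's code and not Google's: two data-minimisation
// steps for an analytics.js (ga()) tracker, written so the helpers also run
// outside a browser. The parameter names treated as personal data, the
// REDACTED marker and the tracking ID placeholder are assumptions.

// Query-string parameters that commonly carry personal data (assumed list; a
// real site would extend it after auditing its own URLs).
const PII_PARAMS = new Set(['email', 'name', 'firstname', 'lastname', 'phone', 'token']);
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Return the path and query to report for a page view, with personal data
// replaced by a marker. Parameters are redacted by name, and any parameter whose
// value looks like an e-mail address is redacted whatever its name, which covers
// the common case of an address being injected into a URL dynamically.
function sanitizePagePath(href) {
  const url = new URL(href, 'https://placeholder.invalid'); // base only used for relative hrefs
  const clean = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    const redact = PII_PARAMS.has(key.toLowerCase()) || EMAIL_RE.test(value);
    clean.append(key, redact ? 'REDACTED' : value);
  }
  const query = clean.toString();
  return url.pathname + (query ? '?' + query : '');
}

// The ga() command sequence for one page view. anonymizeIp is an analytics.js
// setting that makes Google truncate the visitor's IP address before storing it;
// the page override sends the sanitised path instead of the real location.
function trackerCommands(trackingId, href) {
  return [
    ['create', trackingId, 'auto'],
    ['set', 'anonymizeIp', true],
    ['set', 'page', sanitizePagePath(href)],
    ['send', 'pageview'],
  ];
}

// In a browser, replay those commands into the global ga() queue once
// analytics.js has loaded (and, per the rest of the article, only after the
// visitor has consented). Returns false where there is no tracker to call.
function sendPageview(trackingId) {
  if (typeof window === 'undefined' || typeof window.ga !== 'function') return false;
  for (const cmd of trackerCommands(trackingId, window.location.href)) window.ga(...cmd);
  return true;
}
```

On a real site `sendPageview('UA-XXXXX-Y')` (placeholder ID) would be called from the consent-gated analytics loader rather than inline; the sanitiser only covers the query string, so personal data embedded in the path itself (`/welcome/jane`) still needs to be kept out of URLs at the application level.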

Analytics summary: It is now clear that, technically, in order to comply with all of the relevant regulations and legislation, we must actively gain the consent of our website visitors before any cookies are set for the purpose of analytics. This will require some form of cookie control mechanism to be implemented on websites, in order to ensure that all cookie scripts are ‘held back’ until the user actively gives consent – and that mechanisms are put in place to allow users to withdraw that consent at a later stage.

I’ll repeat my previous disclaimer: this is not legal advice, and you need to make your own informed decision about how you handle these cookies.

Social Media Marketing

The use of social media marketing, most commonly Facebook targeted advertising, represents a somewhat complex situation from a privacy perspective.

The majority of the data collection and processing happens on the Facebook platform, and Facebook is the Data Controller for the majority of such services. Therefore Facebook has significant GDPR obligations, including making its own terms and privacy policy GDPR compliant.

As part of this obligation, the Facebook advertising Terms of Service for advertisers includes a requirement that all advertisers display a ‘clear and prominent notice’ about the use of the cookies and other technologies that are required for such advertising.

So, any website that uses the Facebook (or similar) pixel to allow the profiling of web visitors (e.g. for the purposes of targeted marketing campaigns) requires the consent of the individual for the placement of the cookies that are associated with that functionality.

In the past, this consent could be based upon the ‘implied consent’ model but, as we have seen, such implied consent will no longer be valid under the GDPR.

As a result, if you plan to continue to use social media marketing, including the Facebook pixel for targeted ads, you will need to ensure that your website meets this consent requirement.

You cannot load the pixel code that generates the cookies until the individual has provided a clear, affirmative action confirming their consent. Very few websites are currently configured to work in this way, so this will likely require your attention.
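The ‘hold back until consent’ mechanism that both the analytics summary and this section call for, as an added example that is not from the original article and not any consent-tool vendor’s code: a small consent gate that runs registered loaders (the analytics snippet, the pixel snippet) only once the visitor has recorded an affirmative choice, treats an ‘essential’ category (basket cookies) as never gated, and supports withdrawal by forgetting the decision and deleting the cookies the gated scripts set. The cookie name `cookie_consent`, the category names, the 180-day lifetime and the small cookie-store interface are all assumptions made for the example.

```javascript
// Added example (not the article's code, nor any vendor's): a minimal consent gate.
// Cookie name, categories, lifetime and the store interface are assumptions.

const CONSENT_COOKIE = 'cookie_consent';
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60; // seconds; assumed lifetime of the decision
const ESSENTIAL = 'essential'; // e.g. basket cookies: never gated, never cleared

function safeDecode(s) { try { return decodeURIComponent(s); } catch (e) { return s; } }

// Parse a Cookie-header-style string ("a=1; b=2") into an object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) out[name] = safeDecode(part.slice(eq + 1).trim());
  }
  return out;
}

// Read the recorded decision. Anything missing or malformed counts as "no
// consent", never as consent: the safe default is that nothing loads.
function readConsent(header) {
  const raw = parseCookies(header)[CONSENT_COOKIE];
  if (!raw) return [];
  try {
    const decision = JSON.parse(raw);
    return Array.isArray(decision.granted) ? decision.granted.filter(c => typeof c === 'string') : [];
  } catch (e) {
    return [];
  }
}

// The gate reaches cookies through a store so the same logic runs in a browser
// or a test: { read(): string, write(name, value, maxAge), remove(name) }.
class ConsentGate {
  constructor(store) {
    this.store = store;
    this.categories = new Map(); // category -> { load, cookieNames }
    this.loaded = new Set();
  }
  // Register the code that sets cookies for a category, and the cookie names it
  // creates, so they can be cleared if consent is later withdrawn.
  register(category, load, cookieNames) {
    this.categories.set(category, { load, cookieNames });
  }
  granted() { return new Set([ESSENTIAL, ...readConsent(this.store.read())]); }
  isAllowed(category) { return this.granted().has(category); }
  // Run loaders for every allowed category not yet run. Call once on page load
  // and again after the visitor makes a choice; it is safe to call repeatedly.
  apply() {
    const started = [];
    for (const [category, entry] of this.categories) {
      if (this.isAllowed(category) && !this.loaded.has(category)) {
        entry.load();
        this.loaded.add(category);
        started.push(category);
      }
    }
    return started;
  }
  // Record an affirmative choice (the boxes the visitor actually ticked). An empty
  // choice is still recorded, so the banner need not reappear on every page.
  grant(categories) {
    const granted = categories.filter(c => c !== ESSENTIAL && this.categories.has(c));
    const value = encodeURIComponent(JSON.stringify({ granted, at: Date.now() }));
    this.store.write(CONSENT_COOKIE, value, CONSENT_MAX_AGE);
    return this.apply();
  }
  // Withdraw consent: forget the decision and delete the gated scripts' cookies.
  // Scripts already executing cannot be unloaded, so a reload is expected after this.
  withdraw() {
    this.store.remove(CONSENT_COOKIE);
    const removed = [];
    for (const [category, entry] of this.categories) {
      if (category === ESSENTIAL) continue;
      for (const name of entry.cookieNames) { this.store.remove(name); removed.push(name); }
    }
    this.loaded.clear();
    return removed;
  }
}

// In-memory store, so the example runs outside a browser.
function memoryStore() {
  const jar = new Map();
  return {
    read: () => [...jar].map(([k, v]) => `${k}=${v}`).join('; '),
    write: (name, value) => { jar.set(name, value); },
    remove: (name) => { jar.delete(name); },
  };
}

// Browser store over document.cookie. Secure and SameSite=Lax on the consent
// record keep it from being sent over plain HTTP or in cross-site requests.
function documentStore() {
  return {
    read: () => document.cookie,
    write: (name, value, maxAge) => {
      document.cookie = `${name}=${value}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
    },
    remove: (name) => { document.cookie = `${name}=; Max-Age=0; Path=/`; },
  };
}
```

In a browser you would construct `new ConsentGate(documentStore())`, register the analytics snippet under `'analytics'` with its cookie names (`_ga`, `_gid`) and the pixel snippet under `'marketing'` with `_fbp`, call `apply()` on every page load and `grant([...])` from the banner’s button. Two caveats a practitioner will hit: third-party cookies are usually set with a `Domain` attribute, so the browser `remove` above must be extended with a matching `Domain` for them to actually go, and any cookie set by the server with `HttpOnly` is invisible to this script and has to be cleared server-side.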

Functionality-based cookies

It is common, especially for sites based on a CMS like WordPress, to use cookies to provide particular types of functionality – for example, on a multi-lingual site, it is likely that a cookie will be used to store the user’s language preference. Or, on a site that uses popup windows, a cookie might be used to track that a user has already seen the popup, and prevent it from firing repeatedly.

These types of cookies, especially when they are generated by a software plugin, can be a little more complex to deal with from a privacy perspective – because it may be necessary to adjust the code that delivers those cookies to ensure that they are only set when an individual has given their consent.

Whether this is possible or not will depend on the exact nature of the cookie itself, and it is therefore likely that you will need to speak with whoever looks after your site.


As you can no doubt tell, getting the cookie control and privacy policy right is likely to be a challenge for many small business websites.

In my opinion, there will be plenty of simple websites out there that, if managed properly, will not need any specific cookie control functionality or annoying cookie warnings.

The wisest approach is:

  • to thoroughly audit your site so that you definitely understand what cookies are in use;
  • challenge yourself whether those cookies are really necessary, and remove any cookie-dropping functionality that you don’t really need – after all, data minimisation is always going to be your best bet here;
  • make sure you have a good justification (documented in your privacy policy) for the use of any cookies for which you say you don’t need consent;
  • speak to whoever looks after your website to work out your options for blocking any remaining cookies that do need prior consent.

And if it feels like a pain in the arse, that’s because it is.

I’ll repeat my disclaimer from the beginning of this series of articles – the responsibility for data privacy within your business is ultimately with you, the data controller. The information provided here is an attempt to help people short-cut what can be a daunting task – but none of it should be considered to be legal advice.

You can contact me here if you have any data privacy needs relating to your website. For specific legal advice relating to your particular business, I would always recommend speaking to a specialist legal professional.

In case you’ve missed any of our previous articles, you can check them out here: