
Google’s cookie ban was pushed back… again! This time to 2024

While this guide isn’t endorsed by the ICO and is not legal advice, we have frequently contacted the Information Commissioner’s Office to ensure our conclusions are correct. Big thanks to their incredibly helpful team.

Cookie compliance and the UK cookie law

In a hurry?

How to make your cookie consent compliant

Warning

Please note that many reputable companies are not compliant. Please refrain from copying cookie prompts from other websites, including using the same consent mechanism software.

Letting visitors know that you’re using cookies is not enough. They have to actively agree to the storage of cookies that aren’t strictly necessary.

A non-compliant cookie bar informing about the use of cookies and assuming consent, while the website pre-loads optional tracking cookies right away.

You can’t hide the “consent” message in Terms & Conditions or rely on browser settings.

Positive opt-in is required for all optional cookies in the UK cookie law.

Snippet of our cookie consent management interface showing two checkboxes for different types of cookies.
When managing consent preferences, optional cookies should be turned off by default. The visitors have to actively opt-in to give their consent.

You can only pre-load strictly necessary cookies

Only cookies necessary for communication or delivering crucial website features can be classed as “necessary”. This would include:

  • e-commerce cookies that allow users to add items to the cart
  • authentication cookies that remember the visitor’s previous login credentials
  • user preferences, such as personalisation options on your website or a cookie that stores their cookie settings
  • communication cookies, i.e. for a chatbot functionality, but only if communication is impossible without the cookies

Other analytics, advertising and tracking cookies cannot be classified as strictly necessary.

The solutions that are currently available on the market often are just “dummy” consent prompts. Many of them have the ability to only block the cookies after the consent settings are saved. Since this scenario includes pre-loading all cookies on your website on page load, these solutions aren’t compliant in light of UK law.
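A consent gate that holds optional scripts back until the visitor opts in, as an added example (not code from this guide or any consent product). The category names, the stored-preference format and the `createConsentGate` API are assumptions; in a browser each loader callback would inject the third-party script tag.

```javascript
// Added example: categories, storage format and function names are hypothetical.
const OPTIONAL_CATEGORIES = ["analytics", "advertising"];

// Parse a stored preference string; missing or malformed data means "no consent".
function parseStoredConsent(raw) {
  const consent = Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, false]));
  if (typeof raw !== "string") return consent;
  let parsed;
  try { parsed = JSON.parse(raw); } catch { return consent; }
  if (parsed === null || typeof parsed !== "object") return consent;
  for (const c of OPTIONAL_CATEGORIES) {
    consent[c] = parsed[c] === true; // only an explicit boolean true counts
  }
  return consent;
}

function createConsentGate(storedRaw) {
  const consent = parseStoredConsent(storedRaw);
  const pending = new Map(); // category -> loaders waiting for opt-in
  const loaded = [];         // names of loaders that have actually run

  function run(entry) { entry.load(); loaded.push(entry.name); }

  return {
    // Register a script loader; it runs now only if consent already exists.
    register(category, name, load) {
      if (!OPTIONAL_CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
      const entry = { name, load };
      if (consent[category]) run(entry);
      else pending.set(category, [...(pending.get(category) || []), entry]);
    },
    // Call from the "save preferences" handler with the visitor's own choices.
    save(choices) {
      for (const c of OPTIONAL_CATEGORIES) {
        consent[c] = choices[c] === true;
        if (consent[c]) { (pending.get(c) || []).forEach(run); pending.delete(c); }
      }
      return JSON.stringify(consent); // value to keep in the preferences cookie
    },
    loaded: () => [...loaded],
    state: () => ({ ...consent }),
  };
}
```

Withdrawing consent through `save` stops future loads only; cookies already written stay on the device until the visitor deletes them.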

Users need to be able to access your Cookie Policy right away

Linking to the policy in the footer is a common practice. We definitely agree with that, but most of the time it’s not sufficient. Your visitors might expect to find it there, but it often requires a lot of effort to reach it – especially on lengthy pages.

Visitors should be able to learn more about your Cookie Policy before they decide whether they agree to the usage. Typically, you would include a link to your Cookie Policy directly in the consent prompt.

Many cookies, such as “_ga”, “_gid”, use naming schemes that aren’t intuitive for the average user. A Cookies Policy allows you to be transparent and describe their purpose. It’s also where you can link to the third-party privacy and/or cookies policies, and include any additional information, such as the contact details for data protection enquiries or information on how visitors can delete cookies from their devices.

An excerpt from the ICO’s Cookie Policy shows how they communicate the purpose of their cookies.

We recommend creating a separate Cookies Policy page. If you include it in your Privacy Policy it will not only be harder to find but also make the Privacy Policy less intuitive – the volume of information required in a Cookies Policy is simply too big to cram into a single section.

As a follow-up to the previous point, users need to access the entirety of your website before choosing their cookie preferences – not just the Cookie Policy. Prompts that prevent scrolling when a cookie pop-up is visible wouldn’t comply with the law.

The consent mechanism needs to be self-evident, but can’t be unnecessarily disruptive

Assuming you allow visitors to access your website without accepting the cookie consent, the prompt needs to remain unintrusive to their experience. You still have to ensure visitors intuitively spot and understand your pop-up, but if it covers half of the web page before they interact with it, the pop-up wouldn’t be fully compliant.

You can’t use suggestive design to persuade the user to accept all cookies

Another common occurrence on websites that break the law is the usage of suggestive colours or design choices to influence the user. Regardless of your brand guidelines, the options within the prompt should use the same styling.

Mockups of three cookie consent pop-ups, two of which are not compliant because of suggestive design choices.

Allow users to manage their choices

You need to provide a mechanism that allows visitors to change their cookie settings. You can achieve this by using a descriptive hyperlink in the Cookie Policy that allows visitors to manage or change their preferences.

It’s important to note here that after changing the settings, previously set cookies might remain on the user’s device. Only the user can delete them but it’s your responsibility to guide them towards a solution. Including a simple note referring to the browser/device settings to delete existing cookies is sufficient in this case.

Your use of cookies may also require GDPR compliance

If the information you get from the usage of cookies can identify a person, you must also comply with GDPR rules. This applies even if you can only identify the person indirectly.

Even a seemingly random anonymous user identifier is “personal data” under GDPR. That’s because anonymous identifiers often refer to other data that can be used to identify a person – directly or indirectly.

As an example, if you assign “XMk3X8gPMf” as the ID of your visitor and share it with us, we have no way of identifying the person. However, if the user browses other websites that have access to the identifier, and these websites save information about the person as well, connecting the ID with other data sets might identify the user. Many third-party cookies work like that, especially the ones set by advertising and re-marketing networks.

Both parties are responsible for third-party cookies

If you’re using third-party services that use cookies to provide their functionality, both you and the provider are responsible for compliance. This means that your contractual agreement with a third party likely obligates you to get consent in a compliant way.

As mentioned when talking about your Cookies Policy, it’s a good practice to include links to applicable third-party policies on your website. This allows your visitors to find detailed information on how third parties process their data.

Mobile apps need to comply with cookie laws in the UK

The above requirements apply to all platforms and devices where you store cookies. This means that a mobile app requires a compliant prompt as well. On some devices, like smart TVs or other home appliances, getting consent might be challenging. You could do it in several ways, from communicating it in manuals to creating a standalone app where users need to register and give their consent.

We’ve prepared a quick guide that will help you spot potential non-compliance of your solution. At the end of this section, you’ll find a link to download this checklist in a PDF file.

Please note that we can’t guarantee that passing all the checks means your usage of cookies is fully compliant. These are simply the most common, high-level mistakes that can be easily spotted by anyone and we are not responsible for misuse or incorrect conclusions drawn from the use of this checklist.

To ensure full compliance, please consider carrying out an audit or consulting the extensive guide from the Information Commissioner’s Office.

  1. Ensure you have a Cookies Policy in place
  2. Ensure your consent mechanism uses positive opt-in
  3. Check for suggestive design
  4. Ensure you have full access to the website without dismissing the pop-up
  5. Check for pre-loaded cookies

    To check this, open your website in a private window and do not interact with your cookie consent prompt. Instead, for Google Chrome, Microsoft Edge and Safari, click on the padlock next to your website’s address and select cookies. If you spot any cookies that aren’t strictly necessary, this means they’re preloaded before the user opts in. This means your website is not compliant.

    If you’re using Mozilla Firefox, ensure you’ve disabled their Tracking Protection feature and then press F12 to open the Developer Tools. Navigate to Storage > Cookies and proceed as described above.
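The pre-load check from step 5 can be scripted once the rows are copied out of the browser's cookie panel. This is an added example, not part of the original checklist; the tab-separated column order (name, value, domain), the allow-list of necessary cookie names and all sample values are assumptions.

```javascript
// Constructed sample: rows copied from the cookie panel on a fresh private-window
// visit, before touching the consent prompt. Assumed columns: name, value, domain.
const SAMPLE_ROWS = [
  "cart_id\tabc123\twww.example.com",
  "_ga\tGA1.2.111.222\t.example.com",
  "_gid\tGA1.2.333.444\t.example.com",
  "uid\tXMk3X8gPMf\t.ads.example.net",
  "",
].join("\n");

// Assumption: the strictly necessary cookie names listed in the site's Cookies Policy.
const NECESSARY = ["cart_id", "cookie_prefs"];

// Turn pasted rows into { name, domain } records, skipping blank or short lines.
function parseCookieRows(text) {
  const cookies = [];
  for (const line of text.split(/\r?\n/)) {
    const cols = line.split("\t").map((s) => s.trim());
    if (cols.length < 3 || cols[0] === "") continue;
    cookies.push({ name: cols[0], domain: cols[2].replace(/^\./, "").toLowerCase() });
  }
  return cookies;
}

// Flag every cookie present before opt-in that is not on the necessary allow-list.
// siteDomain is the site's registrable domain, supplied by the caller.
function auditPreConsent(text, siteDomain, necessaryNames) {
  const allowed = new Set(necessaryNames);
  const seen = new Set();
  const violations = [];
  for (const { name, domain } of parseCookieRows(text)) {
    if (allowed.has(name)) continue;
    const key = name + "@" + domain;
    if (seen.has(key)) continue; // report each cookie once
    seen.add(key);
    const first = domain === siteDomain || domain.endsWith("." + siteDomain);
    // First-party tracking cookies still need opt-in; party is informational only.
    violations.push({ name, domain, party: first ? "first" : "third" });
  }
  return { compliant: violations.length === 0, violations };
}

console.log(auditPreConsent(SAMPLE_ROWS, "example.com", NECESSARY));
```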

Download the checklist without submitting your email

Free UK cookie policy template

Our cookie consent policy template follows the guidelines of ICO:

  • Explains to the user what cookies are and why you collect them
  • Outlines the names of the individual cookie files and the reason you need to use them
  • Notifies the user about the ways to disable and manage their cookies

Free UK cookie compliance check for website owners

If you’re unsure about your website’s compliance, let us know and we’ll send you a manual compliance report.

DISCLAIMER

We’ll check your compliance against the Information Commissioner’s Office guidelines to the best of our ability but we’re not lawyers, and the report is not legal advice. We accept no legal liability for any information on this page, or in the compliance report.

UK cookie law FAQs

Are analytics cookies exempt?

No. They are not strictly necessary for the visitor, and as such, they require positive opt-in. This applies to both third-party cookies (Google Analytics) and even first-party tracking solutions.

Can I include analytics cookies in the “Necessary” category if I’m transparent about it?

No. Necessary cookies are strictly defined as ones that provide crucial website features – shopping cart, saving user preferences, etc. While analytics might be important for your company, they’re not necessary for the visitor.

It’s the third-party setting the cookies. Shouldn’t they be exclusively responsible for it?

No. As the owner and/or manager of your website, you can choose to not use third-party services that set cookies. When you choose to use such services, you’re also partially responsible for compliance. Additionally, it’s important to note that intuitively, you’ll be the first point of contact for the visitor if they have questions or complaints about the use of cookies on your website, as they might not know that a third party is setting them.

Do I need a cookie policy on my website in the UK?

Yes. It doesn’t have to be a separate page, but we highly recommend going that route. Additionally, your cookie policy needs to be easily accessible to the users before they interact with your cookie consent mechanism.

Can I use implied consent, i.e. inform users about the fact we’re using cookies and assume consent is given if they remain on the website?

No. There’s a lot of misinformation online about this. Implied consent is not compliant at this moment and you should look for active, positive opt-in from your visitors.

Can I obtain consent through Terms & Conditions?

No. Online sources are often wrong about this as well. Once again, positive opt-in is needed for all optional cookies.

Can I use third-party solutions available on the market to do this for me?

It depends. As mentioned in the introduction, even among the five leading consent management platforms only 11.8% out of top 10,000 British websites met the minimal compliance requirements. When using a third-party solution, don’t assume it’s fully compliant and that the provider will be responsible for any negligence. It’s still your responsibility, and they likely cover it in their contract with you. When you choose a service provider for consent management, you should still verify whether it’s fully compliant.

Can I rely on the user’s browser settings to block cookies?

No. You can’t assume all visitors have the capability and know-how to block cookies. This would also go against the requirement of positive opt-in, as you would be pre-loading cookies before obtaining consent.

Can the optional cookie categories in my consent mechanism be pre-checked – but not pre-loaded?

No. According to ICO’s guidelines, this is not a form of positive opt-in, even if you only preload the cookies after the user accepts the selection. Visitors have to actively select these cookies.

Do I need to obtain consent for every cookie separately?

No. You can group cookies into relevant categories, as long as you clearly explain your choice and inform visitors which cookies belong to the categories of your choice.

What can be considered as a “necessary” cookie?

You can only pre-load cookies that are required to communicate with the visitor, or to provide basic functionality of the website, i.e. e-commerce cookies that allow users to add items to the cart, authentication cookies that remember the visitor’s previous login credentials, or a chatbot functionality – but only if communication is impossible without the use of these cookies.

Spotted an outdated recommendation or have more questions? Let us know

We’re doing our best to keep the article up-to-date with the current guidelines. However, if you spot a discrepancy or have additional questions, please get in touch with Dawid. He’ll answer your questions and we’ll consider including them in the article to help others as well.

Please note that our advice isn’t legally binding. For more complex enquiries, please contact ICO directly. They offer a variety of contact channels – live chat, e-mail, and over the phone.

And if you’d like to equip your website with a compliant cookie solution & cookie policy, drop us a line.

Originally published Sep 15, 2020 3:20:45 PM, updated February 6 2024.
