The Information Commissioner’s Office has published guidance on the use of cookies as well as updating its own cookie policy and the cookies banner on its website. Together these indicate what good practice looks like. In this insight we consider this move.

What is the role of cookies?

Cookies are small snippets of information, typically comprising a string of letters and numbers, that websites provide when accessed by users. They allow the website to recognise a user’s device and store some information about the user’s preferences or past actions for when they next visit.

Cookies can be used for various purposes, including digital shopping carts, assisting logging in, analysing traffic to a website or monitoring the browsing behaviour of the user. Some cookies are strictly necessary for a website to function properly. Data from cookies also forms the basis of advertising technology (AdTech) which comprises tools used to analyse and manage information (including personal data) for online advertising campaigns and automate the processing of advertising transactions, such as Real-Time Bidding.

What are the rules governing cookies?

The use of cookies is governed principally by the Privacy and Electronic Communications Regulations 2003 (PECR). The key principle is that users must consent to cookies being “set” on their devices. The implementation of the General Data Protection Regulation (GDPR) in 2018 has introduced a more rigorous standard of consent.

Here are some of the key points to bear in mind:

  • “Legitimate interests” cannot be relied upon for cookies.
  • Users must give express, informed, opt-in consent for cookies.
  • Implied consent is no longer valid.
  • Pre-ticked boxes or slider bars defaulted to “on” should not be used.
  • Websites and apps must tell users what cookies will be set and what they do, including any third-party cookies – using clear and plain language.
  • There is an exception for strictly necessary cookies.
  • “Strictly necessary” is measured from the perspective of the user, not the website publisher, so cookies necessary for data analytics are not strictly necessary.
  • Non-essential cookies should not be set on landing pages before you gain the user’s consent.

What should my business be doing?

Good practice is to display a pop-up, a banner or an overlay for cookies when a user first visits a website. This should briefly summarise the website’s use of all cookies on a per-cookie basis using clear and plain language.

It should display a link to the more detailed cookie policy, and the top or bottom of the homepage should also include such a link.

The pop-up should contain an opt-in consent mechanism for analytics cookies and the like. You can use a slider bar that is set to “No analytics cookies” or “Off” by default, or let the user tick one of two equivalent boxes to consent to or refuse analytical cookies, without having a default or pre-set position.

The ICO takes a dim view of cookie walls in most circumstances, where a user has to consent to cookies before they can access a website at all, e.g. “by continuing to use this website you are agreeing to our use of cookies”.

What else should I be aware of?

We are expecting a further overhaul of the rules regarding cookies once the delayed e-Privacy Regulation is agreed by the EU. The timing of this legislation remains unclear, so we are monitoring developments here.

How can we help you?

If you need some further advice and guidance around cookie policies or any other aspect of data protection, we’d be happy to help.

Please get in touch with Rebecca Steer at rebecca.steer@steerandco.com