Get consent to set tracking cookies on your website

Disclaimer: I am not a legal expert; this article is for informational purposes only and is not a substitute for professional legal advice.

What this article covers:

Almost every website owner in the UK has to decide how they want to deal with setting tracking cookies on their website. Not complying with the Privacy and Electronic Communications Regulations (PECR) could result in criminal prosecution or a fine of up to £500,000. Cookies that collect analytics/statistics are also included in the General Data Protection Regulation (GDPR).

Some website owners have cookies on their website that they don’t know about — for example from a plugin or embedded video. Audit your site to check what cookies you set and what they’re used for, then see what you can get rid of. The next step is to make sure your method to get consent to set cookies is suitable.

Options when setting tracking cookies

This table summarises your options when it comes to getting consent for tracking cookies and other non-essential cookies.

[Image: cookie consent table]

Option 1: No cookie consent

I only recommend this if you only use essential cookies, like those used in an online shop for the checkout process.

Tracking cookies are increasingly being blocked by default, so you’ll still be collecting inaccurate data even if you set tracking cookies without getting consent.

Not getting cookie consent:

  1. Don’t ask for consent from the website user/visitor.
  2. In the footer of the site have a link to the cookie policy.

Option 2: Cookie consent gateway/wall

[Image: cookie consent pop-up]
Using a pop-up on a website that disappears if the visitor clicks a button.

I don’t recommend this as it will put some visitors off completely, and you won’t be following the law anyway if you use a gateway.

Using a cookie consent gateway/wall:

  1. Have an intrusive pop-up with a cookie notice that says, “We have placed cookies on your device to help make this website better. To continue to use our website, you agree to the use of such cookies. For more information on how these cookies work, see our cookie details [link to cookie policy].”
  2. The visitor needs to click a button to close the pop-up and view the site.
  3. In the footer of the site have a link to the cookie policy.

Option 3: Implied cookie consent

[Image: cookie consent banner]
Using a pop-up banner on a website that disappears if the visitor scrolls or clicks a button.

Although I don’t recommend this option, at the time of writing some large companies still use it. Set tracking cookies after getting implied consent if you are willing to not fully comply with legislation.

Using implied cookie consent:

  1. Have a discreet pop-up at the bottom of the screen with a cookie notice that says, “We have placed cookies on your device to help make this website better. If you continue to use our website, we will assume that you agree to the use of such cookies. Find out more about cookies and how to stop them being set in our cookie details [link to cookie policy].”
  2. On the cookie notice pop-up, have a button labelled “I’m fine with this” and one labelled “Deny cookies”. To be compliant, one button must not be more prominent than the other.
  3. When the visitor starts scrolling, set the non-essential cookies and remove the pop-up.
  4. In the footer of the site have the cookie notice, so it’s visible even after cookies have been set. This links to the cookie policy, so visitors can withdraw their consent later.

Option 4: Explicit cookie consent

[Image: cookie consent banner]
Using a pop-up banner on a website that disappears if the visitor clicks a button.

Some businesses don’t rely on tracking cookies — they set up a Google Analytics account years ago but no one checks the reports (or no one knows what to do with them). Set tracking cookies after getting explicit consent if you aren’t concerned about the drop in the amount of data you’ll collect.

Using explicit cookie consent:

  1. Have a discreet pop-up at the bottom of the screen with a cookie notice that says, “We’d like to set analytics cookies to help us to improve our website by collecting and reporting information on how you use it. The cookies collect information in a way that does not directly identify anyone. For more information on how these cookies work, see our cookie details [link to cookie policy].”
  2. On the cookie notice pop-up, have a button labelled “I’m fine with this” and one labelled “Deny cookies”. To be compliant, one button must not be more prominent than the other.
  3. Only set non-essential cookies if the visitor clicks, “I’m fine with this”.
  4. In the footer of the site have a link to the cookie policy, so visitors can withdraw their consent later.
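
The explicit-consent steps above can be enforced in code as follows. This is an added example, not code from the original article; the ConsentGate and MemoryJar classes and the cookie_consent cookie name are hypothetical, and _ga stands in for whatever non-essential cookies your audit found.

```javascript
// Added example (not from the article): explicit-consent gate for Option 4.
// ConsentGate, MemoryJar and the "cookie_consent" name are hypothetical.
const CONSENT_COOKIE = "cookie_consent"; // essential: only remembers the choice

// In-memory cookie jar so the logic runs under Node; in a browser,
// swap in an adapter with the same methods over document.cookie.
class MemoryJar {
  constructor() { this.store = new Map(); }
  get(name) { return this.store.get(name); }
  set(name, value) { this.store.set(name, value); }
  delete(name) { this.store.delete(name); }
  names() { return [...this.store.keys()].sort(); }
}

class ConsentGate {
  // nonEssential: cookie names found in your audit; loadTracking: callback
  // that injects the analytics script (which then sets its own cookies).
  constructor(jar, nonEssential, loadTracking) {
    Object.assign(this, { jar, nonEssential, loadTracking, trackingLoaded: false });
  }
  // The banner stays up until the visitor has clicked one of the two buttons.
  bannerVisible() { return this.jar.get(CONSENT_COOKIE) === undefined; }
  // Run on every page view. Scrolling or ignoring the banner changes nothing.
  onPageLoad() {
    if (this.jar.get(CONSENT_COOKIE) === "granted") this._load();
  }
  accept() { this.jar.set(CONSENT_COOKIE, "granted"); this._load(); }
  deny() {
    this.jar.set(CONSENT_COOKIE, "denied");
    // Also used for withdrawal from the cookie policy page (step 4):
    // remove anything non-essential that an earlier "accept" created.
    for (const name of this.nonEssential) this.jar.delete(name);
    this.trackingLoaded = false;
  }
  _load() {
    if (this.trackingLoaded) return; // never inject the script twice
    this.trackingLoaded = true;
    this.loadTracking(this.jar);
  }
}

// Constructed walk-through: first visit, accept, later withdrawal.
function demo() {
  const jar = new MemoryJar();
  const gate = new ConsentGate(jar, ["_ga"], (j) => j.set("_ga", "sample-id"));
  gate.onPageLoad();                 // first visit, no choice recorded yet
  const beforeChoice = jar.names();  // nothing set before a click
  gate.accept();
  const afterAccept = jar.names();
  gate.deny();                       // visitor withdraws consent later
  return { beforeChoice, afterAccept, afterWithdraw: jar.names(), banner: gate.bannerVisible() };
}
```

In a browser, call accept() and deny() from the two banner buttons, and deny() again from the withdrawal control on the cookie policy page.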

Legal obligations when setting tracking cookies

When it comes to cookies, to be compliant with PECR and GDPR you need to do the following:

More information is available on the ICO’s website, ico.org.uk. In particular, read their myth-busting article.