Cookie consent - best practices and top tips

Do I need to get cookie consent?

UK data protection and cookie laws require that users or subscribers consent to cookies being placed or used on their devices. Without cookie consent, the cookie use will not be compliant with cookie laws.

There is an exception to this in relation to “strictly necessary cookies”. Find out more about strictly necessary cookies via this guide.

What is consent?

The consent requirements that apply to cookie use are set out in the UK GDPR. Article 4(11) of the UK GDPR and states: ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

For cookie consent to be valid, it must be:

• Freely given - this means that website visitors should have the ability to enable or disable non-essential cookies, and this should be made this easy to do;

• Specific - generic consent to the use of all cookie types will not be specific enough; and

• Informed - website visitors must fully understand that their actions will result in specific cookies being set, and have taken a clear and deliberate action to give consent.

ICO guidance states that cookie consent must involve some form of unambiguous positive action – for example, ticking a box or clicking a link – and the person must fully understand that they are giving the consent. It goes on to say that “you cannot show consent if you only provide information about cookies as part of a privacy policy that is hard to find, difficult to understand, or rarely read. Similarly, you cannot set non-essential cookies on your website’s homepage before the user has consented to them”.

How do I get consent from individuals to use cookies?

You need to ensure that you have a consent mechanism in place for obtaining cookie consent that meets the minimum requirements set out above. To achieve this in practice, website owners must obtain consent by giving the user specific separate information about what they are being asked to agree to and providing them with a way to accept by means of a positive action to opt-in.

Websites often use a consent manager to enable website visitors to consent (or not consent) to different cookie types. A consent manager should allow website visitors to provide granular consent - this means that the visitor can choose which cookies to accept and consent to some, but not all, cookies if they wish. Website visitors should have the ability to customise their cookie consent settings and not be forced to consent to cookies e.g. by using pre-selected boxes that are set to “Accept”. Recital 32 of the UK GDPR also specifically bans pre-ticked boxes – silence or inactivity does not constitute consent.

Cookie consent must be separate from other matters and cannot be bundled with the acceptance of other terms and conditions - if it is bundled with consent to other terms and conditions it will not be compliant.

Withdrawing cookie consent

For consent to be valid, website visitors must have the ability to easily withdraw that cookie consent at any time. It is therefore important to ensure that the consent mechanism in place has the technical capability to allow users to withdraw their consent with the same ease that they gave it, otherwise it will not be compliant with the UK GDPR’s consent requirements.

Website owners must also provide information about how cookie consent can be withdrawn, and how cookies that have already been set can be removed, for example in the website consent mechanism or within a privacy or cookie notice. The consequences of withdrawing that cookie consent could be made clear to website visitors, for example, by explaining the impact on the functionality of the website if certain cookies are not used.

Sign up now to use Docue’s cookie notice and other privacy templates.