ICO publish consent guidance and update cookie consent rules

consent and cookies

Share This Post

[Please note this article was published in May 2018, since then the ICO’s approach has changed, with new cookie guidance as explained in this new article]

We’ve been waiting for some time, for the Information Commissioner’s Office (ICO) to publish it’s final consent guidance. It’s been in draft since March last year and waiting on the Article 29 Working Party’s own guidance.

Last week however, they published their final guidance. You can read it here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/consent/.

There’s not many differences from the original draft from last year other than the removal of the time limit on how long consent lasts – they were indicating probably around 2 years, but now they have used more general wording about when it is most appropriate to do so.

They have also updated their cookie guidance to fall into line with GDPR.

Cookies and consent

Now, this is an area that most organisations have probably overlooked. There was a small mention of consent and cookies in the draft guidance and this is still in the final consent guidance too, but essentially where you need consent for cookies (and there are very limited exemptions to cookie consent) that consent will need to be GDPR compliant.

This is a significant change for most organisations that are using cookies. Essentially if you are using non-essential cookies (e.g. for Google Analytics) you need to now get GDPR compliant consent to continue to use them. So, if like most businesses, you are using the generic “we use cookies, read about it in our cookie policy and click OK to say you are happy for us to use cookies (or turn them off in your browser)” wording, you will not be compliant come the 25th May as your cookie consent now needs to be GDPR compliant, meaning:

  • You can’t use the existing “implied” consent
  • You must set out clearly what cookies you are using
  • You must seek positive opt-in to use cookies meaning you will need to make sure you provide an option to website visitors to opt-in to your use of cookies (the cookie guidance says “To ensure that consent is freely given, users should be able to disable cookies, and you should make this easy to do“)
  • You must be able to demonstrate that consent for cookies was given

In the cookie guidance from the ICO it is noted “The ICO will take a risk-based approach to enforcement in this area, in line with our regulatory action policy” which may indicate some levity unless you’re collecting personal data (particularly special categories of personal data), so maybe we’ll see what comes of any enforcement in this area. That said, if you’re using cookies that track behaviour (which could include things like Hubspot’s functionality for building up a profile of inbound marketing leads) you are potentially at risk from non-compliance…

More To Explore


The key message from the ICO regarding the use of AI is not to forget if AI is processing personal data, then you need to

Read More »

Eat. Sleep. GDPR. Repeat.

We live and breathe GDPR and ePrivacy compliance, so you don’t have too. Our GDPR UNLIMITED helpline is all about offering you help and support, whenever you need it most. As well as the unlimited helpline, you get up to 4 hours “hands-on” help each month, which we can configure to help you in anyway you need such as a GDPR review, or acting as your DPO.

As well as the unlimited helpline and hands-on help you get GDPR and privacy updates, access to our GDPR knowledge centre and webinars.

Unlimited email & phone support

Unlimited email and phone support. Email or organise a voice call as often as you need each month.​

Up to 4 hours "hands-on" help per month

We use these "hands-on" hours to do the GDPR work for you, such as reviews, acting as your DPO, checking DPIA, dealing with breaches, training your staff, etc. (Additional hours: £100+VAT per hour)

Online resources

Our Knowledge Centre gives you access to information, guidance, topic related guides and other tools to support your GDPR and PECR compliance

Updates, alerts & briefings

We provide updates and alerts and a monthly compliance briefing. You can either sign into the Knowledge Centre or sign up via email to receive an email every time we add a new update or alert

DPO services

Whether mandated or not we can act as your Data Protection Officer (DPO) and manage your day to day compliance

Webinars, workshops & training

Whether updates on the latest issue, workshops or team training, it's all included in your monthly retainer.

LIKE WHAT YOU'RE READING? join our email list

Sign up for monthly briefings and the occasional emails about our webinars and services

Want to know more about how we use your data? Check out our privacy policy