GDPR consent now needed for non-essential cookies including analytics, but will it be enforced?

Share This Post

The ICO have produced updated guidance on the use of cookies and how GDPR consent fits into the need for cookie consent.

Until now, most websites have been relying on only getting proper visitor consent for the use of tracking and privacy intrusive cookies (which is what the ICO hinted at in their previous guidance and their own cookie approach), meaning that non-essential but useful and non-intrusive cookies, like Google Analytics could be placed without proper consent. But this has now changed with the ICO saying that proper GDPR-compliant consent is now needed for all but essential cookies, including analytics cookies, third-party cookies, etc.

So, what’s changed?

The Privacy and Electronic Communications Regulations (2003) set out the rules for cookies (along with digital marketing compliance rules). Essentially PECR has always said (with some exemptions) that consent is always required for the placing of non-essential cookies. PECR hasn’t changed with the advent of GDPR (it sits alongside the data protection regulation) and so the PECR rules continue to apply as they always have. But there are a couple of parts of PECR that have GDPR implications:

  1. That web visitors should be provided with “clear and comprehensive information” about the use of cookies
  2. That the web visitor has “given his or her consent” to the placement of cookies

In both cases what these terms actually mean (regarding information and consent) fall back on what data protection law requires. So, in a pre-GDPR world we needed to tell users that we use cookies and that they can turn them off in their browser if they don’t like it, a kind of soft-consent relying on browser related settings to indicate consent. But of course, consent (in terms of what constitutes valid consent) changed with GDPR. Temporarily, there was an indication that proper GDPR consent was now needed, when the GDPR came in, but this quickly changed, with even the ICO’s website going back to the old-style “we use cookies, press OK to say you accept” approach – the only exception to this rule, was in the ICOs cookie guidance indicating that they’re more likely to take action against those using privacy intrusive cookies without proper consent.

However, today (3rd July) that has all changed, with the new ICO guidance indicating that GDPR consent is now required for all non-essential cookies and you have to be clear and transparent about your use of cookies and why you’re using them and how they will be used (in your privacy notice mainly, but maybe your separate cookie notice).

What does this mean in practice?

Generally speaking:

  • If you’re using any cookies which are deemed essential, i.e. your website can’t run without them (which is likely to be restricted to cookies for maintaining logins to your website or remembering a user session or what’s in an e-commerce basket, etc.), then you can continue to do so without consent but you will need to explain these cookies and what they’re used for
  • All other cookies are deemed non-essential and you will therefore need proper GDPR consent before you can use them – so you will need some mechanism (usually via your cookie banner) to allow users to turn on these cookies rather than turn them off; plus you will need to describe these cookies any why/how you use them plus you will need to be able to demonstrate you were given that consent

Whilst you may have some challenges on how to get this consent as part of your banner (it’s not always easy to configure cookie consent banners) on your website, the downside of all this, particularly if you rely on analytics (like Google Analytics) to track hits to your website, understand popular content, how many hits, etc. there’s a good chance you will no longer get an accurate picture of hits to your site as we suspect that most website users will just ignore the banner and not toggle the option to give consent to analytic cookies…

How will this be enforced?

Now this is the confusing bit – the guidance is pretty black and white: you must have GDPR consent for using anything but essential cookies and you can’t place non-essential cookies until you have the consent you need.

However, at the end of the guidance in the “What else do we need to consider?” section it talks about ICO enforcement of these cookie rules and says:

The ICO cannot exclude the possibility of formal action in any area. However, it is unlikely that priority for any formal action would be given to uses of cookies where there is a low level of intrusiveness and low risk of harm to individuals. The ICO will consider whether you can demonstrate that you have done everything you can to clearly inform users about the cookies in question and to provide them with clear details of how to make choices. For example, the ICO is unlikely to prioritise first party cookies used for analytics purposes where these have a low privacy risk, or those that merely support the accessibility of sites and services, for regulatory action.

The guidance therefore seems to say on the one hand “comply” but on the other “but we probably won’t enforce”.

So, should you comply or not? Could you take the risk your cookie usage will never get reported to the ICO let alone enforced against? That’s only a decision you can take, but in questioning the ICO about this, they told us “Organisations would need to be able to demonstrate any actions they have taken towards meeting the requirement for consent. We accept that these may not always happen overnight, but the legislation has been in place for a while and organisations would need to be able to show what they have done to achieve as much as they can.”

Let us know in the comments below what you think about this change in guidance/rules…

And if you want to know more, sign up to our free webinar (July 19th).

More To Explore


The key message from the ICO regarding the use of AI is not to forget if AI is processing personal data, then you need to

Read More »

Eat. Sleep. GDPR. Repeat.

We live and breathe GDPR and ePrivacy compliance, so you don’t have too. Our GDPR UNLIMITED helpline is all about offering you help and support, whenever you need it most. As well as the unlimited helpline, you get up to 4 hours “hands-on” help each month, which we can configure to help you in anyway you need such as a GDPR review, or acting as your DPO.

As well as the unlimited helpline and hands-on help you get GDPR and privacy updates, access to our GDPR knowledge centre and webinars.

Unlimited email & phone support

Unlimited email and phone support. Email or organise a voice call as often as you need each month.​

Up to 4 hours "hands-on" help per month

We use these "hands-on" hours to do the GDPR work for you, such as reviews, acting as your DPO, checking DPIA, dealing with breaches, training your staff, etc. (Additional hours: £100+VAT per hour)

Online resources

Our Knowledge Centre gives you access to information, guidance, topic related guides and other tools to support your GDPR and PECR compliance

Updates, alerts & briefings

We provide updates and alerts and a monthly compliance briefing. You can either sign into the Knowledge Centre or sign up via email to receive an email every time we add a new update or alert

DPO services

Whether mandated or not we can act as your Data Protection Officer (DPO) and manage your day to day compliance

Webinars, workshops & training

Whether updates on the latest issue, workshops or team training, it's all included in your monthly retainer.

LIKE WHAT YOU'RE READING? join our email list

Sign up for monthly briefings and the occasional emails about our webinars and services

Want to know more about how we use your data? Check out our privacy policy