Exciting news: British Assessment Bureau will rebrand as Amtivo in Autumn 2026! Find out more here >>

Website Cookie Consent – Why It Matters

Request a Quote

  • Accredited certifications
  • Helpful resources
  • No hidden fees
  • Trusted certification experts
Request a Quote

You’ve probably noticed a growing number of websites using a cookie consent platform designed to capture user consent for certain cookies. Such platforms also inform visitors of the cookies and similar tracking technologies used by the website in order to make it clear what a user would be giving consent for before these are activated. While some cookies are deemed to be strictly necessary and do not require consent, if your website uses non-essential cookies and you are not asking for consent before they are dropped on users’ devices, then you may be operating your website illegally. 

This article gives a brief overview of the legislation surrounding website cookie consent, explains how you collect user consent and covers the different types of cookies.  

 

What Is the Associated Legislation? 

The law around cookies (and similar technologies) is found in the Privacy and Electronic Communications Regulations (PECR) 2003, which itself is based on an EU directive from 2002.  

Unlike the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018, which are largely based on principles, the PECR is rule-based – this means not much is open to interpretation. Significantly, although the PECR has not changed much over time, the threshold for consent to be valid is now much higher, thanks to the GDPR. This is the bit that is catching out a lot of business owners that operate websites. 

 

What Are the Different Purposes of Cookies? 

In general, cookies are categorised as either strictly necessary or non-essential.  

Necessary cookies: Only those that you consider to be strictly necessary (those required for the operation of your website) don’t need prior consent. For instance, cookies on an e-commerce website that are used to remember what’s in a shopping basket are deemed to be strictly necessary. 

Non-essential cookies: The non-essential category could include functional cookies, performance-related, analytical or targeting (marketing). Non-essential cookies are those used for purposes that are not directly involved in the delivery of the website. You might consider them essential to track customer behaviour, but unless they are necessary to make the website work in accordance with its purpose, then they are deemed non-essential. 

Some cookies are used just for a single session, whereas others are persistent and may hang around for days, weeks or years. This may mean that the level of risk or exposure will vary but your legal responsibilities do not change.   

 

What Is Needed? 

Every website that is running non-essential cookies needs to have some mechanism that allows users to give consent for their use before they are dropped onto the user’s device. For the purpose of this article, this will be referred to as a Cookie Consent Management Platform (CMP). 

The cookie CMP should provide a permanent link to a ‘settings’ area where cookies can be activated or turned off if they had previously been set. Incidentally, if the options to run cookies are set to ‘active’ or ‘on’ when a user first arrives at your website, then the website could be seen to be operating unlawfully. The reason is that one of the conditions for consent to be valid involves the user making an affirmative action to opt in or accept non-essential cookies. It follows that this action must take place before any cookies are dropped. 

In addition, there should be a supporting website cookie policy that describes the purpose of the cookies with a corresponding list. This is important because you must inform users what it is you are asking them to accept and activate. 

 

What We Do At Amtivo 

We have a cookie policy published on our website and a consent box pops up for first-time users. Users can also find the link in the website footer that appears on every page. We explain that we use a variety of tracking technologies, and we state why we do it at the outset. Our use of cookies improves the way in which users can view our website; it enhances our understanding of how they use it and may assist us in our marketing activities. 

Our policy describes the purpose and the nature of the cookies covering both essential and non-essential ones, and how long they are set for. We also link it to our privacy policy, which provides our contact details should anyone have any questions. 

 

In Conclusion 

You must tell your website users if you set cookies and clearly explain what the cookies do and why. Some cookies are deemed strictly necessary and don’t need prior consent, but all other (non-essential) cookies do. You must obtain the user’s consent at the outset and in accordance with the requirements set out in the GDPR. 

Knowledge of the data protection legislation, and its application, goes a long way to making your life easier in the long run. In this respect, the cost of preparation and prevention can be seen as considerably less than the consequence of dealing with an investigation that could itself, result in a fine, enforcement action and/or possible reputational damage. 

You may find the guidance on cookies by the Information Commissioner’s Office (ICO) of help. 

Get Started on Your Certification Journey Now

Your certification costs will depend on the size of your business, location, and the sector you’re in.