The new GDPR (General Data Protection Regulation) comes into force on 25th May, and as we’ve mentioned previously organisations need to be taking action to ensure they’re compliant.

This legislation overlaps with the separate “ePrivacy Directive” which more specifically covers Cookies and IP addresses and is due an update in Spring 2019.

We can’t be sure whether or not GDPR enforcement will include a clamp down on intrusive cookie use, or what changes might be included in the revised ePrivacy legislation next year.

Having said that, we can remind you of some sensible things to do to demonstrate that you are being open and transparent in your use of cookies.

Remember, this is just our suggested approach; it’s the responsibility of individual businesses to decide what’s right for them.

Audit your cookies

With help from your web developers and digital agencies, make a comprehensive list of all the cookies you use on your website.

Understand their purpose

Make sure you understand what each of these cookies is used for.

Tidy up

Get rid of any cookies (or the tags associated with them) that you no longer need.

Judge intrusiveness

With the cookies left, determine how intrusive you think they are. You can be far more relaxed about less intrusive cookies (e.g. web analytics) than those that enable more intrusive behaviour (e.g. remarketing).

Create a cookie policy

If you don’t already have one, you should have a separate page on your website that gives specific details about what cookies you use and what you use them for.

Ideally, this is your opportunity to share your cookie audit with your website visitors, demonstrating how transparent you are. This page could also include lots of information on cookies and tips for managing them.

Consider opt in mechanisms

If your cookies are on the more intrusive end of the spectrum, you may decide that a prominent cookie bar that requires closing is necessary.

However, if not, see if you can find other ways to ask visitors to accept the use of your cookies. For example, if you already have a “T’s and C’s” opt in as part of your user journey, update the T’s and C’s to include reference to your website cookie use.

Ignorance isn’t a defence

If you don’t know that a cookie is being used on your website, or what the cookie is used for, that doesn’t make it ok. In fact it makes it worse!

If in doubt, remove it.


Don’t go through the above process once. You should go back and start again on a regular basis to ensure it isn’t outdated. How often is, of course, up to you!

How far should you go? Essentially this is up to you, but consider how intrusive your cookies are and then think about how compliant you want to be.

  • You might choose to comply with the Spirit of the Law. In which case, we think the points we suggest would be sufficient (regular cookie audit, visible cookie policy, list of cookies etc.)

  • Or you might choose to comply with the Letter of the Law. In which case you may need to go further and consider opt-in mechanisms (e.g. Cookie banners) and mechanisms for helping visitors manage the cookies you use (e.g. the settings within the cookie pop up on the website).

What is a good cookie policy? You’ll need to work out what is best for you and your organisation, but we think two good examples are the cookie policies on the TUI website and the John Lewis website.