Privacy and data laws are constantly changing as we learn more about cybersecurity. Over the last 12 months, cookie consent has seen significant changes, with rules around consent becoming much tighter. This means that what might have been deemed appropriate and acceptable in 2020 is no longer best practice.
And with businesses increasingly finding themselves under the spotlight when it comes to data compliance and protection, staying clued-up on cookie consent and other data privacy rules is crucial.
That’s why we’ve put together this guide.
Below, we will look at what regulation control expects of your website in terms of cookie consent. This way, you can start scrutinising your approach to gaining user permission to make sure you’re ticking all the right boxes.
What does cookie consent mean for your users?
Cookie consent is the user's permission for your website to store cookies on their device and track their activity. You therefore need to think of your popup cookie banner as your way of gaining this consent. Essentially, this is the user’s chance to give or deny their consent to being tracked or having their personal information stored by your website.
You might see cookies as a relatively harmless way of gathering a few extra insights. However, cookies can be a grave matter for users who don’t want to share their information or be tracked. Although it might feel like extra work, you must be clued up on user consent for cookies.
Because ultimately, your cookie consent banner allows users to take back control of their digital movements, data and information. And this is becoming increasingly important to individuals in today’s digital age.
So what has changed around cookies and consent over the last year?
Before Brexit, the UK had to adhere to the EU’s General Data Protection Regulation (GDPR), the ePrivacy Directive (cookie consent) and the UK’s Data Protection Act 2018.
These three frameworks worked in conjunction with one another to allow users to take back control of how they use their digital data, how they monitor their online behaviour, and whether they want their information to be tracked and stored or not.
However, on 31st January 2021 (post-Brexit), GDPR was technically no longer applicable to businesses and websites in the UK.
As of 2021, businesses that deal with UK-based information must adhere to the UK’s version of GDPR. Although it is almost identical to EU GDPR in terms of wording, there are still some small differences you need to understand. For example, the UK’s guidelines take a slightly different approach to intelligence, national security and immigration.
What’s more, the Data Protection Act (2018) is still in force and applicable to UK websites, but rather than working in conjunction with the EU’s ePrivacy Directive, the UK now adheres to the Privacy and Electronic Communications Regulations (PECR) instead.
That being said, if you’re tracking users from the EU and the UK, your website must also adhere to the EU GDPR guidelines.
What are the main principles you need to accommodate for cookie consent?
As we have said above, since Brexit, PECR has replaced the ePrivacy Directive as the framework for cookie consent. Because of this, you need to be aware of the fundamental principles set out in PECR. These centre on digital privacy rights and security, which include:
- Make sure that you tell website users that the cookies are there
- Explain in clear terms what the cookies are doing and why
- And finally, get the person’s consent to store cookies on their device
Other considerations when it comes to cookie consent in 2021
As well as the basics outlined above, there are some other important considerations you need to think about to ensure compliance with data privacy regulations. We’ve outlined these in more detail below to ensure you’re not missing anything.
First visit cookies
Because consent must be obtained before tracking begins, you should trigger only necessary/functional cookies when a user lands on your website for the first time. A necessary/functional cookie is one that is required for accessing your site’s functionality and content.
For any additional cookies you use, which aren’t completely necessary for the site’s running, you will need to gain consent.
Renewing your cookie consent
Once you’ve got initial consent, this is not a timeless agreement. Depending on your user’s location, local regulations (for example, EU GDPR) may require you to renew consent every twelve months.
So don’t fall under the misapprehension that this is a one-time action. This could land you in trouble further down the line.
Making it easy for users to change their preferences
Just because users made their choice on their first website visit, it doesn’t mean they have to stick with it forever. Part of taking back control of their digital data means being able to change their mind whenever they want. As such, you need to make it easy for users to update their cookie preferences in your settings.
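The three behaviours described above (only necessary cookies before consent, asking again after twelve months, and letting users change their mind at any time) can be enforced through one small consent record. The following is an added example and not code from the original post; it assumes the record is kept in localStorage (which is itself strictly necessary), the storage key and the two non-essential categories are placeholders, and storage is injected so the code also runs outside a browser.

```javascript
// Added example (not from the original post). Storage is injected so it runs
// in Node; in a browser pass window.localStorage. Key and category names are
// assumptions, not anything the post prescribes.
const CONSENT_KEY = 'cookie_consent_v1';            // hypothetical storage key
const RENEW_AFTER_MS = 365 * 24 * 60 * 60 * 1000;   // re-ask after twelve months
const NON_ESSENTIAL = ['analytics', 'marketing'];   // categories that need consent

// Read the stored record; null means "ask the user" (first visit, corrupt, or stale).
function readConsent(storage, now = Date.now()) {
  const raw = storage.getItem(CONSENT_KEY);
  if (!raw) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch (e) { return null; }
  if (!rec || typeof rec.ts !== 'number' || !rec.granted) return null;
  if (now - rec.ts > RENEW_AFTER_MS) return null;   // consent has expired: renew it
  return rec;
}

// Persist the user's choices. Anything not explicitly true is treated as denied,
// so a pre-ticked or missing box never turns into consent.
function saveConsent(storage, choices, now = Date.now()) {
  const granted = {};
  for (const c of NON_ESSENTIAL) granted[c] = choices[c] === true;
  const rec = { ts: now, granted };
  storage.setItem(CONSENT_KEY, JSON.stringify(rec));
  return rec;
}

// Gate for any code that wants to set a cookie or load a tracking script.
function isAllowed(storage, category, now = Date.now()) {
  if (category === 'necessary') return true;        // functional cookies need no consent
  const rec = readConsent(storage, now);
  return rec !== null && rec.granted[category] === true;
}

// Called from a "cookie settings" page: users can withdraw or grant at any time.
function updatePreferences(storage, changes, now = Date.now()) {
  const current = readConsent(storage, now);
  return saveConsent(storage, { ...(current ? current.granted : {}), ...changes }, now);
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}

// Usage: only load the analytics tag once the gate says so.
// if (isAllowed(window.localStorage, 'analytics')) { /* inject analytics script */ }
```

Because the default for every non-essential category is denial, a visitor who ignores the banner keeps full use of the site with only functional cookies set.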
Users must always understand what they’re consenting to
Your banner must explain in plain language what users are consenting to. Not only this, but you should never force people into accepting. For example, you cannot deny them your services or use of your website if they don’t consent to your cookies.
What happens if you’re not compliant?
Let’s end this guide with a quick reminder of what happens if you don’t comply with the cookie consent regulations.
The consequences for not complying can vary from a formal warning to a very hefty fine. It can also lead to a damaged reputation, costing you customers in the long term.
So put simply, no good can come from not complying with these data privacy regulations. As such, you should revisit your cookie consent policy right away to make sure you’re following all the latest rules.