How to make your campaign platform page ‘cookie compliant’

Follow regulations

Since the General Data Protection Regulation (GDPR) came into effect last May, there has been a great deal of interest in how it applies to cookies and similar technologies.

Cookies can seem like a very complex issue, and the rules on their use are in the Privacy and Electronic Communications Regulations (PECR), and not the GDPR.

However, some of PECR’s key concepts now come from the GDPR, such as the standard of consent, and specifically that:

Website users must take a clear and positive action to consent to non-essential cookies

The PECR always requires consent for non-essential cookies, including third-party cookies used for the purposes of online advertising or web analytics. This guidance explains, in more detail, how this applies. In the past implied consent was acceptable, but since May 219 active opt-in consent is the required standard for non-essential cookies.

Non-essential cookies


  • websites and apps must tell users clearly what cookies will be set and what they do – including any third-party cookies
  • pre-ticked boxes or any equivalents, such as sliders defaulted to ‘on’, cannot be used for non-essential cookies
  • users must have control over any non-essential cookies
  • non-essential cookies must not be set on landing pages before you gain the user’s consent
  • ‘legitimate interests’ cannot be relied upon for marketing and advertising cookies

Consent is not required for cookies that are defined as ‘strictly necessary’ for the operation of the website. These are cookies that are essential to providing the service that’s requested by the user (for example remembering the contents of a shopping basket). Cookies that are simply helpful or convenient, or that are only essential for your own purposes, will still require consent.

The Information Commissioner’s Office (ICO) recognise that analytics can provide useful information, but they are not part of the functionality that the user requests when they use an online service e.g. if you didn’t have analytics running, the user would still be able to access your service. This is why analytics cookies aren’t viewed as strictly necessary and also require consent.

Following a further report by the ICO on the use of programmatic advertising technology we recommend that you review, and understand the requirements for implementing a compliant cookie management and privacy policy. You may wish to speak to your organisation’s Data Protection Officer for further advice.

ICO guidance on how to conduct a cookie audit.

Find out about examples of popular cookie banners and consent management platforms currently being used to meet these requirements: