Now, this is an area that most organisations have probably overlooked. There was a small mention of consent and cookies in the draft guidance and this is still in the final consent guidance too, but essentially where you need consent for cookies (and there are very limited exemptions to cookie consent) that consent will need to be GDPR compliant.

This is a significant change for most organisations that are using cookies. Essentially if you are using non-essential cookies (e.g. for Google Analytics) you need to now get GDPR compliant consent to continue to use them. So, if like most businesses, you are using the generic “we use cookies, read about it in our cookie policy and click OK to say you are happy for us to use cookies (or turn them off in your browser)” wording, you will not be compliant come the 25th May as your cookie consent now needs to be GDPR compliant, meaning:

• You can’t use the existing “implied” consent
• You must set out clearly what cookies you are using
• You must seek positive opt-in to use cookies meaning you will need to make sure you provide an option to website visitors to opt-in to your use of cookies (the cookie guidance says “To ensure that consent is freely given, users should be able to disable cookies, and you should make this easy to do“)
• You must be able to demonstrate that consent for cookies was given

In the cookie guidance from the ICO it is noted “The ICO will take a risk-based approach to enforcement in this area, in line with our regulatory action policy” which may indicate some levity unless you’re collecting personal data (particularly special categories of personal data), so maybe we’ll see what comes of any enforcement in this area. That said, if you’re using cookies that track behaviour (which could include things like Hubspot’s functionality for building up a profile of inbound marketing leads) you are potentially at risk from non-compliance…