If you have a website that uses cookies, you’re likely aware of the European Cookie Law. What started as an EU Directive, by May 2011 it was adopted by all EU countries, and mandated that EU citizens who visit your website have the right to refuse cookies.

Like it or not, it’s clearly here to stay 8 years later, and there’s a lot of research coming out showing that companies are not really respecting the initial intent of the law, and that will likely force the regulators to act even more. Combine it with the EU GDPR and we’ve got a storm of non-compliance brewing in the background.

“But my company and customers are in North America” I often hear from clients.

If you collect the personal information of one EU citizen, and they file a compliant with the regulator, you don’t want to find out the hard way that this privacy law has global implications. Kris Constable – Senior privacy & security advisor

This week, a paper called Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence was published, and it may trigger a reaction from the regulators, or at least put this issue higher on their radar.

The three most notable things to consider when evaluating your consent management platform (CMP) around cookies are

Make sure it’s a clear opt-in process. If a regulator asked one of your users, “did you consent to accepting cookies”, would they declare they clearly took an action to consent?



If you had to prove to a regulator that the user consented to accepting cookies, it should be better than “they accepted the radio check box we pre-filled in for them”. Don’t be accused of using dark pattern design.

Make it just as easy to reject cookies, as to accept them. This means that you shouldn’t have a single option to opt-in, but have to take an extra step or two to opt-out. Likewise, some current implementations don’t even have an opt-out option, it’s “opt-in” or nothing, which leads to another consideration right now:

Make clear you’re collecting the cookies (or any personal data) for a specific purpose. An important aspect of data protection is purpose limitation, meaning users must consent in relation to a particular and specific purpose for processing data. They cannot provide carte blanche for a data controller to do whatever they like.

Ensure you’re not punishing users for not accepting cookies. It terms of technical implementation, it’s a lot easier to just reject a user who chooses not to accept cookies, but I speculate we’ll see the regulators looking at this in the near future. As a website owner you should likely not be rejecting access to any part of your website or application that you can not prove to a regulator requires the collection of personal data for that service to function.

When the regulators will start to act, and how swiftly, is yet to be seen. The UK’s information commissioner [disclosure: I’m a former advisor/investigator for her office when she was in Canada] has the same stance today as they did when they wrote their blog article on cookies last summer,

Cookie compliance will be an increasing regulatory priority for the ICO in the future … Start working towards compliance now – undertake a cookie audit, document your decisions, and you will have nothing to fear. Ali Shah is the ICO’s Head of Technology Policy

As an active consultancy in the privacy law compliance space, we’re actively engaged with clients on (re-)evaluating their cookie consent and CMP strategies, and we’ve not found one organization meeting compliance on one of the above four highlighted considerations, so hopefully this article helps initiate a review for your organization.