
Cookie control is tightened in UK and US

Updated February 3, 2020.

Efforts to regulate online surveillance and secure the right to digital privacy have crystallized in the European Union in the shape of the General Data Protection Regulation (GDPR) and in the US with the California Consumer Privacy Act (CCPA).

European data protection authorities have also begun to tighten their national guidelines for cookie control in the wake of the Planet 49 ruling from the Court of Justice of the European Union (CJEU).

In this blog post, we look at efforts toward cookie control, including Cookiebot’s consent management platform, which enables compliance with the emerging data privacy laws of the world, such as the GDPR and CCPA.

Cookie control in the UK

The Information Commissioner’s Office (ICO) is the data protection authority of the UK.

ICO enforces the European GDPR on UK soil – and after Brexit, will enforce the new domestic UK-GDPR (United Kingdom General Data Protection Regulation). It is also responsible for the enforcement of the various other data protection laws in effect, such as the Data Protection Act 2018 (DPA2018) and the PECR.

PECR stands for Privacy Electronic Communications Regulations. It dates from 2003 and is the national implementation of the ePrivacy Directive (ePR) in the UK.

In the summer of 2019, ICO updated its guidelines for PECR regarding the use of cookies and trackers and put a significantly tighter cookie control in place.

When it comes to a website’s cookie management, implied consent as we know it today – the soft opt-in that allows websites to interpret the continued browsing of their users as consent – does not meet the requirements for valid consent, ICO has ruled.

Instead, users must give their affirmative consent to all cookies other than necessary ones (non-essential cookies, as ICO calls them), and it is the legal responsibility of websites to have a cookie manager in place that enables this for their users.

Pre-ticked boxes (or any equivalents) are not lawful to use on anything but necessary cookies, according to the new ICO guidelines. This means that preference, statistics and marketing cookies must abide by the same rules: they all need to be un-ticked and now require affirmative opt-in to be viewed as valid consent.


In other words, users must now choose to tick the boxes of preference, statistics and marketing cookies alike, in order for these categories of cookies to be activated.

This is in line with the ruling from the CJEU, the highest legal body of the EU, which decided that no pre-ticked boxes are allowed on consent banners inside the EU.

The ICO guidelines now include that –

Inform yourself on ICO’s updated guidelines on cookies or read their summarized blogpost on “good” cookie use.

Brexit and cookie control

The UK left the EU on January 31, 2020.

On Exit Day, the new UK-GDPR took effect alongside an amended Data Protection Act 2018. However, the EU’s GDPR and ePR will still apply to the UK for the duration of the transition period (likely until December 31, 2020).

This means that the CJEU Planet 49 ruling which prohibits any pre-ticked checkboxes on consent banners in the EU applies to the UK until December 31, 2020.

After December 31, 2020 – when the UK is formally and finally independent from the EU – the UK-GDPR, DPA2018 and PECR will be the domestic data protection laws in effect.

Cookie control in the US

California became the first state in the US to enact a comprehensive data privacy law on January 1, 2020.

The California Consumer Privacy Act regulates how businesses are allowed to collect, handle and sell or disclose the personal information of California residents.

CCPA forces those commercial entities who fall under its definition of business to:

Read more about the CCPA, learn who is liable for compliance and how to be compliant.


US cookie control outside California

The American equivalent of the European data protection authorities, the Federal Trade Commission, operates in a different climate altogether, since the US does not have a federal data privacy law akin to the GDPR, and so has no strict cookie control at an enforceable, federal level.

However, the Federal Trade Commission recently levied a record $5 billion fine against Facebook for its mishandling of user data in the Cambridge Analytica scandal. It is the highest fine ever imposed by the FTC… but a fraction of Facebook’s annual revenue of $56 billion. Part of the FTC’s ruling was also to impose stronger oversight on Facebook’s collection and handling of users’ data.


Moreover, the FTC recently directed a multimillion-dollar fine against Google for data collection targeting children under the age of 13.

European data protection authorities have started collaborating on cross-country cookie control. For example, the Irish Data Protection Commission (which currently has 11 investigations open against Facebook) has met with government officials in Washington. Even the European Commission has shared information with the FTC about its past investigations into Google.

Cookie control in France

The French data protection authority (CNIL) has also tightened cookie control by updating its guidelines on the use of cookies and trackers.

The guidelines apply to all types of operations involving cookies and trackers on any type of device, effective after a grace period of around a year from now (approximately July 2020).

CNIL is also in line with the Planet 49 ruling by the CJEU.

It rules that the soft opt-in or implied consent as it stands today – i.e. continuing to browse a website after its cookie banner is displayed equals consent – is a thing of the past in France.


French website owners and operators must obtain affirmative, unambiguous and freely given consent before any non-necessary cookie or tracker can be activated.

Inform yourself on CNIL’s new guidelines for cookies and tracking on their own website.

Cookie control in web browsers

Digital self-defense is also an option that a lot of people are choosing, out of exasperation at learning the ugly truth about the dismal state of privacy on the Internet today.

This type of digital self-defense is essentially a version of privacy protection where everyone has to fend for themselves by downloading the right browser, which then blocks cookies automatically.

Privacy-friendly browsers such as Epic, Brave or Firefox offer cookie control through non-discriminatory, across-the-board cookie blockers that stop all cookies, even necessary and benign ones.

The downside is that they often break websites, because they block cookies that support the basic functions of a domain. This full cookie stop is the default mode of both Epic and Brave, whereas Firefox uses a tracker list from Disconnect to determine which cookies it blocks.


This digital self-defense is not a viable final solution to the privacy problems of surveillance capitalism, since most people don’t have the time or the technical skills to navigate the abundant market of privacy tools, browsers, VPNs or adblockers.

There is also another way to protect privacy in our digital infrastructures… One that doesn't require digital self-defense, but puts the responsibility on the shoulders of website owners and operators, as directed by the GDPR.

Cookie control through a cookie manager and consent solution

Cookie control through a cookie manager like Cookiebot is a technology that we – obviously – have put our weight behind and think of as a vital part of a sustainable solution for protecting privacy.

Using a consent solution that is specific to each website (implemented through the cloud and integrated seamlessly onto a domain) not only prevents websites from breaking by allowing them to discriminate between different categories of cookies, it also holds the potential to be fully GDPR and CCPA compliant, including compliance with the new guidelines of ICO and CNIL.

Cookie control with Cookiebot

A website owner looking for cookie control can use Cookiebot to –
