Why Cookie Consent is Broken on Most UK Business Websites (And How to Fix It)

8 22
calendar_todayschedule3 min read
— Originally published at clearlycompliant.co.uk

If you build websites for clients, or you run your own business website,
cookie consent is probably something you have thought about at some point.
You added a banner, moved on, and assumed you were covered.

There is a good chance you are not. And it is not your fault - the way most
cookie banners are implemented makes them look compliant while not actually
being compliant.

I have been building ClearlyCompliant, a free GDPR compliance checker for UK
businesses, and cookie consent is the issue I see failing most consistently
across the sites I scan.

Here is what is actually going wrong and how to fix it.

Quick background on the rules

In the UK, cookie consent is governed by two pieces of legislation: UK GDPR
and PECR (Privacy and Electronic Communications Regulations). The key rule is
simple in theory.

If your site uses cookies that are not strictly necessary for it to function,
you need to get consent before you set them.

Strictly necessary means things like session cookies, shopping basket cookies,
login cookies. It does not mean Google Analytics. It does not mean Facebook
Pixel. It does not mean any third party tracking or marketing script.

For those, you need consent first.

Why most banners do not actually work

The most common failure is a timing issue.

A typical WordPress site might have Google Analytics loaded in the header via
a plugin or hardcoded script tag. The page loads, GA fires, cookies are set.
Then, a fraction of a second later, the cookie consent banner appears.

The banner is asking for consent for something that has already happened.
That is not how consent works.

For a banner to be compliant it needs to load before any non-essential scripts
and it needs to actively block those scripts from firing until the user has
made a choice.

What a compliant setup looks like in practice

A properly implemented consent setup works like this:

  1. Page loads
  2. Consent management script initialises and checks for existing consent
  3. If no consent exists, the banner is shown and all non-essential scripts
    are blocked
  4. User makes a choice
  5. If accepted, the relevant scripts are loaded and cookies are set
  6. Choice is stored so the banner does not reappear on every page

Most consent management platforms can do this. The problem is they need to
be set up correctly, which means your analytics and tracking scripts cannot
just be hardcoded into the page head. They need to be loaded conditionally
based on what the user has consented to.

The other common mistakes

Beyond the timing issue, here are the other things I see failing regularly:

No decline option. A banner with only an "Accept" button is not compliant.
Users must be able to decline non-essential cookies just as easily as they
can accept them.

Pre-ticked options. Defaulting analytics to "on" and requiring users to
untick it is not valid consent under UK law.

No way to update preferences. Users need to be able to change their mind
after the initial choice. Most sites have no mechanism for this at all.

Cookie policy missing or vague. You need a cookie policy that lists what
cookies you use, why, and who sets them. "We use cookies to improve your
experience" is not sufficient.

A quick checklist for your own sites

Before shipping any site, it is worth running through these:

  • Is the consent banner loading before any non-essential scripts?
  • Is there a genuine accept and decline option?
  • Are analytics and tracking scripts blocked until consent is given?
  • Is there a link to a proper cookie policy?
  • Can users update their preferences after the initial choice?
  • Is consent being recorded somewhere?

If the answer to any of those is no, the site has a compliance gap.

How to check quickly

If you want to run a quick check on a site you have built or your own business
website, I built ClearlyCompliant to do exactly this. It is free, it scans the
live site rather than asking you to fill in a questionnaire, and it gives you
a breakdown across 23 GDPR compliance checks including cookie consent.

You can run it at clearlycompliant.co.uk - takes a couple of minutes and the
results are instant.

Cookie consent is genuinely one of those things that is easy to get right once
you understand what the standard actually is. The frustrating part is that most
implementations make it look right while getting it wrong under the hood.

1 Comment

0 votes
🔥 Join developers growing publicly
Share your knowledge, build in public, and grow your developer presence with a global community.

More Posts

I’m a Senior Dev and I’ve Forgotten How to Think Without a Prompt

Karol Modelskiverified - Mar 19

The Privacy Gap: Why sending financial ledgers to OpenAI is broken

Pocket Portfolio - Feb 23

How I Built a React Portfolio in 7 Days That Landed ₹1.2L in Freelance Work

Dharanidharan - Feb 9

What Is SARIF and How Does It Help Security Tools Work Together?

Ganesh Kumar - Jul 4

TypeScript Complexity Has Finally Reached the Point of Total Absurdity

Karol Modelskiverified - Apr 23
chevron_left
1.4k Points30 Badges
9Posts
7Comments
3Connections
Hi, I’m Joe, a web developer and tech entrepreneur. I don’t just write code, I build projects that s... Show more

Related Jobs

View all jobs →

Commenters (This Week)

1 comment
1 comment
1 comment

Contribute meaningful comments to climb the leaderboard and earn badges!