Cookies, Consent & Tracking
Cookies and similar tracking technologies are regulated. Under EU/UK ePrivacy rules, you generally must get the user's consent before setting non-essential cookies or trackers. That consent must be freely given and as easy to refuse as to accept. "Essential" cookies (needed to make the site work) do not need consent. Analytics and marketing cookies do.
It is easy to drop in a third-party script or analytics SDK that sets cookies the moment the page loads. That is exactly what the rules forbid without prior consent. The details matter: do not load non-essential trackers until the user has agreed, make rejecting as easy as accepting (no deceptive design), and record what they chose.
This is the web-mechanics companion to Privacy & Data Protection and Product Analytics & Telemetry Privacy. Getting it wrong is a common, visible compliance failure (regulators actively fine non-compliant cookie banners) and an easy one to avoid.
Get consent right
- Always: Get explicit, prior consent before setting non-essential cookies or loading analytics, marketing, or tracking scripts. Do not fire them on page load by default.
- Do: Make refusing as easy as accepting: a clear "reject all" next to "accept all", with no pre-ticked boxes and no nudging (no deceptive design).
- Do: Separate strictly-necessary cookies (no consent needed) from analytics and marketing cookies (consent needed), and explain what each is for.
- Do: Record the user's choice, honour it, and let them change or withdraw it as easily as they gave it.
- Consider: A consent-management approach that actually gates script loading, so a "reject" really stops the trackers from running.
Don't track without permission
- Do: Default to the privacy-protective state: nothing non-essential runs until the user opts in (see Secure Defaults, the same principle).
- Do: Keep the cookie and tracking inventory current. Know what is set, by whom, why, and for how long. Third-party scripts can add their own (see Vendor & Third-Party Risk).
- Avoid: Tracking walls or pre-consent fingerprinting that try to identify users before they have agreed.
- Never: Set advertising or analytics cookies, or load third-party trackers, before consent, and never ignore a user's refusal.
// fires on load, sets cookies, before any consent
Non-essential tracking runs the moment the page loads, with no consent. This is a clear ePrivacy violation, and the kind of thing regulators issue fines for.
if (consent.has('analytics')) loadAnalytics(); // only after opt-in
// banner offers equal Accept / Reject; choice stored & honoured
Trackers load only after the user opts in, refusal is as easy as acceptance, and the choice is respected. This is compliant and honest.
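The compliant pattern above, worked through as an added example (this is not code from the original page): a small consent store plus a script gate that holds every non-essential loader until the user has explicitly opted in, treats anything other than a recorded `true` as refusal, supports withdrawal, and uses the site's cookie inventory to say which cookies must be cleared when a category is refused. The category names, the cookie inventory, the loader callbacks and the `demo()` walk-through are all constructed for illustration; a real banner would call `applyChoice` from its equal-weight Accept and Reject buttons and persist the choice (for example in a first-party cookie), which is kept in memory here so the code has no DOM dependency.

```javascript
// Added example, not the page's own code. Categories: only "necessary" is exempt.
const CATEGORIES = Object.freeze({
  necessary: Object.freeze({ requiresConsent: false }),
  analytics: Object.freeze({ requiresConsent: true }),
  marketing: Object.freeze({ requiresConsent: true }),
});

// Records the user's choice. No recorded choice means no consent: every
// non-essential category is blocked until the user decides.
class ConsentStore {
  constructor() {
    this.choice = null; // null = user has not decided yet
  }

  // `granted` maps category -> boolean from the banner. Anything that is not
  // literally `true` (absent, falsy, a string) counts as refused.
  record(granted) {
    const choice = {};
    for (const name of Object.keys(CATEGORIES)) {
      if (CATEGORIES[name].requiresConsent) choice[name] = granted[name] === true;
    }
    this.choice = { ...choice, recordedAt: Date.now() };
    return this.choice;
  }

  // Necessary cookies never need consent; others need a recorded `true`.
  has(category) {
    const def = CATEGORIES[category];
    if (!def) throw new Error(`unknown cookie category: ${category}`);
    if (!def.requiresConsent) return true;
    return this.choice !== null && this.choice[category] === true;
  }

  // Withdrawal is one call and returns to the default (no consent) state.
  withdraw() {
    this.choice = null;
  }
}

// Holds non-essential loaders until consent exists, so "reject" really means
// the tracker never runs.
class ScriptGate {
  constructor(store) {
    this.store = store;
    this.pending = []; // { category, name, load } waiting for consent
    this.loaded = [];  // names of scripts that were actually executed
  }

  // Register a script; run it now only if its category is already allowed.
  register(category, name, load) {
    const allowed = this.store.has(category);
    if (allowed) {
      load();
      this.loaded.push(name);
    } else {
      this.pending.push({ category, name, load });
    }
    return allowed;
  }

  // Called by the banner with the user's choice: record it, then load only
  // the pending scripts whose category was granted. Refused ones stay unrun.
  applyChoice(granted) {
    this.store.record(granted);
    this.pending = this.pending.filter((entry) => {
      if (!this.store.has(entry.category)) return true; // keep blocked
      entry.load();
      this.loaded.push(entry.name);
      return false;
    });
    return [...this.loaded];
  }
}

// From the cookie inventory, list cookies whose category lacks consent and
// therefore must be deleted (on refusal or on withdrawal).
function cookiesToClear(store, inventory) {
  return inventory.filter((c) => !store.has(c.category)).map((c) => c.name);
}

// Constructed inventory: cookie name, category, and who sets it.
const SAMPLE_INVENTORY = [
  { name: 'session_id', category: 'necessary', setBy: 'first-party' },
  { name: '_ana_uid', category: 'analytics', setBy: 'analytics vendor (hypothetical)' },
  { name: '_ad_track', category: 'marketing', setBy: 'ad network (hypothetical)' },
];

// Walk-through: page load with no consent, opt in to analytics only, withdraw.
function demo() {
  const store = new ConsentStore();
  const gate = new ScriptGate(store);
  const calls = [];
  gate.register('necessary', 'session', () => calls.push('session'));
  gate.register('analytics', 'analytics-sdk', () => calls.push('analytics-sdk'));
  gate.register('marketing', 'ad-pixel', () => calls.push('ad-pixel'));
  const onLoad = [...calls];                                  // only 'session'
  const afterChoice = gate.applyChoice({ analytics: true, marketing: false });
  const toClear = cookiesToClear(store, SAMPLE_INVENTORY);   // marketing cookie
  store.withdraw();
  const afterWithdraw = cookiesToClear(store, SAMPLE_INVENTORY); // both trackers
  return { onLoad, afterChoice, toClear, afterWithdraw };
}
```

The `has()` check is the single enforcement point: the gate, the cookie-clearing step, and any server-side `Set-Cookie` decision should all consult it, so the recorded choice and the observed behaviour cannot drift apart. Because a tracker that has already executed cannot be un-run, withdrawal in a real deployment should also clear the listed cookies and avoid re-registering the loaders on the next page view.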
Self-review checklist
- Ask: Does any non-essential cookie or tracker fire before the user consents?
- Ask: Is rejecting as easy as accepting, with nothing pre-ticked?
- Ask: Is the user's choice recorded, honoured, and changeable?
- Ask: Do I actually know every cookie/tracker on the page, including third-party ones?