
Joe Seabrook

Posted on • Originally published at clearlycompliant.co.uk

I Built a GDPR Compliance Checker and Cookie Consent is the Issue I See Failing Most

I launched ClearlyCompliant a few weeks ago - a free automated GDPR compliance
checker for UK businesses. You enter a domain, it runs 23 checks across
everything from security headers to privacy policies, and spits out a score.

Since launch I have scanned a decent number of UK business websites and one
thing stands out above everything else: cookie consent is broken on almost
every site I look at.

Not missing entirely. Broken. There is a difference.

The problem is not the banner, it is the implementation

Most developers know they need to add a cookie banner. So they grab a plugin,
slap it on the site, tick it off the list and move on. Job done, right?

Not quite.

The issue is that having a banner and having a compliant banner are two very
different things. Under UK GDPR and PECR (the Privacy and Electronic
Communications Regulations), consent has to meet a pretty specific standard
before you can drop non-essential cookies on someone's device.

Here is what compliant actually looks like:

  • The banner appears before any non-essential cookies fire
  • Users get a genuine accept or decline option, not just an "ok got it" button
  • Declining is just as easy as accepting
  • Consent is recorded so you can prove it if asked
  • Users can update their preferences later

That first point - the banner appearing before any non-essential cookies fire -
is where most implementations fall down completely.

The classic failure mode

Here is what actually happens on most sites I scan.

The page loads. Google Analytics fires immediately and drops its cookies. Half
a second later the cookie banner appears asking for consent.

Consent for cookies that have already been set. On a device that has already
been tracked.

That is not consent. That is a banner that exists to look like consent while
the tracking happens anyway.

From a technical standpoint this usually happens because the analytics script
is loaded in the document head, before the consent management platform has had
a chance to initialise and block it. The fix is straightforward - your CMP
needs to load first and your tracking scripts need to be conditional on consent
- but a lot of out-of-the-box implementations do not handle this correctly.
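To make the fix concrete, here is an added example (mine, not code from the original post or from ClearlyCompliant) of a minimal consent gate that implements the checklist above: trackers are registered under a category, nothing fires until that category is explicitly granted, every decision is logged, and preferences can be changed later. `loadScript` is a hypothetical injection hook; in a browser it would append a `<script>` element, while the demo only records what it would load.

```javascript
// Added example: a default-deny consent gate. `loadScript` is an assumed
// hook supplied by the caller (in a browser it would inject a <script> tag).
function createConsentGate(categories = ['analytics', 'marketing']) {
  // Every category starts as false: no pre-ticked boxes, no "continue = agree".
  const state = Object.fromEntries(categories.map(c => [c, false]));
  const pending = []; // trackers registered but not yet permitted to load
  const loaded = [];  // names of trackers whose loader has run
  const log = [];     // consent record, so a decision can be evidenced later

  // Run the loader of every pending tracker whose category is now granted.
  function flush() {
    const still = [];
    for (const t of pending) {
      if (state[t.category]) { t.loadScript(t.name); loaded.push(t.name); }
      else still.push(t);
    }
    pending.length = 0;
    pending.push(...still);
  }

  return {
    // Register a tracker under a category. Calling this in <head> is safe:
    // the loader does not run until that category has been granted.
    register(category, name, loadScript) {
      if (!(category in state)) throw new Error(`unknown category: ${category}`);
      pending.push({ category, name, loadScript });
      flush();
    },
    // Called from the banner's accept, decline or preferences UI. Categories
    // absent from `choices` keep their previous value; silence grants nothing.
    setConsent(choices, at = new Date().toISOString()) {
      for (const c of Object.keys(choices)) {
        if (!(c in state)) throw new Error(`unknown category: ${c}`);
        state[c] = Boolean(choices[c]);
      }
      log.push({ at, choices: { ...state } });
      flush();
    },
    loaded: () => [...loaded],
    pending: () => pending.map(t => t.name),
    log: () => log.map(e => ({ ...e, choices: { ...e.choices } })),
  };
}

// Usage sketch: register trackers at page load, then act on the banner's answer.
const gate = createConsentGate();
gate.register('analytics', 'ga4', name => console.log(`would load ${name}`));
gate.register('marketing', 'facebook-pixel', name => console.log(`would load ${name}`));
gate.setConsent({ analytics: true, marketing: false }); // only ga4 loads
```

Withdrawing consent with `setConsent` stops future loads but cannot unload a script that is already running, so a withdrawal should also clear that tracker's cookies and take effect fully on the next page load.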

What the ICO actually looks for

The ICO (Information Commissioner's Office) is the UK regulator for data
protection. They published detailed cookie guidance a few years ago and they
are pretty specific about what they expect.

The key points relevant to developers:

Pre-ticked boxes are not valid consent. If your banner defaults to
"Analytics: on" and users have to actively untick it, that is not a valid
consent mechanism under UK law.

Soft opt-in does not work for tracking cookies. "By continuing to use this
site you agree to cookies" - you have probably seen this pattern everywhere.
It does not meet the standard for informed, unambiguous consent.

Functional cookies only need consent if they go beyond what is strictly
necessary. Session cookies, shopping basket cookies, login cookies - these
are fine without consent. Google Analytics is not.

The sites most likely to have issues

From what I have seen scanning UK business websites, the highest risk profiles
are:

WordPress sites with a basic cookie plugin that does not properly integrate
with the theme or other plugins. The banner exists but the scripts fire anyway.

Shopify stores that have added Google Analytics, Facebook Pixel and a
remarketing tag, but the consent banner only controls one of them.

Brochure sites built by agencies where the developer added GA4 in the head
tag and then added a consent banner as an afterthought without checking whether
the two actually work together.

Why this matters beyond compliance

Beyond the legal risk, there is a practical reason to get this right.

Third-party cookies are on their way out. Safari and Firefox already block
them by default. Chrome has been going back and forth on deprecation but the
direction of travel is clear. Building a proper consent flow now, one that
actually controls when scripts fire, puts you in a much better position for
a cookieless future than bolting on a banner that does not really do anything.

How I check for this in ClearlyCompliant

When the scanner runs it checks for the presence of a cookie banner, a cookie
policy, and known tracking scripts. It also checks whether consent mechanisms
are present on forms and whether there is a way for users to update their
preferences.

It does not currently do a full technical audit of script load order - that
would require a more complex headless browser interaction - but it flags the
presence of trackers alongside the presence or absence of consent mechanisms,
which gives a pretty good picture of where the risks are.
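As an added illustration of the kind of check described above (my own example, not ClearlyCompliant's scanner code), here is a regex-based heuristic that looks for known tracker loaders, a consent banner, a decline control and a cookie policy link, and additionally flags a tracker whose `<script>` tag sits in `<head>` before any consent script. The tracker and banner patterns and the sample page are my assumptions and constructed input, not a published list.

```javascript
// Added example: a static-HTML heuristic, not a headless-browser audit.
// Tracker and consent patterns below are assumptions for illustration.
const TRACKERS = [
  { name: 'Google Analytics', re: /googletagmanager\.com\/gtag\/js|google-analytics\.com\/analytics\.js/i },
  { name: 'Google Tag Manager', re: /googletagmanager\.com\/gtm\.js/i },
  { name: 'Facebook Pixel', re: /connect\.facebook\.net\/[\w-]+\/fbevents\.js/i },
];
// Assumed markers of a consent mechanism, a decline control and a cookie policy link.
const CONSENT_HINTS = /cookie[-_ ]?(consent|banner|notice)|cookieconsent|consentmanager/i;
const DECLINE_HINTS = /\b(reject|decline|refuse)\b/i;
const POLICY_LINK = /<a[^>]+href=["'][^"']*cookie[^"']*["']/i;

function scanHtml(html) {
  const head = (html.match(/<head\b[\s\S]*?<\/head>/i) || [''])[0];
  const trackers = TRACKERS.filter(t => t.re.test(html)).map(t => t.name);
  const hasBanner = CONSENT_HINTS.test(html);
  const hasDecline = DECLINE_HINTS.test(html);
  const hasPolicy = POLICY_LINK.test(html);
  const findings = [];
  if (trackers.length && !hasBanner)
    findings.push(`trackers present (${trackers.join(', ')}) with no consent mechanism detected`);
  if (hasBanner && !hasDecline)
    findings.push('consent banner found but no decline/reject control detected');
  if (trackers.length && !hasPolicy)
    findings.push('trackers present but no cookie policy link found');
  // Load-order heuristic: a tracker loader in <head> with no consent script
  // ahead of it will usually fire before the banner can block it.
  for (const t of TRACKERS) {
    const m = head.match(t.re);
    if (m && !CONSENT_HINTS.test(head.slice(0, m.index)))
      findings.push(`${t.name} loaded in <head> before any consent script`);
  }
  return { trackers, hasBanner, hasDecline, hasPolicy, findings };
}

// Constructed sample page reproducing the failure mode described in the post.
const SAMPLE = `<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="/js/cookie-consent.js"></script>
</head><body>
<div id="cookie-banner">We use cookies. <button>OK, got it</button></div>
<a href="/cookie-policy">Cookie policy</a>
</body></html>`;

console.log(scanHtml(SAMPLE).findings);
```

A static scan like this cannot see scripts injected at runtime by a tag manager, which is why a full load-order check needs a headless browser.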

If you want to run it on your own site or a client site, it is free at
clearlycompliant.co.uk. Feedback from developers on what else it should be
checking is genuinely welcome.


The GDPR stuff can feel like a legal minefield but the cookie consent piece
is actually a solved technical problem. The hard part is that most
implementations cut corners and the corner that gets cut is the one that
matters most.
