Addressing the ICO’s Cookie Restrictions for Digital Analytics

The world of digital analytics in the UK had a rude awakening in July 2019, when the Information Commissioner’s Office (ICO) clarified their cookie guidance policies, tightening up regulation on the use of cookies to track web analytics. 

The New Cookie Guidance

The updated cookie guidance requires website owners to obtain consent from website visitors to use “non-essential” cookies, which includes any cookies used to track analytics on a site. In order to give consent, each web visitor must be presented with a consent form upon first visiting a website, and then actively choose to allow cookies. 

The default consent form setting for cookies is required to be in the “off” position, forcing visitors actively approve the cookies that enable analytics data collection. (You can find the official ICO guidelines here.) 

Cookie Guidance Impact on Digital Analytics

As businesses become compliant with the new ICO regulations, website owners can expect a serious downtick in their collected visitor analytics, as the majority of visitors will leave the mandatory consent form in the default “off” position. 

We estimate a 60% collapse in reported site analytics when the mandatory cookie consent form is implemented on a site. This is based on the assumption that visitors will make an arbitrary 50:50 choice between the two options but with a bias towards protecting their privacy. Systems with a default of “decline’ could see even worse dropoff.

This massive fall in collected site analytics data will undoubtedly leave website owners scrambling for analytics solutions to address the new regulations and the lack of data collected through their newly-compliant analytics implementations. 

Before deciding on how to become compliant with the new regulations, you need to gain a full understanding of your current analytics implementation and the associated cookies. 

Know Your Cookies

In order to find the compliance solution that best suits your business, you first need to understand which cookies are present within your website’s analytics implementation, as well as what data is most important to you. Obtaining this information will allow you to more fully comprehend the purpose behind your analytics implementation, and help guide you through the decision-making process ahead.

A great way to gain this understanding is through an automated cookie audit.

Running an automated cookie audit will allow you to scan your entire website and get a complete breakdown of all the MarTech (and associated cookies) present, which will help you identify the analytics data that your implementation is currently collecting and give you insight into the data that is most important to you. This knowledge will help direct you to a solution that best fits your business needs.

Here at ObservePoint, we provide you with software to run cookie audits automatically, which can help you obtain a better understanding of the cookies deployed on your site and save you from wasting time and energy on manually evaluating your cookies. 

Once you have a clear understanding of your analytics implementation and the associated cookies, you can start exploring potential solutions to the new regulations and select a method that works for you. 

Potential Solutions to The New Cookie Regulations

Companies impacted by the new regulations are currently considering several solutions to become compliant with the new regulations. A few of the most common solutions are as follows:

  • Gate your analytics implementation with a consent management platform (CMP)
  • Eliminate “non-essential” cookies
  • Use cookie walls
  • Collect data through your server

Let’s explore the details of these options. 

Gate your analytics implementation with a consent management platform (CMP)

Using a CMP to gate your analytics implementation involves using your analytics implementation as is, but only allowing the implementation to be activated when a visitor gives consent to being tracked through a CMP. (If a customer does not consent to being tracked, the website must still operate as normal while refraining from tracking the visitor).

An example of a compliant CMP consent form can be found at

This method will allow you to maintain your current analytics strategy and the associated cookies, but will likely result in a heavy reduction in data collection, due to visitors opting out of analytics tracking. The associated data loss with this method may make the solution non-ideal.

Additionally, whether you’re using a CMP built in-house or a CMP from a third party, you should remember that a CMP is not a replacement for analytics validation software. You can’t simply set and forget your CMP and hope that compliance will be maintained as your website goes through changes into the future. You will still want to monitor your CMP, likely by using automated auditing software, like ObservePoint, to ensure compliance moving forward.

Eliminate “non-essential” cookies

Simply wiping all the “non-essential” cookies off your site may be the most basic method to meeting the new ICO regulations. 

This method of getting rid of cookies altogether will allow you to free up time and resources that were previously spent managing your analytics implementation. Plus, without any “non-essential” cookies on your site, you can do away with the mandatory cookie consent form, giving your site a cleaner and smoother feel for visitors. 

However, while cleaning the cookies off your site will allow you to quickly and simply become compliant with the new regulations, you will also simultaneously extinguish any means of collecting and analyzing user data. Whether or not this is a viable option for you and your business will depend largely on the size of your business, and how reliant you are on user data to make decisions. 

Gate your site with cookie walls

Utilizing cookie walls is the practice of blocking off your site to visitors unless they consent to the use of cookies. 

Completely blocking off your entire site to visitors until they give consent to being tracked by cookies is against the ICO’s regulations, but you may be able to stay in compliance by only gating specific areas of your site with cookie consent forms. This method will allow you to maintain analytics data for critical portions of your site for dedicated users, but the practice may be a deterrent for some visitors. 

While limited use of cookie walls may be a viable option, cookie walls are likely not ideal for building positive relationships with new visitors, as cookie walls can feel unnaturally restrictive and annoying to visitors. As a result, cookie walls could potentially curb your new customer growth.

Collect data through your server

Another feasible option that would allow you to comply with the new ICO regulations while still collecting data would be to start collecting data through your server, using server-side identifiers to stitch sessions together rather than through the use of cookies in your browser.

Doing so would allow you to collect data from visitors anonymously without cookies, thus giving you a clear and compliant way to get rid of the mandatory cookie consent form for browser cookies. This method will enable you to steer clear of any potential violations with the ICO’s new regulations, while still allowing you to obtain helpful user data.  

The downside to this method is that you need to completely overhaul your entire analytics tracking system, which will undoubtedly require some heavy leg-work. 

Protect Personally Identifiable Information

Regardless of which solution you choose, a key element to complying with the new guidelines and other regulations is making sure you consciously and transparently adopt data privacy best practices and protect personally identifiable information (PII). 

You need to know when you’re using cookies to track visitors and ensure that you’ve received consent to do so. You also need to take measures to ensure PII is being protected from any malicious tracking code that could exist on your site. 

In order to maintain the security of your visitor’s PII, we recommend auditing your site regularly with automated software (like ObservePoint) to detect any cookies or tracking code that could be misusing PII. 

Use ObservePoint to Confidently Gain Compliance with ICO Policies

At ObservePoint we can help you scan and inventory your entire analytics implementation, including cookies, so you have a clear baseline to work with whether you’re shifting to new data collection methods or simply cleaning up your current implementation. Either way, we’re here to help you get the information you need to make educated decisions regarding the new ICO cookie guidance policies.

To see how ObservePoint can help you with your ICO compliance needs, schedule a demo today.


Browse your favorite Categories

Schedule a Meeting