Cookie compliance and consent management

Most websites store data on a visitor’s device through cookies and similar technologies. Two overlapping regulations govern this in the UK. The Privacy and Electronic Communications Regulations (PECR) require informed consent before any non-essential cookie or similar technology stores information on, or reads information already held on, a visitor’s device. Where that information is personal data, as it is for most tracking and analytics cookies, UK GDPR also applies: it requires a lawful basis for the processing and sets the standard that any consent obtained must meet.

Many websites are not compliant, even when they display a cookie banner

Many organisations assume that displaying a cookie banner makes their website compliant with cookie regulations. In practice, this is rarely sufficient.

Websites typically include analytics platforms, advertising networks, embedded videos, social media integrations and third-party services that begin storing data on, or reading data from, a visitor’s device as soon as the page loads, before any consent has been given. As a result, many websites fail to meet the legal requirements of PECR regardless of what their banner says.

Compliance means no data storage without consent

The principle behind PECR is straightforward: with a small number of exceptions for strictly necessary functionality, websites must not store data on a visitor’s device, or read data already stored there, through cookies or similar technologies such as local storage until that visitor has consented.

Common services that store data via cookies and similar technologies include:

  • Google Analytics
  • Google Ads
  • Google Maps
  • Meta Pixel
  • LinkedIn Insight Tag
  • Hotjar and other heatmapping tools
  • Embedded YouTube and Vimeo videos
  • Social media embeds
  • Live chat platforms
  • Accessibility tools
  • Marketing automation platforms

Achieving genuine compliance requires more than simply installing a cookie banner. The website itself must hold back every non-essential script, embed and pixel until consent has been granted, rather than loading them on page view and relying on the banner to excuse it.

Why cookie compliance is more challenging than it appears

Modern websites can contain dozens of third-party integrations, embedded services and tracking scripts. New cookies may be introduced when plugins are updated, content editors add new content, marketing campaigns are launched, or third-party providers change how their services operate.

Many off-the-shelf consent solutions create the appearance of compliance without actually preventing all unauthorised data storage.

In practice, we regularly encounter situations where:

  • A cookie banner is visible, but trackers still load before consent
  • A consent platform is installed, but embedded content continues to set cookies
  • Analytics appears disabled, while supporting scripts continue collecting data
  • New tracking technologies have been introduced without the website owner’s knowledge

For organisations that take compliance seriously, these issues present both regulatory and reputational risks.

A consent management platform is only the first step

A Consent Management Platform (CMP) is an essential foundation for compliance, but it is only one part of the solution.

At Castlegate IT, we use Cookiebot as the foundation of our consent management approach. Cookiebot scans websites, identifies cookies and trackers, categorises them where it can, notifies us when manual classification or other action is required, and records visitor consent decisions.

Installing a CMP without a full understanding of the regulations and the technical controls required to satisfy them is a common mistake. Cookie classifications may be incorrect, embedded services may continue storing data, and cookie declarations may fail to accurately describe the purpose and function of the technologies in use.

Each website must be reviewed individually to ensure that:

  • Analytics and advertising tags are correctly controlled
  • Embedded content and third-party scripts respect consent choices
  • Tracking technologies are blocked until consent is granted
  • Consent records are maintained correctly
  • Cookie declarations remain accurate and up to date

Effective compliance requires the right tools combined with the technical expertise to configure, test and maintain them correctly.

Balancing compliance with usability

Compliance should not come at the expense of the user experience.

Many websites implement consent controls in ways that create confusion or frustration. Visitors encounter blank spaces, missing content or unclear instructions, making it difficult to access the information they need.

Our approach combines Cookiebot with in-house tools, processes and technical solutions to ensure that websites remain both compliant and usable.

Where videos, maps or third-party content cannot be loaded without consent, we provide clear placeholders and explanatory messaging that help visitors understand what is unavailable and how to enable it.

The result is a compliant implementation that remains transparent, accessible and straightforward to use.
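The gating described in the two sections above, as an added example that is not code from the original page, from Castlegate IT or from Cookiebot: a small JavaScript consent gate that keeps third-party scripts and embeds inert until the visitor opts in to their category, and shows an explanatory placeholder with an opt-in button in place of any embed that is still blocked. The attribute names (data-consent-category, data-consent-src), the four category names, the requestConsent hook and the example URLs are all assumptions made for this example; a real deployment would map them onto the CMP’s own conventions.

```javascript
// Added example only (not Castlegate IT's or Cookiebot's code). A minimal
// consent gate: third-party scripts and embeds stay inert until the visitor
// opts in to their category, and blocked embeds get an explanatory
// placeholder. Attribute names, category names, the requestConsent hook and
// the example URLs below are assumptions made for this example.
//
// Assumed markup convention (nothing is fetched until applyConsent runs,
// because the script is type="text/plain" and the iframe has no src):
//   <script type="text/plain" data-consent-category="statistics"
//           data-consent-src="https://analytics.example/tag.js"></script>
//   <iframe data-consent-category="marketing"
//           data-consent-src="https://video.example/embed/123"></iframe>

const CATEGORIES = ['necessary', 'preferences', 'statistics', 'marketing'];

// Normalise a consent record. "necessary" is always on (PECR's strictly
// necessary exemption); every other category is off unless explicitly true,
// so a missing or malformed record never grants anything.
function normaliseConsent(consent) {
  const record = consent || {};
  const granted = { necessary: true };
  for (const c of CATEGORIES.slice(1)) granted[c] = record[c] === true;
  return granted;
}

// Pure decision logic, usable without a browser: split tag descriptors into
// those that may load now and those that must stay blocked. A tag with an
// unknown or missing category is treated as non-essential (fail closed).
function resolveTags(tags, consent) {
  const granted = normaliseConsent(consent);
  const activate = [];
  const blocked = [];
  for (const tag of tags) {
    const ok = CATEGORIES.includes(tag.category) && granted[tag.category];
    (ok ? activate : blocked).push(tag);
  }
  return { activate, blocked };
}

const placeholders = new WeakMap(); // gated element -> its placeholder node

// Browser side. Call on page load with the stored consent and again whenever
// the CMP reports a change; already-activated elements are skipped. Note
// that withdrawing consent cannot unload a script that has already run, so
// a change that removes a category normally needs a page reload.
function applyConsent(consent, doc = globalThis.document) {
  if (!doc) return { activated: 0, blocked: 0 }; // not running in a browser
  const tags = Array.from(
    doc.querySelectorAll('[data-consent-category]:not([data-consent-applied])')
  ).map((el) => ({
    el,
    kind: el.tagName.toLowerCase(),
    category: el.getAttribute('data-consent-category'),
    src: el.getAttribute('data-consent-src'),
  }));
  const { activate, blocked } = resolveTags(tags, consent);

  for (const { el, kind, src } of activate) {
    placeholders.get(el)?.remove();
    placeholders.delete(el);
    if (kind === 'script') {
      // A text/plain script never executes; replace it with a live one.
      const live = doc.createElement('script');
      live.src = src;
      live.async = true;
      el.replaceWith(live);
    } else {
      el.setAttribute('src', src); // iframe or img: now the browser loads it
      el.setAttribute('data-consent-applied', '1');
    }
  }

  for (const { el, kind, category } of blocked) {
    if (kind !== 'iframe' || placeholders.has(el)) continue;
    const note = doc.createElement('div');
    note.textContent =
      `This embedded content is only shown once you allow ${category} cookies. `;
    const button = doc.createElement('button');
    button.type = 'button';
    button.textContent = 'Allow and show';
    // Assumed hook: hand the request to the CMP so the consent is recorded
    // there, instead of flipping a local flag and bypassing the record.
    button.addEventListener('click', () => globalThis.requestConsent?.(category));
    note.appendChild(button);
    el.before(note);
    placeholders.set(el, note);
  }
  return { activated: activate.length, blocked: blocked.length };
}
```

Call applyConsent once with the consent the CMP has already recorded, and again from whatever consent-changed callback the CMP provides (Cookiebot exposes such callbacks). The decision logic is deliberately separate from the DOM code so it can be unit tested, and it fails closed: an embed that an editor pastes in without a category, or with a category the site does not recognise, stays blocked rather than loading by default. This is exactly the case the page describes, where new content introduces a tracker nobody classified.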

Compliance is an ongoing responsibility

Cookie compliance is not something that can be implemented once and forgotten.

Websites evolve continuously. New content is added, plugins are updated, marketing tools change, and third-party providers introduce new tracking technologies.

A website that was compliant six months ago may no longer be compliant today.

We recommend regular reviews, ongoing scanning and periodic testing to ensure that consent controls continue to operate correctly and that new technologies have not introduced compliance risks. The most direct test is to open the site in a fresh browser profile, leave the banner unanswered or decline it, and inspect which cookies, local storage entries and third-party requests appear; anything non-essential that shows up at that point is loading before consent.

The risks extend beyond regulatory enforcement

While regulatory enforcement is often the first concern, the risks associated with non-compliance are broader than potential fines.

Visitors are becoming increasingly aware of how their data is collected and used online. Organisations that appear to disregard privacy expectations may damage trust with customers, members, donors, stakeholders and service users.

Non-compliant implementations can also create governance and procurement challenges. Many public sector organisations, charities, educational institutions and larger businesses are expected to demonstrate compliance with privacy regulations as part of their wider risk management and accountability obligations.

Potential consequences of non-compliance include:

  • Regulatory investigation or enforcement action
  • Complaints from website visitors or stakeholders
  • Reputational damage and loss of trust
  • Increased scrutiny during supplier due diligence processes
  • Difficulties satisfying procurement, governance or audit requirements
  • Uncertainty over the accuracy and legality of website analytics data

For many organisations, maintaining compliance is as much about protecting reputation and demonstrating accountability as it is about meeting legal requirements.

How Castlegate IT can help

We implement practical, defensible cookie compliance solutions that combine industry-leading technology with expert technical configuration and ongoing oversight.

Our services include:

  • Website audits and compliance assessments
  • Cookie and tracker identification
  • Cookiebot implementation and configuration
  • Consent Mode integration for third-party systems
  • Embedded content management
  • User experience optimisation
  • Ongoing monitoring and reviews

We help organisations reduce compliance risk, improve visitor trust, maintain a positive user experience and keep consent controls functioning correctly as their website evolves.

If you would like to understand how compliant your website is today, get in touch and we can carry out an initial review and discuss what improvements may be needed.

Get in touch for a bespoke quote

Ready to future-proof your website with the latest technologies? Contact us today to discuss your requirements and receive a tailored website optimisation plan.

You can call us on 01904 654 036 or email your enquiry to info@castlegateit.co.uk