
How To Ensure Your Website Is GDPR/PECR Compliant

Updated 5 Feb 2024 9:02 PM

The clock has been ticking for a while now, following the introduction of GDPR (General Data Protection Regulation) in 2018 and the PECR (Privacy and Electronic Communications Regulations) update in 2019. Yet many websites are, shockingly, still not compliant.

In order to be compliant you need to have a consent banner on your website which provides the user with the option to consent, not consent, and ideally to select their own preferences.

You also need to ensure that ALL tracking tags and analytics cookies are fired correctly based on consent.

And if you’re advertising on platforms like Google Ads this is even more important, after their announcement this week that they will be suspending ad accounts if your website is not compliant.

[Image: Google Ads threatens to suspend non-compliant websites' GDPR consent banner. Image courtesy of Thomas Eccel]

What is GDPR?

Introduced in 2018, GDPR is a set of standards that ensure businesses hold data and market appropriately to consented individuals. Long gone are the days of buying bulk mailing lists, or scraping websites for email addresses.

And overnight in May 2018 we saw lots of businesses lose up to 90% of their databases because they could not prove consent was obtained correctly, and therefore chose to remove records rather than be in the wrong.

What is PECR?

PECR is the lesser known, sometimes never heard of, regulation. It has been around for longer than GDPR and was updated in July 2019. In the words of the ICO (Internet Commissioners Office), the regulations:

Give people specific privacy rights in relation to electronic communications. There are specific rules on:

  • Marketing calls, emails, texts and faxes;
  • Cookies (and similar technologies);
  • Keeping communications services secure; and
  • Customer privacy as regards traffic and location data, itemised billing, line identification and directory listings.

How Do GDPR and PECR Impact My Website?

Any website that gathers user information or customer data must comply with both GDPR and PECR.

This means you must have a compliant cookie consent bar.

Many websites have a cookie bar that states “By using this website you are agreeing to our use of cookies” or words to that effect. This is NOT compliant, as it gives the user no option to consent or not consent (other than not using your website, but by merely visiting they’ve already been tracked by your analytics), and the regulations state that consent must be freely given.

You need a consent bar that gives all visitors to your website the option to:

  • Accept all cookies
  • Decline all cookies
  • Choose their own preferences (functional, analytics, performance and advertising/marketing) 

My Website Designers Added A Cookie Plugin On My Website – So I’m Covered, Right?

Not necessarily! In my experience some website designers don’t fully understand how to ensure you are compliant, and simply install plugins for cookie systems like Complianz or Cookiebot without setting them up properly, and without giving you training on what you need to do when you need to add a new cookie (like Google Ads conversion tracking or Google Analytics 4).

The best thing you can do is use one of these sites that offer a free review:

  • CookieYes
  • CookieBot

Then talk to an expert about getting your cookies set up properly, and about giving you training and a how-to guide for adding additional cookies in the future (usually an infrequent task).

I Only Have Google Analytics On My Website, So I Don’t Need A Cookie Consent Bar – Right?

Wrong! Everything other than very essential cookies (which help the website function) needs to be consent-enabled, i.e. the user must be able to consent/opt in before they fire.

What About Google Consent Mode?

Some platforms like Google Analytics have what’s called a Google Consent State, which Google describes as follows:

“Consent mode receives your user’s consent choices from your cookie banner or widget and dynamically adapts the behaviour of Analytics, Ads and third-party tags that create or read cookies.”

So on the face of it, it should be sufficient. However, it’s not totally clear whether Google Consent Mode complies with the strictest interpretation of GDPR: in essence it only avoids using cookies, but it still continues to collect data on users, even if they have opted out.

This is one of the reasons why I personally, for my own website, and for my clients, adopt a belt and braces approach of ensuring that tags and cookies only fire once consent has been granted.
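
As an added illustration (not code from this article or from any consent plugin), this is one way to implement the "only fire once consent has been granted" approach: every tag is queued under a category, and nothing beyond the essential category runs until the banner reports a grant. The ConsentGate class, its method names and the tag labels are hypothetical.

```javascript
// Added example: ConsentGate and its method names are hypothetical,
// not the API of Complianz, Cookiebot or Google Consent Mode.
const OPTIONAL = ["functional", "analytics", "performance", "marketing"];

class ConsentGate {
  // loadTag: callback that injects the tag (in a browser, typically by
  // appending a <script> element); passed in so the gate can be tested.
  constructor(loadTag) {
    this.loadTag = loadTag;
    this.granted = new Set(["essential"]); // default-deny everything optional
    this.pending = [];                     // tags waiting for consent
    this.fired = [];                       // audit trail of what ran, in order
  }

  // Queue a tag under a category; it fires only if that category is granted.
  register(name, category) {
    if (category !== "essential" && !OPTIONAL.includes(category)) {
      throw new Error(`unknown consent category: ${category}`);
    }
    this.pending.push({ name, category });
    this.flush();
  }

  // Apply banner choices, e.g. { analytics: true, marketing: false }.
  // Unknown keys are ignored; "essential" cannot be switched off here.
  update(choices) {
    for (const c of OPTIONAL) {
      if (choices[c] === true) this.granted.add(c);
      if (choices[c] === false) this.granted.delete(c);
    }
    this.flush();
  }

  acceptAll() { this.update(Object.fromEntries(OPTIONAL.map((c) => [c, true]))); }
  declineAll() { this.update(Object.fromEntries(OPTIONAL.map((c) => [c, false]))); }

  // Fire each pending tag whose category is granted, then drop it from the queue.
  flush() {
    const stillWaiting = [];
    for (const tag of this.pending) {
      if (this.granted.has(tag.category)) {
        this.fired.push(tag.name);
        this.loadTag(tag.name);
      } else {
        stillWaiting.push(tag);
      }
    }
    this.pending = stillWaiting;
  }
}
```

Withdrawing consent in this design stops later tags from firing; it does not undo tags that have already run, so cookies they set still need to be cleared separately.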

Want Help With Your Consent Set-up?

If you’re not sure that your website is compliant then get in touch to see if I can help out.