Do I need to change my cookie policy?

Published 18 Mar 2021 by Ellice Eadie, CANDDi
While the value of businesses tracking their website visitors is clear, the legal basis behind website tracking certainly isn’t.

It’s all about striking the right balance between optimising your visitors’ experience online and ensuring they’ve provided sufficient consent in the eyes of the law.

So, what do you need to do?

We’ve put together a couple of options to help you figure out what to do for the best.

That said, we’re certainly not lawyers, and the responsibility for implementing tracking consent mechanisms for your visitors rests on your shoulders. All we can do is use our expert industry opinion to try to guide you in the right direction.

This guide aims to cover the different types of cookies, explain some of the jargon, and lay out what the law says when it comes to consent. Let’s get started!

What are cookies?


These cookies can ONLY be placed and read from the website the user is actively visiting. For example, since you’ve visited, information about your browsing activity can only be accessed by

This is generally used for website analytics, or to personalize the experience for the visitor. For example, imagine how annoying it would be if you were online shopping, and every time you clicked a new page your basket emptied.

The good news is that CANDDi has always used first-party tracking exclusively, so our platform isn’t in any danger of being affected by ongoing data privacy laws which tend to focus on third-party tracking.

Third party cookies

These cookies can be read across multiple websites. Ever looked at a nice pair of trainers on, then seen ads for the same trainers on different websites across the web? Third party cookies are how this happens, and have probably wreaked havoc on your wallet over the years.

There is very little legal guidance regarding what online tracking compliance should look like in practice. But the guidance that exists always agrees on one thing: there should always be consent.

So with that in mind, we believe there are four broad categories of consent forms.

This is the clear as day approach. Implementing this will mean your site displays a consent pop-up with all of the tracking options unticked. This means that if the user just simply presses “okay”, no tracking will be performed.

CANDDi Accreditation

- Confirms beyond all doubt that consent is informed and freely given
- Perfect option for special category data which must be handled with extra care
- Users are likely to be confused, or not read the banner and opt for no tracking. This means their activity cannot be personalized or tracked, helping neither the visitor nor the business.

This method provides only two main options: “accept everything” or “reject everything”.

Clearly, the user will be steered towards the green “accept everything” button, though it’s very easy for data-conscious individuals to open up a more detailed interface to explicitly opt in to different types of tracking.

CANDDi Accreditation

- Provides a privacy-aware user with the ability to select what they want to consent to
- Provides the average user an ability to say yes and get on with browsing the site
- Allows the user to change their preferences at a later time
- Since most users will simply click the big green button without fully reading the form, it can be argued that this does not provide explicit informed consent.

This option is a little more subtle than the full implicit consent banner.

Here, the user simply has an option to say yes; if they want to find out more they can go to a settings page (note: there isn’t a “no” option on the main banner).

CANDDi Accreditation

It takes multiple clicks to navigate to the separate window. Needless to say, this means it isn’t particularly easy to change which tracking you consent to, or indeed to opt-out of the cookies altogether.

- Very simple for users to opt-in
- Flexible options do exist for privacy-conscious individuals
- It can be argued that the relatively hard-to-find options window actually obfuscates the entire consent process.

With this approach, the cookie consent banner contains an “accept” button and appears when the visitor first lands on a website.

There is a link to that website’s privacy page for those who want to learn more about the nature of the tracking being used.

The key thing to note here is that the only way a visitor can opt out of this tracking is by clearing the cache on their browser.

CANDDi Accreditation

- Avoids all of the messiness of users having to choose the cookies they want
- It would be hard to justify that a user has actually given informed consent.

What does CANDDi recommend?

Tracking consent is what can only be described as a very large and very grey area of the law. As such, it’s important that you determine your own approach to gathering consent on your website.

That said, we can certainly recommend that any organisation which processes any form of special category data must obtain full explicit consent.

As for typical B2B businesses, the full explicit consent approach is likely overkill. While it’s true that regulations may change in the future, there’s no need to prematurely jump to the “whitest” solution possible.

We’ve seen the negative effects of this already, when thousands of B2B organisations destroyed their perfectly viable email lists in the mistaken belief that the then-upcoming GDPR legislation would make them unusable.

Keeping all of this in mind, we’d recommend most of our customers offer aggregate implicit consent with website settings. This balances the interests of the user and the interest of your company, leading to informed consent which benefits both parties and improves the relationship between them.

If you’d like to talk any of this through with the team, or need a hand in general, let us know at