The general rule is that prior consent to GDPR standard is needed in order to place cookies, unless one of the two exemptions apply.

Consent is not required where:

  • the cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  • the cookie is strictly necessary to provide an ‘information society service’ requested by the subscriber or user.

Even when consent is not required in the above cases you should still provide users with information about those cookies.

The Information Commissioner has issued an latest guidance on the use of cookies in July 2019,


  • National Data Protection Authority Guidance:
  • Guide to the Privacy and Electronic Communications Regulations

This guide is for organisations that wish to send electronic marketing messages (by phone, fax, email or text), use cookies, or provide electronic communication services to the public.

  • Direct marketing Guidance: Data Protection Act, Privacy and Electronic Communications Regulations.