26 August 2025

Neil Jennings

What once would cost you the measly sum (!) of £500k for stuffing up, you could now be on the line for a whopping £17.5m fine.

For goodness sake, if you don’t use a plate, at least clean up those cookie crumbs!

OK, let’s back up a little. We’re looking at cookies and privacy laws. This isn’t an academic review of specific laws and regulatory landscapes, although I will touch on the main thrust of things very briefly.

Right now, there is a big push in the AI governance and risk space, and rightly so. But the new doesn’t make the old disappear - it just hides it a little.

One of the most critical pieces of the privacy puzzle (and something with the potential to build real trust with users) is cookie compliance. Perhaps not sexy, but certainly important. The digital world is not a high trust society, so it might make strategic sense to do what you can before it’s too late.

What is a cookie?

Cookies are essentially unique identifiers placed on a browser that allows a website to ‘remember’ certain information. Some cookies are very important to the user, like cookies that remember the items you put in your online shopping basket (‘session cookies’) or those used for security and network purposes. These are typically known as essential cookies. Other cookies are more aligned to the web operator’s desires, like tracking preferences or websites visited.

Why is cookie consent important?

Aside from the numerous global legal requirements, cookie consent is important because there is an inherent collection, use and potential disclosure of personal data. Businesses need to make sure personal data is protected appropriately and that consumers are given appropriate choices. In some cases, the very first interaction a consumer will have with a business is a cookie consent banner, so you have the opportunity to make a good first impression!

What does the landscape look like?

Across the globe, companies are navigating conflicting consent regimes:

• Opt-in: You need to obtain consent before using cookies. The main exception is the ‘strictly necessary’ cookies, like the cookies that remember what’s in your shopping basket. You don’t need consent, but you still need to inform users.
• UK (PECR)
• EU (e-Privacy Directive)
• Brazil (LGPDP)
• Quebec (Loi 25)
• India, Argentina, South Africa, etc.
• Opt-out or implied: In most cases, consent is assumed until the user actively refuses and in most cases, the user must be given the opportunity to say no. Again, it’s important to inform users, regardless of consent requirements.
• Many US states (e.g. California, Colorado, Texas, Florida, etc. - some of these laws require states to adopt the Global Privacy Control, a browser-level mechanism)
• Canada’s federal privacy law (PIPEDA) requires informed consent, which means either express or implied as context suggests. You might argue that continued browsing constitutes implied consent, but I am not exploring that here!
• Australia (Privacy Act) - there is no absolute express requirement, but a contextual one. It is best practice to include an opt-out provision.

In the EU, we know from the CJEU’s ruling in the Planet49 case that consent cannot be given / obtained via a pre-checked box. In effect, the standard of consent whether or not cookies constitute personal data must be the GDPR standard of consent’ - freely given, specific, informed and unambiguous.

What's been happening in 2025?

Recently, the UK’s Data (Use & Access) Act came into force. Among other things, it amended PECR (the Privacy and Electronic Communications (EC Directive) Regulations) by increasing the maximum fine for breach from £500k to £17.5m, or 4% of global annual turnover. This is a huge change in the regulatory landscape and it appears that the Information Commissioner’s Office is already planning on undertaking dedicated enforcement action.

On the other side of the Atlantic, the CCPA in California requires that businesses provide “easy” mechanisms with “minimal steps” to opt out and that don’t “impair” the user’s ability to decide on their own. Already in 2025, the California Privacy Protection Agency (slightly confusingly, the CPPA) fined a major US retailer c.$350k, and a large auto company c.$625k. A major theme was not a lack of opt-out mechanism, but rather an opt-out that was more complicated than it should have been. That required too much effort. This has similarities with the FTC, NY and CA rules in relation to subscription cancellations, which must not be overly complicated.

So, the rules are not particularly complex. There is either opt-in or opt-out and both mechanisms must be simple and actually do what they say. The real complexity, however, lies in how to approach things operationally. Do we adopt an internationally fragmented approach based on jurisdiction, or a unified ‘highest common denominator’ approach? In other words, do we try to comply with every law separately, or take the strictest law and apply it across the board?

Surely it’s simple?

Yes, the concept is simple - when your business uses cookies for various reasons, it may be required to comply with privacy and consumer protection obligations. It becomes more complicated when your business operates across different jurisdictions, because different jurisdictions have different obligations. Operational inefficiencies like small privacy teams, stretched technical teams, lack of understanding and no cohesion between teams can cause gaps. If nobody is accountable, then the risk continues to increase.

• A fragmented approach:
• One option is to undertake compliance on a per-jurisdiction basis. This involves putting in place processes to ensure compliance with every relevant law. Obviously, it is high effort and high cost. It is time-intensive for both legal / privacy and technical teams. It isn’t a single solution, but a rules-based engine. You will need various template front-end banners, an ability to geolocate, and separate back-end logic. Ongoing maintenance and updates are also high effort, and compliance depends on a law-by-law basis.
• A unified approach:
• Alternatively, and instead of per-jurisdiction, you can adopt a path of least resistance by selecting the strictest law and apply it to all jurisdictions. It is a simpler starting point, requires a single front-end template, significantly less back-end logic, and can be updated with relative ease over time.

Threats and opportunities

We interact with cookies to no end. The phrase “consent fatigue” popped up in the last few years, and no wonder why! We live in a two-sided digital world - one side where businesses are trying to do the right thing, and the other side where businesses are trying to get away with as little as possible. The duplicitous cookie consent - it’s strictly necessary by default. But it’s also awkward enough to manage settings. We capitulate once again.

Threats and opportunities are two sides of the same coin. Risks, in other words. The main threats are lack of compliance, damage to consumer trust, and facing hefty fines for lack of compliance. On the other hand, there is an opportunity to build and enhance trust by being open and transparent, something consumers are increasingly demanding.

We also see various jurisdictions talking about system and process design in terms of deception, manipulation, or ‘dark patterns’. In other words, making opt-in or opt-out mechanisms that are easy to miss, difficult or awkward to use, or anything else that might be considered a forced pattern or deceptive practice. Some businesses will ask how they can truly comply to build trust, others will ask what the bare minimum is…a perennial issue!

‘This can go in the next sprint’

As I mentioned above, this article is written from the perspective of in-house legal and privacy functions who not only need to know the law, but also need to understand the strategic and operational reality of the businesses they advise.

Privacy leaders don’t need reminding of the theory. Well, maybe a little. But the real challenge is what to do about it in the day-to-day, when regulatory requirements meet operational realities. If you’re a legal, privacy, compliance or AI function and you haven’t heard a project manager tell you they don’t have enough “dev time”, you aren’t listening hard enough… Most privacy initiatives need various teams and players involved, which usually means that the initiative is treated as a project, placed in a ‘sprint’, and then given specific resources over a specific time period. If it’s mega urgent, it might be treated as an ‘injection’.

Basically, there is a lot of analysis, thinking, planning and discussion involved. Before you’re part of a sprint, make sure you’re sprinting in the right direction.

The compromise?

What’s more important - compliance certainty or potential revenue generation? Every business faces a trade off when it comes to legal and compliance, marketing, and the not-always-obvious back end resourcing issue of developer hours. Taking a unified approach with the strictest law, there is significantly less risk of non-compliance compared to a fragmented approach. Legal and privacy will, of course, be much happier. However, your business will almost certainly see fewer active consents for the use of non-essential cookies. This will have a knock-on effect for your sales and marketing teams, and ultimately, revenue. If your marketing team insists on analytics cookies by default, but your biggest market is the EU, you already know where that’s going to land you.

So what is the least bad option? Would it cost less (in terms of salary), or does potential revenue dwarf the operational cost of fragmented compliance?

How to think about it

The (potentially) several million dollar question! When you’re a global business, there is no right answer. It is entirely contextual. Do you fragment compliance across every jurisdiction? Do you go with the strictest requirement everywhere? Do you just bury your head in the sand?

First, get clarity on the following questions:

• What is the intended end result? Is it to comply with the laws, or is it to act as a risk control? These are not the same thing.
• Where are your major consumer bases? This can have an impact on risk tolerance and strategic compliance direction.
• How much friction / impact full a unified approach causes? Could a unified approach have a major negative impact on conversions?
• What resource issues do you have right now? Do you need to use a third party software? Does it need integration? What projects are devs taking on right now?

Operational issues to contend with

Before making a final decision, and gaining real clarity on what this means in practice, the following are some areas that need particular focus to ensure you don’t waste time:

1. Mapping requirements: Where are your customers? Which consent regime applies? What are the critical jurisdictions for your business?
2. Cookie categorisation: Analytics vs advertising vs functional. Regulators expect precision, not a one-size-fits-all banner.
3. Consent mechanisms: Balancing user experience with legal compliance. Too restrictive and you could lose revenue and insights, too lax and you risk fines and loss of trust.
4. Vendor management: Do you undertake proper vendor mapping and management? Do you have a good idea of the supply chain issues?
5. Documentation & auditability: DPIAs, RoPAs, and records of consent aren’t optional, but regulatory requirements. If you can be required to produce it, you need to make sure you have it.
6. Incident response: What happens if cookies are miscategorised? How do you contract with third parties? Proper due diligence beats hope every time.

Avoid half-baked or overcooked

The ‘right’ option is the one that works best for your strategy and risk tolerance. Maybe a key strategic priority is revenue generation at all costs. Maybe a fear is any reputation damage or regulatory intervention.

When it comes to in-house, legal and compliance functions aren’t doing a good enough job unless they are talking in terms of business risk, not just legal obligations. That means talking with leadership, dev teams, project managers. Where are the time pressures? What is the strategic direction of the business? If you’re in-house counsel or privacy leader, you can almost certainly answer “why?”. That’s not good enough anymore. You need to be prepared to answer “why now?”

The operational challenge of privacy isn’t going away. But the companies that approach it with clear, scalable frameworks will not only stay compliant, they also build trust with customers, regulators, and investors.

Don't just guess, make fully-informed and risk aware decisions to make sure your cookie banner isn’t just compliant, but consistent with your business’s values. Reach out today for help understanding whether your strategy should be fragmented or unified, or ask about our International Privacy Compliance health check packages!

This content is informational only and not legal advice. GLF is not a law firm regulated by the SRA.