How many of you have a Cookies pop-up on your website?


Hi all,

I understand we need a Cookies Policy but is a Cookies pop-up as soon as you arrive to site legally essential too? Most of what I see online seems to suggest it is, but then I come across numerous amount of websites which don’t.

I only use Google Analytics which uses Cookies. GA starts the second they land on my site, so technically I can give an opt-out option as the cookie collection has already started.

Thanks very much.


My understanding is that you do need a Cookie warning as soon as someone visits the site, but they don’t have to “pop-up” … I much prefer the more discrete ones at the top o bottom of the page.

When I create my WordPress website, I intend to use Civic UK to do this for me:

Which I believe is a Plugin you download and modify to your needs.

At the moment, 123-Reg creates the banner at the top of the page for me … all I need to do is link my Cookie policy to the “click here to read the Cookie policy”.

But I also recently came across some websites using a company called iubenda

The only thing I would say about this, is that they give you a standard privacy policy that links to their site and appears in a pup-up box, but also that the link button they provide can be really difficult to find (or interpret as the Privacy Policy) link as it looks like a logo.
Plus, since I know you had your PP custom made, it doesn’t seem very valuable to you.

Good luck with these last stages :wink:


Thanks Anna.

What does your 123 one say currently?

My understanding is that users have to be given the right to opt in from the moment they arrive at your page. So Google Analytics, for example, should be off until you agree - no cookies should be collected until someone agrees. But so many I see aren’t like that and generally work on the basis that, unless you say otherwise, cookies will be collected and indeed have already started to be, namely GA. Indeed some VA sites I’ve looked at have these “official” plug-ins coded for them, yet I’ve been able to dismiss the pop-up and so not agree, but not not agree either. When I later go back to it, it’s assumed I have agreed, and will continue to do so until I say otherwise. And I don’t think that’s GDPR compliant.

There’s a load of stuff on forums about how a lot of these plug-ins aren’t sophisticated enough for true GDPR compliance. It all sounds rather complicated to me and even after an hour call with my dad last night, who was a senior software developer, I don’t fully understand it.

Complications are added too when, as you say, the code and PP has to match. As mine has been drawn up for me, it then starts getting even more complicated.

The conclusion we came to is my dad, bless him, is going to write the code needed so GA is off until the user agrees. I don’t use any other cookies, so there’s no other issues otherwise. To me that sounds straightforward, but apparently it’s not as simple a simple code and a good bit of work to draw up.

It all seems a load of drama over nothing for the likes of work I/we do. I understand why different for other companies and industries.

Thanks for the detailed response! Much appreciated.


Oh I should add too that when I speak with my solicitor about my PP and terms, I was going to seek clarification from her re 1. No pop-up, 2. Pop-up but saying unless you say otherwise we will collect and indeed have already stayed using GA, 3. Having to opt-in before any can be placed.

What prompted this for me, was her sending me my PP for review and it saying in there that when it comes to cookies users have the right to opt in or out before any cookies are placed:

“As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this Technical Data by using cookies. A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site…”


Ah ha - here is the answer. In short, a cookies banner is essential, and the viewers consent has to be given prior to the installation of any cookies, unless those cookies fall within the Exempt category. The likes of Google Analytics, which is all I was worried about, fall under that.

Under the Cookie law, organizations that target users from the EU must inform users about data collection activities and give them the option to choose whether it’s allowed or not. This means that if your site/app (or any third-party service used by your site/app) uses cookies, you must first obtain valid consent prior to the installation of those cookies, except where those cookies fall into the category of exempt cookies. So in practice, you’ll need to show a banner at the user’s first visit, implement a cookie policy that contains all required information, and provide or inform users of the means by which they can refuse (or withdraw consent to) the processing. Prior to informed and explicit consent, no cookies – except for exempt cookies – can be installed.

Exemptions to the consent requirement:
Some cookies are exempt from the consent requirement and therefore are not subject to preventive blocking (though you’re still required to have the banner and cookie policy in place). The exemptions are as follows:

  • Technical cookies strictly necessary for the provision of the service. These include preference cookies, session cookies, load balancing, etc.
  • Statistical cookies managed directly by your organization (not third-parties), provided that the data is not used for profiling*
  • Statistical (anonymized) third-party cookies (e.g. Google Analytics)*