Cookie content changes: what it means for your advisory firm
The Information Commissioner’s Office (ICO) has made a significant update to its detailed cookie guidance. Discover some of the key changes and what your financial advisory firm needs to do to remain compliant and avoid hefty penalties.
The ICO is updating its guidance to reflect changes in UK law, particularly the Privacy and Electronic Communications Regulations (PECR), bringing it more closely in line with GDPR-style requirements.
The guidance introduces clearer rules around consent, transparency, and documentation for cookies and similar technologies, replacing older or vague cookie advice.
The penalty for PECR breaches can reach up to £500,000. However, under GDPR, breaches tied to privacy may result in fines of up to £17.5 million or 4% of the company’s global turnover, whichever is higher.
What is the new ICO guidance?
In December 2024, the ICO released new guidance related to PECR, often referred to as the ‘Cookie Law.’
The new guidance refines how companies must obtain consent and inform users before using cookies and similar technologies.
The guidance has clarified:
It is not just about cookies but also tracking pixels, device fingerprinting, scripts, and tags.
Also in scope are any applications that store or access information on a user’s device (computer/mobile).
For the rest of this article, the term ‘cookie’ will be used to describe all of the technologies and in scope items above.
Additionally, the new guidance expands on existing cookie requirements. It aligns them more closely with General Data Protection Regulation (GDPR) principles, particularly in terms of obtaining explicit consent, ensuring transparency, and providing users with control.
Many companies across various industries have already introduced changes, such as more prominent cookie banners or forcing users to accept or reject cookies before they can interact with the website.
The ICO is reviewing UK websites for compliance, starting with those with the highest volume of traffic. Financial advice firms therefore need to act now to make sure they are compliant.
What do financial advice companies need to do to be compliant?
In summary, companies must do three things to be compliant:
Inform users that cookies (or similar technologies) are present and being used.
Explain what the individual cookies are doing and why.
Get the user’s consent to store a cookie on their device or to access the device.
How do you go about this?
Here are some suggested steps that financial advisory companies can take to become compliant:
Audit all cookies and tracking tools: Every first-party and third-party cookie, pixel, script and tag needs to be classified into one of two categories: strictly necessary, where no consent is required (the cookie is essential to provide a service the user has asked for, such as a login session, a fraud-prevention check or a basket), and optional (such as preferences, analytics and marketing), where consent is required. Anything you cannot classify should be treated as optional until you know what it does.
Update your privacy/cookie policy: The purpose of each cookie and the organisation that owns it must be stated. Further information can be provided as needed; the guidance does not explicitly define how much detail is required.
Enforce a consent response: Most companies already have a cookie banner, but it has not always been enforced that users must positively engage by accepting, rejecting or managing their choices. Under the updated guidance, a positive action must be obtained before any non-essential cookie is set or read, and simply continuing to browse does not count as consent. Rejecting must be as easy as accepting. If you use a cookie management platform, this is usually a configuration option.
Record the consent: You must record each user's consent interaction, including the time, date and method of consent, along with which categories they agreed to and which version of the policy they were shown, so that you can demonstrate consent later if challenged.
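The four steps above, as an added worked example in JavaScript (not code from the ICO, from Unbiased or from any cookie management platform): a minimal consent gate that classifies the cookies present against a site's own registry, loads optional tags only after a positive choice, clears optional cookies the user has refused, and builds the consent record. The registry entries, tag URLs and the sample cookie string are all constructed for illustration and are assumptions, not a real site's configuration.

```javascript
// Added example: a minimal consent gate for a site's own cookie and tag inventory.
// Everything below (cookie names, owners, tag URLs, sample cookie string) is constructed.

// Step 1 (audit): a registry of every cookie/tag the site sets, classified.
// Only "necessary" entries may run without consent.
const COOKIE_REGISTRY = {
  session_id: { category: "necessary",   owner: "example-advisers.co.uk", purpose: "Keeps you logged in" },
  csrf_token: { category: "necessary",   owner: "example-advisers.co.uk", purpose: "Protects forms against CSRF" },
  ui_theme:   { category: "preferences", owner: "example-advisers.co.uk", purpose: "Remembers dark/light mode" },
  _ga:        { category: "analytics",   owner: "Google Analytics (assumed)", purpose: "Counts visits" },
  _fbp:       { category: "marketing",   owner: "Meta Pixel (assumed)",      purpose: "Ad attribution" },
};

// Step 2 (policy): optional tags per category. Assumed URLs for illustration only.
const OPTIONAL_TAGS = {
  preferences: [],
  analytics:   ["https://www.googletagmanager.com/gtag/js"],
  marketing:   ["https://connect.facebook.net/en_US/fbevents.js"],
};

// Classify the cookies actually present in a document.cookie-style string.
// Names missing from the registry are reported as "unknown" so they get audited.
function classifyCookies(cookieString) {
  const result = { necessary: [], preferences: [], analytics: [], marketing: [], unknown: [] };
  for (const part of cookieString.split(";")) {
    const name = part.split("=")[0].trim();
    if (!name) continue;
    const entry = COOKIE_REGISTRY[name];
    (entry ? result[entry.category] : result.unknown).push(name);
  }
  return result;
}

// Step 4 (record): build the consent record to persist (server-side or in a
// first-party cookie). Categories not explicitly granted default to false.
function recordConsent(categories, method, now = new Date()) {
  return {
    policyVersion: "2024-12",              // the policy text the user was shown (assumed)
    timestamp: now.toISOString(),          // time and date of the interaction
    method,                                // e.g. "banner-accept-all", "banner-reject-all", "preferences-panel"
    categories: { preferences: false, analytics: false, marketing: false, ...categories },
  };
}

// Step 3 (enforce): which optional tags may load. No record yet means nothing optional loads.
function tagsToLoad(consent) {
  if (!consent) return [];
  return Object.entries(OPTIONAL_TAGS)
    .filter(([category]) => consent.categories[category] === true)
    .flatMap(([, urls]) => urls);
}

// Optional cookies the user has not consented to, plus any unregistered cookie
// (an undocumented cookie cannot be justified, so it is cleared and flagged).
function cookiesToClear(cookieString, consent) {
  const present = classifyCookies(cookieString);
  const clear = [];
  for (const cat of ["preferences", "analytics", "marketing"]) {
    if (!consent || !consent.categories[cat]) clear.push(...present[cat]);
  }
  return clear.concat(present.unknown);
}

// Browser wiring: expire refused cookies and inject permitted tags. Returns the
// actions taken so the call is inspectable; in Node (no document) it does nothing.
function applyConsent(consent) {
  if (typeof document === "undefined") return { cleared: [], loaded: [] };
  const cleared = cookiesToClear(document.cookie, consent);
  for (const name of cleared) {
    // Path/Domain must match the original cookie for expiry to take effect.
    document.cookie = `${name}=; Max-Age=0; Path=/`;
  }
  const loaded = tagsToLoad(consent);
  for (const url of loaded) {
    const s = document.createElement("script");
    s.src = url;
    s.async = true;
    document.head.appendChild(s);
  }
  return { cleared, loaded };
}

module.exports = { classifyCookies, recordConsent, tagsToLoad, cookiesToClear, applyConsent };
```

The important property is that `tagsToLoad(null)` is empty: until a record exists, the analytics and marketing scripts are never injected, so the first page view sets only the strictly necessary cookies. The consent record carries the policy version as well as the timestamp and method, because a record that cannot show what the user agreed to is of little use when the ICO asks you to demonstrate consent.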
More details on how to comply with the new rules can be found here.
What happens if my company is not compliant?
For those who do not comply with the new guidance, there are hefty consequences.
For breaches of PECR, the ICO can bring a criminal prosecution, take non-criminal enforcement action, or conduct an audit. It can also fine companies up to £500,000 for serious breaches of the PECR rules, and this fine can be issued against the organisation or its directors.
For breaches of GDPR, where the use of cookies and similar tools violates UK GDPR privacy principles, your company could face fines of up to £17.5 million or 4% of your worldwide turnover, whichever is higher.
These fines and legal actions are public, meaning companies that breach the guidance could face severe reputational damage, with knock-on effects such as loss of customer trust and decreased earnings.
Want to work with Unbiased?
Unbiased is the UK's leading asset under management (AUM) growth platform for financial advice firms.
Since 2010, Unbiased has generated over $100 billion in AUM opportunities for financial advisers, with 65% of prospects new to advice. Reaching more than 10 million consumers annually, it is the leading source of client demand in the industry.
We obtain, verify and validate leads, sending qualified leads who want your services directly to your inbox, as well as providing the tools you need to convert.
For you, this means connecting to new consumers in a repeatable and scalable way, making growing your business a lot easier.