In short, the guidance confirms what most data practitioners already knew about cookie requirements and there are few big surprises. However, since many companies have not been complying, steps will need to be taken by huge numbers of sites and services to avoid censure now that the regulator has confirmed what it expects. There is no transition or lead time for compliance. This is in force now.
One reason companies had been reluctant to make wholesale changes to their cookie approach following the implementation of the General Data Protection Regulation (GDPR) is that the rules on installing cookies are set out in the separate Privacy and Electronic Communications Regulations (sometimes referred to as PECR or the e-Privacy Regulations). This legislation is in the process of being updated, and many had therefore been waiting for it to be finalised before really worrying about taking action. The ongoing delays here have not been helpful. However, this guidance sends a warning to companies: just because there may be future changes does not mean you do not have to comply with the existing regime and, of course, GDPR.