Taking the cookie: what nonprofits need to know about the latest ICO guidance

Author information: Phil McMinn , Director of Digital Marketing , Post information: , 7 min read ,

In July 2019 the Information Commissioner's Office (ICO) published new guidance on how cookie consent on websites should be collected. Since GDPR came into force in May 2018, understanding around the legalities of gaining consent around cookie usage has been murky. The ICO’s announcement provides unambiguous guidance on how they interpret the GDPR, and it takes on some of the popular myths about how and when consent is required.

The announcement is concerning for the third sector, specifically around the use of Google Analytics, the tracking tool used by most websites.

This post outlines the key points from the ICO’s announcement, looks at the potential implications for nonprofits, shares data from a major UK charity that has already started testing the guidance’s implications, and suggests what your charity can do now to prepare for what comes next.


Organisations use cookies for many reasons. Two common examples are:

  • Gaining insight into how you’re interacting with a website
  • Sending data to advertising platforms (Google Ads, Facebook, Twitter, LinkedIn, Instagram etc) to allow organisations to show you tailored adverts as you browse the web

Large organisations routinely set hundreds of these cookies, including British Gas (173 cookies as I write this), The Guardian (221) and Mail Online (a mammoth 348).

When you visit a site with Google Analytics in place, a piece of JavaScript in the site’s code sets a first party cookie on your computer. This allows Google Analytics to collect data about the content you viewed, the things you did (downloading a PDF, filling in a form), anonymised, inferred demographic data (age, gender), your location and more. Google’s terms state clearly that the collection of personally identifying information such as your email address, phone number and name, is forbidden. The ICO see this cookie as “non-essential”—this data collection does not impact on the user’s ability to receive the service they’ve come to the site for.

The de facto post-GDPR response to gaining consent for cookies (both essential and non-essential) has been to include a pop-up with a variation of the message “I’m OK with cookies” or “By using this site, you’re OK with cookies”. Here’s what The Guardian currently do:

Guardian - Cookie Popup.png
The Guardian's cookie popup

There’s no clear option to say “No, I’m not OK with that”. Because users are more likely to take the path of least resistance, the ICO’s view is that this is not adequate consent. Instead “users must take a clear and positive action to consent to non-essential cookies”.

They’re likely right. We carried out a test over six months on one of our clients’ sites and found that 95% of users clicked “Continue” when presented with a basic “To accept cookies, click continue” ask, even when given the less-prominent-but-still-there option to not accept:

ASL - Cookie Banner.png
Click to continue
ASL - Cookie.png
The path of least resistance

Given how hot a topic privacy and data protection is in a post-Cambridge Analytica world, it’s far more likely this is evidence of users taking the easy option than “clear and positive action”.

What does the new guidance say?

The central pillar of the ICO’s new guidance is that you should not rely on implied consent for using “non-essential cookies”.

They say that analytics cookies are “not part of the functionality that the user requests when they use your online service – for example, if you didn’t have analytics running, the user could still be able to access your service. This is why analytics cookies aren’t strictly necessary and so require consent.” If you want to use Google Analytics on your site, you now need explicit consent.

The ICO have changed the cookie control mechanism on their own website to mirror the changes in the guidance. Now, when you visit the ICO site, Google Analytics is switched off by default.

The ICO's cookie banner

The potential implications for charities and nonprofits

For charities and nonprofits, the ICO’s position is concerning, and presents barriers to their ability to operate effectively in a digital world. Two ways charities use data collected by Google Analytics include:

  • Understanding drop-off points in a donation funnel. Google Analytics data allows you to test the impact of simplifying donation forms on the volume of donations. Many of our clients’ websites handle millions of pounds of revenue a year—even a 1% increase in the volume of donations, driven by form optimisations means much more money for the charity.
  • Allocating budget to specific marketing campaigns. A small charity has £1,000 to spend encouraging people to run the London Marathon and fundraise for their charity. They split this money between Facebook, Google and Instagram, running targeted ads on each platform. Google Analytics allows organisations to understand which platform, audience, ad format and messaging worked in driving signups, so money can be spent more efficiently and on the right audiences.

These examples challenge the ICO’s definition of these cookies as “non-essential”.

In both of these examples, there are alternative ways to collect data. In the first case, user testing the experience of a donation platform can help reveal pain points in a donation journey but to achieve the same level of detail and analysis would require significant budget, and the results would be less quantative. In the second example, a user’s traffic source can also be passed into a CRM without Google Analytics, allowing organisations to see where donations come from. But Google Analytics allows users across an organisation to view and act on this data quickly, and to report in more granular detail than a CRM can. In both cases, server-side logs can provide a version of the data.

Take away the car, and you can still get there on a horse. But that’s a hard pill to swallow for charities who are tasked with efficiently spending the money they—and their supporters—have worked so hard to raise.

What actions should you take now?

The complicated and shifting balance of power between regulatory organisations, as well as lack of resources, makes it unlikely that the ICO would take enforcement action before the ePrivacy Regulation (ePR) is applied in late 2019 or 2020.

That reduces the urgency to implement an ICO-like approach immediately. But ultimately, the ICO’s announcement is based on the law, so it’s difficult to see ways around their guidance as it stands. Not acting isn’t an option.

One person who understands this is Will Howells, Head of Digital at Terrence Higgins Trust. In response to the ICO guidance, he tested the ICO’s model of consent for Terrence Higgins Trust’s website. At the time of writing this, when you visit the Trust site, Google Analytics is off by default.


In a two week test period, the site saw a 70% drop in traffic reported into Google Analytics. Interestingly, the charity saw a sharp improvement in engagement metrics like bounce rate and time on site. In conversation with Will, the word “frustrating” came up a number of times in response to the ICO’s announcement. But he was also sanguine about the changes. The Trust were currently “spoiled with rich data” but he was frank about how much of that data was of actionable value. A 70% reduction in data still gives him 30% to model patterns on when exploring user behaviour on site. He saw CRM data playing a bigger part in future data analysis, and he wondered if Google might explore technology that allowed data to be sent to Google Analytics without a cookie being set. Lastly, content delivery networks (CDN) like Cloudflare provide generalised data around session spikes that could be attributed back to specific campaigns and activity.

While your charity might not be ready to adopt the ICO’s guidance right away, here are three steps you can take now to begin preparing for what’s ahead.

  1. Investigate what impact varying levels of “data dropoff” would have on your nonprofit. Think beyond how the loss would affect your ability to assess the performance of your website and talk to as many people in the organisation as possible (fundraisers, community and challenge event managers, the HR team) to ensure you’re considering the implications it would have on the charity’s ability to serve its end users. Don’t assume it’s just about your team—know the data’s value to your charity inside out.
  2. Draw up examples and case studies of where analytics has fed through to your charity’s site development and delivered a material benefit to the end-users e.g. a UX change driven by GA data made it easier for site visitors to find the information they need, or it resulted in higher donation amounts/rates. Samaritans recently saw a 200% increase in donation revenue when their new website relaunched, in part driven by quantitative data that led to a reduction in donation funnel drop-offs. Can your organisation point to a similar use of data? Have these examples ready.
  3. Begin drafting a persuasive pitch to your charity’s supporters. Explain why it’s in the user’s interest to accept—not for today's visit which has been great, but because you want all future visits to be great too. Explain that the positive experience of using that site today is partially a result of insights derived from analytics of previous visitors. And explain that the data collected has longer term benefits to the overall health of your charity. Ultimately, trust will play a decisive role in the data organisations have at their disposal. While Terrence Higgins Trust’s website saw a steep decline in traffic when they switched analytics off by default, they also saw engagement rates for users who accepted analytics cookies soar: bounce rates fell by 14% and time on site rose by 16 seconds. This doesn’t indicate that the quality of traffic somehow improved, but it does show that those users accepting cookies are more engaged users. Higher levels of engagement with a website might correspond to the level of trust a user has with a site, which should give charities a steer in how they approach this issue. You’re going to need to explain why you deem data from analytics tools to be essential as a charity—not just with a cookie banner but also via email, blog posts, conversations on social media. Being open, and explaining clearly what impact the data has on your charity, could well lead to an increased willingness to trust in that charity’s decision to use data, and increase clicks on the “Yes, accept” button.

Showing constructive engagement with this issue in each of these ways—even if you’re not immediately turning off analytics in the way the ICO have done—will always play better with the ICO than doing nothing.


Many people in the third sector who read the ICO’s announcement may well have experienced something akin to the sky falling in. At Torchbox HQ, it initially felt seriously worrying—without the endless data we have at our disposal, how can we continue doing what we do for our charities? The stark truth is that nonprofits will lose data. But having talked to various leaders across the sector, and thought through the positives that will come from understanding the value of data and explaining that value to your users, we see this as an opportunity to engage your supporters and build the trust you have with them. Taking that approach should ensure you still have significant data to work with, and it puts trust front and centre in the relationship between you and your audience.

Author information: Phil McMinn , Director of Digital Marketing , Post information: , 7 min read ,