Overview
As a UK-based events company, ensuring your website and any third-party tools you use (such as registration forms, analytics platforms, or marketing integrations) are legally compliant with cookie and privacy laws is essential.
This guide explains:
- Why cookie consent is required under UK law
- Your responsibilities for third-party registration forms (even on separate domains)
- The applicable legislation
- Practical steps to ensure compliance
- The potential risks of non-compliance
⚠️ Disclaimer - This document is provided by ASP for general guidance only. It does not constitute legal advice and should not be relied upon as a substitute for professional legal consultation.
🔍 What Is Cookie Consent?
Cookie consent is when a user gives permission for your website—or tools used on your website—to store or access cookies or similar technologies on their device.
Cookies are often used for:
- Website analytics (e.g. Google Analytics)
- Personalisation (e.g. remembering user preferences)
- Marketing and advertising (e.g. retargeting)
- Tracking registration form completions
⚖️ What Laws Apply in the UK?
Two main regulations govern the use of cookies on UK websites:
1. PECR (Privacy and Electronic Communications Regulations)
- Requires clear and comprehensive information about the use of cookies.
- Consent must be freely given, specific and informed.
- Consent must be obtained before any non-essential cookies are set.
- Applies regardless of whether cookies are set by your site or a third-party provider embedded in your site.
2. UK GDPR (General Data Protection Regulation)
- Applies if cookies collect personal data, such as IP addresses or behavioural analytics.
- Requires a lawful basis for data processing—usually consent in the case of cookies.
- Demands transparency and gives users the right to withdraw consent at any time.
🤔 Do These Rules Apply to Third-Party Registration Forms?
Yes. If you use third-party registration platforms (e.g. Eventbrite, or similar), and those tools:
- Set cookies or tracking scripts,
- Collect personal data (e.g. email address, IP, location),
- Are accessed via links or embeds from your website,
…then your organisation shares legal responsibility for ensuring users:
- Are informed of this,
- Give valid consent before any non-essential cookies or tracking scripts are activated.
Even if the form is hosted on a separate domain, if your website links to it or embeds it, and users are tracked or profiled, you are still responsible.
📌 ICO Guidance
The Information Commissioner's Office (ICO) is the UK regulator responsible for enforcing PECR and UK GDPR.
Relevant excerpts from their guidance include:
“Where third-party cookies are set through a website, both you and the third party have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent.”
— ICO Guidance on Cookies and Similar Technologies
“As the online service provider, it is your responsibility to understand the technologies you intend to use and ensure you comply with PECR.”
— ICO Guidance on the Use of Storage and Access Technologies
✅ What You Must Do – Compliance Checklist
| Task | Required? | Notes |
|---|---|---|
| Show a cookie banner before setting cookies | ✅ | Must appear on the first visit, and renew regularly. |
| Allow users to opt in/out of non-essential cookies | ✅ | Consent must be granular, by category or purpose. |
| Link to a detailed cookie policy | ✅ | Should explain what cookies are used, by whom, and for what purpose. |
| Ensure embedded tools/forms support consent management | ✅ | Ask providers like if they support Google Consent Mode 2.0. |
| Use a Consent Management Platform (CMP) | ✅ | Consider Cookiebot, OneTrust, or Iubenda for ease. |
🔧 Common Tools to Review
| Tool or Integration | Cookie Consent Required? | Action |
|---|---|---|
| Google Analytics | ✅ | Must be blocked until consent is given; supports Consent Mode 2.0. |
| Meta Pixel (Facebook) | ✅ | Should not run until user opts in. |
| Third Party Registration Forms | ✅ (if cookies or tracking used) | Check if they support Consent Mode or respect third-party CMP. |
| Eventbrite | ✅ (if embedded/tracked) |
Ensure consent is collected before embedded widgets run. |
🧪 Example Scenarios
Scenario 1: Embedded Registration Form
You embed a Reg form directly into your event website. If it includes tracking scripts or sets cookies (e.g. for Google Analytics or Meta Pixel), you must ensure:
- Consent is collected before the form loads or cookies are triggered.
- Your CMP can block and unblock the form based on user consent.
Scenario 2: Link to a Third-Party Form on a Separate Domain
If your website links users to a hosted registration page (e.g. register.regform.com), and that page sets cookies:
- That third-party platform must have its own cookie banner.
- Your privacy or cookie policy should explain that users may be subject to third-party cookies when following that link.
🛠 How to Stay Compliant
-
Use a Consent Management Platform (CMP)
Integrate a CMP such as Cookiebot (works with ASP), OneTrust, or Iubenda to manage cookie opt-ins automatically. -
Implement Google Consent Mode 2.0
This allows you to control how Google tags behave before and after consent is given. -
Work with your third-party suppliers
Confirm that your registration providers can support Consent Mode or delay cookie setting until consent is granted. -
Keep your policies up to date
Ensure your cookie and privacy policies reflect all cookies and data collection methods—especially from third parties. -
Regularly scan your site
Use free tools like Cookiebot Scanner or Iubenda Cookie Scanner to identify all cookies in use.
🚨 Penalties for Non-Compliance
Failure to comply with PECR or UK GDPR can lead to serious consequences, including:
- Fines up to £17.5 million or 4% of annual global turnover (whichever is higher)
- Formal reprimands or enforcement notices
- Damage to reputation and customer trust
- Suspension of data collection or marketing activities
⚠️ Disclaimer
This document is provided by ASP for general guidance only. It does not constitute legal advice and should not be relied upon as a substitute for professional legal consultation.
ASP is not a legal, regulatory, or compliance expert and makes no warranties or guarantees regarding the accuracy, completeness, or applicability of the information provided. All organisations are responsible for ensuring their own compliance with data protection and privacy laws, which may vary depending on the location of your users, technologies used, and nature of data collected.
We strongly recommend consulting a qualified legal or compliance professional to assess your organisation’s specific responsibilities.
ASP accepts no liability whatsoever for any loss, enforcement action, penalty, or damage arising from the use or interpretation of this guide.
📑Further Reading
Understanding Cookie Compliance: Why It Matters & How It Affects Your Data
Cookie Update: Switch to a Specialist Cookie Provider
Comments
0 comments
Please sign in to leave a comment.