Cookie Policy Template
Every cookie your website drops is a regulated data processing activity. Under PECR, non-essential cookies require prior informed consent. The ICO has fined organisations for invalid cookie consent, and its enforcement activity is increasing. For FCA-regulated firms, a non-compliant cookie implementation is simultaneously a PECR breach, a potential UK GDPR violation, and evidence of inadequate systems and controls under SYSC. The FCA doesn't wait.
What's included:
Four-category cookie classification: essential, analytical, marketing and advertising, and preference and personalisation
Consent requirements: valid consent characteristics, pre-consent information, consent mechanisms, documentation, and withdrawal management
Third-party cookies and sub-processor management: vendor due diligence, data processing agreements, and ongoing monitoring
Cookie banner requirements: legal standards, accessibility, granular consent options, and consent management implementation
International processing: EEA users, adequacy decisions, non-adequate jurisdiction controls, and multi-jurisdictional consent management
Data retention and deletion: retention schedules, automated deletion, user-initiated erasure, and audit trail
Ready-to-use appendices: Master Cookie Inventory Template, Consent Assessment Matrix, Third-Party Vendor Assessment Template, and Compliance Monitoring Template
+ much more
Who is this for?
Data Protection Officers, Compliance Officers, IT security teams, marketing leads, and web operations teams at FCA-regulated firms.
How it works
Step 1 — Read it. Every section exists for a reason, grounded in a specific regulatory obligation.
Step 2 — Understand it. Map the content against your current practices. Identify where you're strong and where gaps exist.
Step 3 — Make it yours. Tailor the language to reflect how your organisation actually operates. A policy that sounds like your firm is a policy your people will follow.
Step 4 — Take ownership. Assign clear accountability — Board approval, named SMF holder, designated policy owner. A policy without an owner is a liability, not an asset.
Step 5 — Operationalise it. Embed the policy into your governance calendar, training programme, and annual review cycle. This is where compliance becomes culture.
Or, get this free with RegTechPRO
Access this alongside the full compliance policy library — SM&CR, COBS, AML, Consumer Duty, GDPR, and more — for a fraction of the cost of consultancy.

