What is Cookie Compliance and How Does UK GDPR and PECR Apply?

Written by Joanne Hughes, Policy & Compliance Specialist at Policy Pros

Last reviewed: March 2026

What Are Cookies and Why Do They Matter?

Cookies are small text files that are placed on a user's device (computer, smartphone, or tablet) when they visit a website. They serve a wide range of functions, from remembering login details and shopping basket contents to tracking browsing behaviour and serving targeted advertising. While cookies are a fundamental part of how the modern internet works, their use raises significant privacy concerns because they can collect and store personal data, build detailed profiles of user behaviour, and track individuals across multiple websites.

For UK businesses operating websites, understanding and complying with the legal framework governing cookies is essential. The two primary pieces of legislation are the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and the UK General Data Protection Regulation (UK GDPR), enforced by the Information Commissioner's Office (ICO). Non-compliance can result in enforcement action, significant fines, and reputational damage.

What PECR Requires for Cookies

The Privacy and Electronic Communications Regulations 2003 (PECR) are the primary UK legislation governing the use of cookies and similar technologies. Regulation 6 of PECR sets out the key requirement: you must not store information on, or access information already stored on, a user's device unless the user has been given clear and comprehensive information about the purposes of that storage or access, and has given their consent.

This means that before placing any non-essential cookies on a user's device, the website operator must obtain the user's prior consent. The only exception is for cookies that are strictly necessary for the provision of a service specifically requested by the user. Strictly necessary cookies do not require consent under PECR.

PECR applies regardless of whether the cookie collects personal data. Even if a cookie is used purely for anonymous analytics or performance measurement, it still falls within the scope of PECR and requires consent unless it meets the strictly necessary exemption.

Valid Consent Under UK GDPR and PECR

The standard of consent required by PECR is aligned to the definition of consent in the UK GDPR (Article 4(11)). Consent must be:

  • Freely given: The user must have a genuine choice. Consent is not freely given if the user has no real option to refuse without detriment (for example, if access to the website is blocked unless all cookies are accepted).
  • Specific: Consent must be specific to each purpose. A blanket consent for all cookies, without distinguishing between different types and purposes, does not meet the legal standard.
  • Informed: The user must be provided with clear, plain-language information about what cookies are being used, what they do, who the data is shared with, and how long they persist, before being asked to consent.
  • Unambiguous: Consent requires a clear affirmative action by the user, such as ticking an unticked box or clicking an "Accept" button. Pre-ticked boxes, continued browsing, or silence do not constitute valid consent.

Users must also be able to withdraw their consent as easily as they gave it. If a user changes their mind and wishes to reject cookies they previously accepted, the website must provide a straightforward mechanism to do so.

Types of Cookies: Strictly Necessary vs Analytical and Marketing

Understanding the different categories of cookies is essential for determining which cookies require consent and which do not.

Strictly necessary cookies: These are cookies that are essential for the website to function as requested by the user. Examples include cookies that maintain a user's session while they navigate between pages, cookies that remember items in a shopping basket during a single session, and cookies required for security purposes such as preventing cross-site request forgery. Strictly necessary cookies do not require consent under PECR.

Analytical or performance cookies: These cookies collect information about how users interact with the website, such as which pages are visited most often, how long users spend on a page, and whether users encounter error messages. Common examples include Google Analytics cookies. While analytical cookies can provide valuable insights for website improvement, they are not strictly necessary for the website to function and therefore require prior consent under PECR.

Marketing or advertising cookies: These cookies are used to track users across websites for the purpose of displaying targeted advertisements. They build profiles of user interests and behaviour and are often set by third-party advertising networks. Marketing cookies always require prior consent, and users must be clearly informed about the third parties involved and the purposes for which their data will be used.

Functionality cookies: These cookies remember choices that users have made, such as language preferences, font size, or region. While they enhance the user experience, they are generally not considered strictly necessary and therefore require consent.

Compliant Cookie Banner Requirements

The ICO's cookie guidance, updated in 2022, sets out clear expectations for cookie banners (also known as cookie consent mechanisms). A compliant cookie banner must:

  • Appear before any non-essential cookies are placed on the user's device
  • Provide clear, concise information about the types of cookies used and their purposes
  • Offer a genuine choice to accept or reject non-essential cookies, with equal prominence given to both options (the ICO has specifically stated that making the "Accept" button more prominent than the "Reject" button is not acceptable)
  • Allow users to accept or reject cookies by category (for example, analytical, marketing, functionality) rather than on an all-or-nothing basis
  • Not use pre-ticked boxes or set non-essential cookies by default
  • Not rely on implied consent (such as continued browsing or scrolling) as a basis for setting cookies
  • Provide a link to the full cookie policy for users who want more detailed information
  • Allow users to change their cookie preferences at any time, with an accessible mechanism to do so (such as a persistent link in the website footer)

Cookie walls — where a user is prevented from accessing the website unless they accept all cookies — are generally considered non-compliant by the ICO, as consent given under such conditions is not freely given.
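The gating logic behind a compliant banner can be checked in code. The following is an added example, not Policy Pros' code: a small consent-state module for the browser that enforces the list above, with nothing non-essential enabled until a clear affirmative action, category-level choices, and a one-call withdrawal. The category names, the loader-registration API and the absence of DOM code are assumptions made for the example; a real site would wire recordChoice() to its banner buttons and persist the choice (for instance in a first-party cookie).

```javascript
// Added example (not Policy Pros' code): consent-state module that only runs
// cookie-setting code once its category has been consented to. Category
// names and the API shape are assumptions for the example.

const NON_ESSENTIAL = ["analytical", "marketing", "functionality"];

function createConsentManager() {
  // Default state: no decision recorded, every non-essential category off.
  // Nothing here ever flips a category on without recordChoice().
  const categories = {};
  for (const c of NON_ESSENTIAL) categories[c] = false;
  let decided = false;

  // Loaders (e.g. the snippet that sets an analytics cookie) wait here until
  // their category is consented to; loaders that ran are recorded in order.
  const pending = {};
  for (const c of NON_ESSENTIAL) pending[c] = [];
  const ran = [];

  function hasConsent(category) {
    return decided && categories[category] === true;
  }

  function drain(category) {
    while (pending[category].length) {
      pending[category].shift()();
      ran.push(category);
    }
  }

  // Only a clear affirmative action calls this: "Accept all", "Reject all"
  // or "Save preferences". Scrolling, continued browsing and timeouts never do.
  function recordChoice(choices) {
    for (const c of NON_ESSENTIAL) categories[c] = choices[c] === true;
    decided = true;
    for (const c of NON_ESSENTIAL) if (categories[c]) drain(c);
  }

  // Register code that sets cookies. Strictly necessary code runs at once;
  // anything else runs only after consent for its category is recorded.
  function whenConsented(category, loader) {
    if (!NON_ESSENTIAL.includes(category)) {
      loader();
      ran.push("strictly necessary");
      return;
    }
    if (hasConsent(category)) {
      loader();
      ran.push(category);
    } else {
      pending[category].push(loader);
    }
  }

  // Withdrawal is a single call, as easy as giving consent. The caller should
  // also expire that category's cookies so the site stops using them.
  function withdraw(category) {
    categories[category] = false;
  }

  return {
    recordChoice,
    acceptAll: () => recordChoice(Object.fromEntries(NON_ESSENTIAL.map((c) => [c, true]))),
    rejectAll: () => recordChoice({}),
    withdraw,
    hasConsent,
    whenConsented,
    ranCategories: () => ran.slice(),
  };
}
```

Note that "Accept all" and "Reject all" go through the same recordChoice() path, so the two buttons are functionally equal in prominence as well as visually; the only way a loader in a non-essential category ever runs is through an explicit choice that names that category.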

Cookie Policy vs Privacy Policy

Many businesses confuse the cookie policy with the privacy policy, or attempt to combine them into a single document. While they are related, they serve different purposes and should be treated as separate documents.

A cookie policy is a specific document that explains what cookies the website uses, what each cookie does, how long it persists, whether it is set by the website operator or a third party, and how users can manage their cookie preferences. It should be written in clear, accessible language and updated whenever the cookies used on the website change.

A privacy policy (also known as a privacy notice) is a broader document required by the UK GDPR that explains how the organisation collects, uses, stores, and shares personal data across all of its processing activities — not just those related to cookies. The privacy policy must include information about the legal basis for processing, data subject rights, retention periods, and contact details for the Data Protection Officer (where one has been appointed).

Policy Pros recommends maintaining separate cookie and privacy policies to ensure clarity and compliance. The cookie policy should link to the privacy policy, and both should be easily accessible from every page of the website.

ICO Enforcement Examples

The ICO has taken an increasingly active approach to cookie compliance enforcement. In recent years, the ICO has written to a number of the UK's top 100 websites to highlight areas of non-compliance, including the use of cookie banners that do not offer a genuine choice to reject non-essential cookies, the setting of advertising cookies before consent has been obtained, and the use of deceptive design patterns (so-called "dark patterns") that make it harder for users to refuse cookies than to accept them.

While the ICO has favoured an engagement and guidance-led approach rather than large-scale fines for cookie non-compliance to date, it has made clear that enforcement action — including monetary penalties of up to 17.5 million pounds or 4 per cent of annual worldwide turnover (whichever is higher) under the UK GDPR, and up to 500,000 pounds under PECR — remains available for serious or persistent breaches.

Organisations should not assume that the ICO's current approach will continue indefinitely. The ICO has signalled that it expects significant improvements in cookie compliance across the UK economy, and businesses that fail to act risk being subject to enforcement action as the regulatory environment tightens.

How to Audit Your Cookie Use

A cookie audit is a systematic review of all the cookies and similar tracking technologies used on your website. It is an essential step in achieving and maintaining compliance with PECR and the UK GDPR. A thorough cookie audit should:

  • Identify every cookie set by your website, including first-party and third-party cookies
  • Categorise each cookie by type (strictly necessary, analytical, marketing, functionality)
  • Document the purpose of each cookie, the data it collects, and its expiry period
  • Identify which cookies are set by third-party services (such as Google Analytics, social media plugins, or advertising networks) and review the data processing agreements with those providers
  • Check that no non-essential cookies are set before the user has given consent
  • Review the cookie banner for compliance with the ICO's current guidance, including the availability of a genuine reject option and granular category-based consent
  • Ensure the cookie policy accurately reflects the cookies currently in use
  • Establish a regular review cycle (at least annually, or whenever significant changes are made to the website) to keep the audit up to date

Tools such as browser developer consoles, dedicated cookie scanning services, and third-party consent management platforms can assist with the audit process, but manual review is also important to ensure accuracy.
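Several of the audit steps above (identify every cookie, record its expiry, check nothing non-essential is set before consent, confirm the policy matches what is in use) can be automated against the Set-Cookie headers a fresh visitor receives. The following is an added example, not Policy Pros' code: it parses Set-Cookie headers captured before any banner interaction, expresses each cookie's lifetime in days, and flags both non-essential cookies set pre-consent and cookies missing from the documented inventory. The inventory, the cookie names and the sample headers are constructed for the example.

```javascript
// Added example (not Policy Pros' code): pre-consent cookie audit over
// captured Set-Cookie headers. Inventory and sample headers are constructed.

// Constructed inventory: the cookies the site documents and their category.
const COOKIE_INVENTORY = {
  sessionid: { category: "strictly necessary", purpose: "keeps the user logged in during a visit" },
  csrftoken: { category: "strictly necessary", purpose: "cross-site request forgery protection" },
  _ga:       { category: "analytical",         purpose: "analytics visitor id", thirdParty: true },
  _fbp:      { category: "marketing",          purpose: "advertising network browser id", thirdParty: true },
  lang:      { category: "functionality",      purpose: "remembers language preference" },
};

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Lifetime in days: Max-Age takes precedence over Expires (RFC 6265), and a
// cookie with neither is a session cookie. "now" is fixed so the example is
// deterministic; a real audit would use the capture time.
function lifetimeDays(cookie, now = new Date("2026-03-01T00:00:00Z")) {
  const a = cookie.attributes;
  if (a["max-age"] !== undefined) return Number(a["max-age"]) / 86400;
  if (a["expires"] !== undefined) return (new Date(a["expires"]) - now) / 86400000;
  return 0; // session cookie
}

// Classify every cookie set before any consent was recorded. A non-essential
// cookie at this point is a PECR finding; a cookie absent from the inventory
// means the cookie policy cannot be describing current use accurately.
function auditPreConsent(setCookieHeaders) {
  const findings = [];
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    const entry = COOKIE_INVENTORY[c.name];
    const record = {
      name: c.name,
      days: Math.round(lifetimeDays(c)),
      category: entry ? entry.category : "unknown",
    };
    if (!entry) {
      findings.push({ ...record, issue: "not in inventory / cookie policy" });
    } else if (entry.category !== "strictly necessary") {
      findings.push({ ...record, issue: "non-essential cookie set before consent" });
    }
  }
  return findings;
}

// Constructed Set-Cookie headers, as if captured from the first response to a
// visitor who has not yet clicked anything on the banner.
const SAMPLE_HEADERS = [
  "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "csrftoken=xyz; Path=/; Secure; SameSite=Strict",
  "_ga=GA1.2.111; Max-Age=63072000; Path=/; Domain=.example.test",
  "_fbp=fb.1.222; Expires=Sat, 30 May 2026 00:00:00 GMT; Path=/",
  "tracker_id=9999; Max-Age=31536000; Path=/",
];
```

Running auditPreConsent(SAMPLE_HEADERS) reports the analytical and marketing cookies as set before consent and the undocumented tracker_id cookie as missing from the inventory; the two strictly necessary cookies pass. The same headers can be captured a second time after a "Reject all" click to confirm nothing non-essential appears then either.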

How Policy Pros Can Help

Policy Pros provides professional privacy policy writing and cookie compliance services for UK businesses. We draft cookie policies, data protection policies, and privacy notices that are fully aligned to the UK GDPR, PECR 2003, and the latest ICO guidance.

Whether you need a standalone cookie policy, a full data protection documentation suite, or a review of your existing cookie banner and consent mechanism, our team will ensure your website meets the legal requirements and reflects current best practice.

Contact Policy Pros today to discuss your cookie compliance and data protection policy requirements.
