If your website uses cookies, cookie consent UK GDPR rules almost certainly apply to you — but the legal framework behind cookie banners often gets confused with GDPR itself. In reality, cookie consent is governed by a separate but related set of rules, and getting them wrong is one of the most common compliance gaps on UK business websites.
This guide breaks down exactly which cookies need consent, what a valid consent mechanism looks like, and how to design a cookie banner that satisfies both the law and the ICO's expectations for 2026.
What Are PECR and How Do They Relate to UK GDPR?
The Privacy and Electronic Communications Regulations (PECR) are the UK's specific rules on cookies, electronic marketing, and similar tracking technologies. PECR sits alongside UK GDPR rather than replacing it — think of PECR as the rulebook for how you gain consent for cookies, while UK GDPR sets the wider standard for what counts as valid consent once you have it.
In practice, this means:
- PECR requires you to get consent before placing most non-essential cookies on a user's device
- Where personal data is then processed as a result of those cookies (for example, building an analytics profile), UK GDPR governs that processing
- The UK GDPR definition of valid consent — freely given, specific, informed and unambiguous — applies to cookie consent too
Because the two frameworks overlap, "PECR compliance" and "cookie banner compliance UK" are really the same conversation. If you want a broader grounding in how consent-based marketing works across all channels, not just cookies, our GDPR for marketing teams guide is a useful foundational read before diving into cookie-specific detail.
Which Cookies Need Consent?
Not every cookie requires consent. PECR draws a distinction between cookies that are strictly necessary and those that are not.
Strictly necessary cookies (no consent required) typically include:
- Cookies that remember items in a shopping basket
- Session cookies required for login and authentication
- Load-balancing or security cookies essential to the site functioning
- Cookies used to remember consent preferences themselves
Cookies requiring consent typically include:
- Analytics cookies that track user behaviour across a site
- Advertising and retargeting cookies
- Third-party embedded content cookies (such as social media widgets or video players)
- Personalisation cookies that go beyond basic functionality
The test is not whether a cookie is useful to your business — it's whether the website could function without it from the user's perspective. If the answer is yes, consent is almost certainly required.
What Counts as Valid Cookie Consent?
Valid cookie consent must meet the same standard as consent anywhere else under UK GDPR: it must be freely given, specific, informed, and unambiguous.
In cookie terms, this means:
- No pre-ticked boxes — every non-essential cookie category must default to "off" until the user actively opts in
- Granular choice — users should be able to consent to some cookie categories (e.g. analytics) without being forced to accept others (e.g. advertising)
- Clear information — the banner or linked cookie policy must explain what each category of cookie does, in plain language
- Genuine ability to refuse — declining cookies must not block access to core website content that doesn't depend on those cookies
A cookie banner that only offers "Accept" with no equivalent way to decline does not meet this standard, regardless of how the banner is worded.
Getting your marketing and web teams aligned on this standard is often where organisations struggle most. Our consent under GDPR guide covers cookie consent requirements in detail, alongside the wider marketing consent rules under GDPR.
Designing a Compliant Cookie Banner
A compliant cookie banner needs to balance legal requirements with usability. Key design principles include:
- Equal prominence for accept and reject — the option to reject non-essential cookies should be just as visible and easy to select as the option to accept them, not hidden behind a secondary link or additional clicks
- No cookies set before consent — non-essential cookies must not load until the user has made a choice
- Layered information — a short summary in the banner, with a link through to a full cookie policy for those who want more detail
- Easy access to change preferences later — a persistent link or icon allowing users to revisit and update their cookie choices at any time
- Consistent presentation across devices — mobile and desktop banners should offer the same genuine choice, not a stripped-down mobile version that nudges users toward acceptance
Many organisations now use a consent management platform (CMP) to handle this consistently across their site, log consent choices, and manage cookie scripts so that nothing fires before consent is given. A CMP doesn't guarantee compliance on its own, but it removes much of the manual risk of cookies loading too early.
Analytics, Marketing and Third-Party Cookies
Analytics cookies are a frequent source of confusion. There is a narrow exemption under PECR for very basic, first-party analytics used solely to improve a website, but in practice, most commonly used analytics tools — including standard implementations of Google Analytics — do not meet this exemption and do require consent.
Key points on analytics cookies GDPR compliance:
- Assume analytics cookies require consent unless you have specific, documented reasoning otherwise
- Third-party analytics and advertising cookies almost always require consent, since they typically involve data being shared with, or processed by, an external provider
- Social media embed cookies (such as share buttons or embedded posts) usually count as third-party cookies requiring consent, even though they may feel like a minor addition to a page
Marketing and advertising cookies carry the highest compliance risk, since they often involve building profiles used for targeted advertising across multiple sites. These should always sit behind explicit, granular consent — never bundled in with essential or analytics cookies.
Common Cookie Consent Mistakes
The most frequent cookie compliance failures on UK websites include:
- Loading cookies before consent — scripts firing automatically on page load regardless of user choice
- "Accept all" only banners — offering no equally easy way to reject
- Bundled consent — combining analytics, marketing, and third-party cookies into a single all-or-nothing toggle
- Assuming analytics cookies are exempt — without genuinely meeting the narrow exemption criteria
- No easy way to withdraw — requiring users to dig through browser settings rather than providing an on-site preference centre
- Outdated cookie policies — listing cookies that are no longer in use, or missing newer ones added since the policy was last reviewed
- No consent record-keeping — being unable to demonstrate when and how a user's consent was captured
Each of these gaps increases regulatory exposure and undermines the trust a compliant cookie banner is meant to build. If your organisation is unsure where your current setup falls short, see our cookie consent & tracking controls setup guide to close the gap across your marketing and development teams.
What the ICO Expects From UK Websites
ICO cookie guidance is clear that cookie banners offering only an "accept" option, with no equivalent reject mechanism, do not meet PECR requirements. The ICO has previously written to organisations operating non-compliant cookie banners and expects prompt remediation once concerns are raised.
Broader ICO expectations for 2026 include:
- Genuine, granular choice for users over non-essential cookies
- Clear, accessible information about what each cookie category does
- No use of dark patterns designed to nudge users toward acceptance
- Ongoing review of cookie usage as websites and third-party tools change over time
- Maintaining accurate consent records that can be produced on request
Non-compliance can result in formal ICO enforcement action, and cookie compliance is treated as a mainstream part of wider UK GDPR and data protection UK obligations — not a lower-priority side issue.
Training Your Marketing Team on Cookie Compliance
Cookie consent failures are rarely deliberate. More often, marketing teams add a new tracking pixel, analytics tool, or third-party embed without realising it changes the site's cookie footprint and consent requirements.
Effective training for marketing and web teams should cover:
- How to identify whether a new tool or script sets cookies requiring consent
- Why "accept all" only banners fall short of PECR requirements
- How consent management platforms work and how to configure them correctly
- The importance of keeping cookie policies and banners up to date as tools change
- How cookie consent connects to the wider GDPR marketing consent rules covered in the GDPR for marketing teams guide
Building this awareness into onboarding and ongoing training — through GDPR training for marketing professionals — reduces the risk of avoidable compliance gaps creeping in as your website evolves.
FAQs
Do all cookies require consent under UK law?
No. Strictly necessary cookies — such as those required for login, security, or basic site functionality — don't require consent. Most other cookies, including analytics, marketing, and third-party cookies, do require valid consent under PECR.
Can I use a 'accept all' only cookie banner?
No. ICO cookie guidance is clear that users must be given an equally easy way to reject non-essential cookies as to accept them, so an "accept all" only banner does not meet PECR requirements.
Are Google Analytics cookies exempt from consent?
Generally, no. While there's a narrow exemption for very basic first-party analytics, most standard analytics implementations, including typical Google Analytics setups, do not meet this exemption and require consent.
What happens if my website doesn't comply with PECR?
Non-compliant websites risk formal ICO enforcement action, which can include investigations and penalties. The ICO has previously contacted organisations directly about non-compliant cookie banners and expects issues to be fixed promptly.
How often should cookie consent be refreshed?
There's no fixed statutory interval, but consent should be refreshed whenever your cookie usage changes materially, and cookie policies should be reviewed regularly to ensure they accurately reflect what's currently in use on your site.
Make sure your marketing team gets cookie consent right — explore our Data Protection Training for Marketing Teams course and build a website that's genuinely compliant, not just cookie-banner deep.