Cookie Compliance for UK Websites — The Complete Guide
Cookie compliance is the easiest regulatory failure to see and the hardest to fix invisibly. A user visits your site, sees a cookie banner, clicks “accept all”, and expects their choice to mean something. If cookies are already set before the banner appears, if rejecting cookies doesn’t actually block them, or if there’s no “reject all” button, that choice is meaningless — and you’re in breach.
UK cookie law is governed by two overlapping regimes: PECR (which covers the placement of cookies) and UK GDPR (which covers the data processing those cookies enable). The February 2026 Data Use and Access Act (DUAA) reformed both, introducing five new cookie exemptions, tightening consent requirements, and increasing penalties to £17.5M or 4% of worldwide turnover.
This guide walks you through the regulatory landscape, what your site needs, and the practical steps to get there.
Why This Matters
The core principle is simple: cookies can’t be placed without consent (PECR) and personal data can’t be processed without a lawful basis (GDPR). Since most cookies process personal data — analytics identifiers, advertising IDs, session tokens, and behavioral signals all count — both rules apply simultaneously.
For UK SMEs, the practical risk isn’t theoretical. The ICO has enforcement tools. The DUAA gave it stronger ones. European regulators have issued multi-hundred-million-euro fines for cookie violations. The trend is toward stricter enforcement, not looser.
More immediately, a single customer complaint can trigger investigation. If your site doesn’t have a functioning consent mechanism, you’ll struggle to explain why cookies were placed without consent.
What Counts as a Cookie
PECR governs “cookies and similar technologies” — not just HTTP cookies but anything that stores or accesses information on a user’s device. This includes:
- Traditional HTTP cookies (session, persistent, third-party)
- Local storage and session storage (localStorage, sessionStorage)
- Fingerprinting scripts
- Tracking pixels
- Advertising identifiers
If it identifies the user or stores data about their behavior, PECR applies.
The Two Regimes
PECR: The Privacy and Electronic Communications Regulations 2003 control the placement of cookies. Before the DUAA (February 2026), they required consent for all non-essential cookies. The DUAA added five new exemptions: analytics cookies (aggregate statistics only, with an explanation and an opt-out), security, functionality, software-update, and interface-customisation cookies no longer require prior consent if specific conditions are met. But for most SME websites — those using standard Google Analytics, Facebook Pixel, HubSpot, or advertising networks — these exemptions don’t apply. Consent is still required.
UK GDPR: Once you’ve collected personal data via cookies, UK GDPR’s processing principles apply. You need a lawful basis for processing (consent is one option, but not the only one). You need a privacy policy that discloses what you’re doing. You need to respect data subjects’ rights (access, deletion, portability). Cookies make data processing visible; GDPR governs what you do with that data.
Both apply. Both require documentation.
Essential vs. Non-Essential
Cookies that are “strictly necessary” for a service the user has explicitly requested are exempt from prior consent. Shopping basket cookies, login session cookies, and language preference cookies are examples. Everything else requires opt-in.
The critical test: would the service function without this cookie? If yes, it’s not essential. This disqualifies almost all analytics, marketing, and advertising cookies.
Common misconception: “We only use Google Analytics, so we only have essential cookies.” Wrong. Google Analytics sets persistent identifiers (_ga, _gid) that track users across sessions. These are non-essential. They require consent.
The Consent Mechanism
A compliant consent mechanism must:
- Appear before non-essential cookies fire. This is the critical technical point. If a page loads Google Tag Manager, Facebook Pixel, or analytics before any user interaction, you’re placing cookies without consent. A banner that appears after the fact provides no legal protection.
- Offer genuine choice. “Accept all” cannot be easier than “Reject all.” If rejecting cookies requires multiple clicks, navigating to a settings page, or is simply unavailable, consent isn’t freely given. Both options must be equally prominent.
- Enable category-level granularity. Users should be able to accept analytics while rejecting marketing, or vice versa. All-or-nothing consent mechanisms are compliant but users appreciate choice.
- Actually block cookies. This is where most banners fail. The banner displays but scripts continue to execute. A compliant mechanism uses a consent management platform (CMP) that prevents non-essential scripts from loading until consent is given.
- Respect withdrawal. Users must be able to change their preferences as easily as they gave initial consent. A persistent link (usually in the footer) that opens a consent panel is the standard approach.
The Cookie Policy
PECR requires “clear and comprehensive information” about cookies. A brief statement (“we use cookies”) doesn’t satisfy this. Your policy must list:
- Cookie name
- Purpose (tracking, analytics, marketing, etc.)
- Provider (first-party or third-party domain)
- Type (session or persistent)
- Duration (how long it persists)
- Category (essential, analytics, marketing, functional)
Most consent management platforms can generate this automatically from a scan of your website. Many also provide template language you can customise.
Your cookie policy can be a standalone document or a section of your main privacy policy (though a standalone document is clearer).
Step 1: Audit Your Cookies
Start by identifying what’s actually on your site, not what you think is there.
Option A: Use a scanner. Tools like Cookiebot, CookieYes, or Termly scan your site and identify every cookie and third-party tracker. Most charge a fee but provide comprehensive results. Upload your site URL, let them run, and download the report.
Option B: Use browser developer tools. Open your site, open the browser console, clear cookies, and reload the page with Network and Storage tabs open. Note every third-party domain contacted and every cookie set before you interact with the page. This is manual but free.
Most site owners discover 2–3x more cookies than they expected. Expect to be surprised by plugins, embedded widgets, and CMS features you forgot about.
Step 2: Classify Cookies
Go through your audit and classify every cookie:
- Essential: Does the user need this for a service they’ve requested? If no, it’s not essential.
- Analytics: Does it measure site usage or user behavior (Google Analytics, Hotjar, Plausible)?
- Marketing: Does it track users across sites for advertising (Facebook Pixel, Google Ads, LinkedIn)?
- Functional: Does it improve user experience without direct marketing intent (live chat widgets, language preferences)?
- Unknown: Can’t determine the purpose? Mark it and investigate. Contact the provider if needed.
Be strict about “essential.” When in doubt, it’s not essential. If it would be convenient without the cookie but the service would still function, consent is required.
Step 3: Choose a Consent Management Platform
Select a CMP that actually blocks non-essential cookies until consent is given. Reputable options include Cookiebot, CookieYes, Termly, and Osano. Avoid banner-only solutions that display a notice without enforcing blocking.
Your CMP should:
- Provide a pre-built banner (customizable to your brand)
- Block scripts based on consent categories (before-consent and after-consent execution)
- Generate a cookie policy from your scanned cookies
- Store consent records (required for documentation)
- Integrate with your CMS or tag manager
Most require integration with Google Tag Manager or direct code placement to work.
Step 4: Configure Genuine Choice
Once your CMP is installed:
- Make “Reject all” as prominent as “Accept all.” Same size, same color, same position (or very close). Some CMPs place “Reject all” beneath “Accept all” or off to the side — adjust if so.
- Offer category granularity. Let users accept analytics but reject marketing. This isn’t required but users appreciate it.
- Don’t pre-tick any non-essential categories. Pre-ticked options count as assumed consent, which fails the freely given test.
- Place the preference center in a persistent footer link so users can change preferences on return visits. This is legally required and technically simple.
Step 5: Block Pre-Consent Scripts
This is the technical step that determines whether your mechanism actually works.
If you use Google Tag Manager, configure your tracking tags to fire only after consent is given. In GTM, this means applying consent-checking logic to your triggers. Similarly, if you use Facebook Pixel, HubSpot, or other tracking scripts, they should not execute until consent is confirmed.
Test this: clear cookies, open your site with the Network tab visible, and reload without interacting with the banner. If you see requests to Google Analytics, Facebook, advertising networks, or other non-essential domains, those scripts are firing pre-consent. Your mechanism isn’t working.
Your CMP should provide tools or documentation on how to properly block these. If you’re uncertain, ask your CMP vendor or your developer to verify.
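The gating described in the consent-mechanism section and in this step, as an added example in plain JavaScript (not code from the guide or from any CMP): a consent gate that holds non-essential tags until the user consents to their category, never pre-ticks, writes a consent receipt, and on withdrawal reports which cookies must be deleted. Tag loaders are passed in as functions so the logic runs without a DOM, and the cookie registry it expects is the name-to-category map from your Step 2 audit (the names used here are assumed sample values).

```javascript
// Consent gate: non-essential tags wait until the user consents to their
// category. Loaders are injected so this runs in Node without a DOM; in a
// browser each loader would append the vendor's <script> element.
const CATEGORIES = ["essential", "analytics", "marketing", "functional"];

function createConsentGate(now = () => new Date().toISOString()) {
  // Essential is always allowed; every other category starts denied
  // (nothing pre-ticked, nothing assumed from scrolling or continued use).
  const consent = { essential: true, analytics: false, marketing: false, functional: false };
  const pending = [];  // tags registered before consent to their category
  const fired = [];    // names of tags that have already executed
  const receipts = []; // { at, granted } records kept for the audit trail

  function runIfAllowed(tag) {
    if (!consent[tag.category] || fired.includes(tag.name)) return false;
    fired.push(tag.name);
    tag.load();
    return true;
  }

  return {
    // Register a tag: essential tags run at once, others wait for consent.
    register(name, category, load) {
      if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
      const tag = { name, category, load };
      if (!runIfAllowed(tag)) pending.push(tag);
    },
    // Record a choice (a category missing from `choices` counts as refused),
    // write a receipt, then release any pending tags that are now allowed.
    update(choices) {
      for (const c of CATEGORIES) if (c !== "essential") consent[c] = choices[c] === true;
      receipts.push({ at: now(), granted: CATEGORIES.filter((c) => consent[c]) });
      for (let i = pending.length - 1; i >= 0; i--) {
        if (runIfAllowed(pending[i])) pending.splice(i, 1);
      }
    },
    acceptAll() { this.update({ analytics: true, marketing: true, functional: true }); },
    rejectAll() { this.update({}); },
    // A script that already ran cannot be un-run, so on withdrawal the page
    // must delete the cookies of categories no longer consented to.
    // `cookieRegistry` maps cookie name to category, as in the Step 2 audit.
    cookiesToClear(cookieRegistry) {
      return Object.keys(cookieRegistry).filter((n) => !consent[cookieRegistry[n]]);
    },
    granted: () => CATEGORIES.filter((c) => consent[c]),
    fired: () => fired.slice(),
    receipts: () => receipts.slice(),
  };
}
```

In a GTM setup the same rule applies: the trigger for each non-essential tag checks the gate's `granted()` state rather than firing on page load.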
Step 6: Write Your Cookie Policy
Your cookie policy lists every cookie your site uses. Most CMPs generate this automatically, but you should review and customize it.
Standard structure:
- Introduction: Brief explanation of what cookies are and why you use them.
- Essential cookies: List by name, purpose, and provider.
- Analytics cookies: Same format.
- Marketing cookies: Same format.
- Functional cookies: Same format.
- How to manage cookies: Explain how users can change preferences and withdraw consent.
- Contact details: Where to email if they have questions about your cookie use.
Your policy should also link to your main privacy policy (which covers UK GDPR data processing obligations).
Step 7: Enable Withdrawal
Add a persistent link — usually in the footer or in a sidebar — that opens your preference center. Label it something like “Cookie preferences” or “Manage cookies.” This must be available on every page and easy to find.
Test it: reload the page after accepting consent, then click the link. Can you change your preferences? Can you withdraw consent entirely? If not, your mechanism is incomplete.
Step 8: Re-Audit Quarterly
Websites change. New plugins, new integrations, updated CMS versions — each can introduce new cookies. Schedule a quarterly re-scan to catch drift.
Many CMPs can alert you when a new domain is detected, which simplifies this process.
How to Check It Worked
After implementation, verify compliance:
- Clear cookies and reload your site with the Network tab open. Do non-essential requests fire before you interact with the banner? If yes, your mechanism is broken.
- Interact with the banner — click “Reject all.” Does the page reload without non-essential requests? Or do they continue? Rejection should block them.
- Click “Accept all” on a new session. Now do the requests fire? They should.
- Test preference withdrawal. Accept consent, then navigate back and change your preferences. Does the change persist? Can you withdraw entirely?
- Check for your cookie policy. Is there a link to it from the banner? Can you access it from your website?
- Verify documented consent. Your CMP should store a record that consent was given, what categories were consented to, and when. This is required for audit trail purposes.
If any of these steps fail, your mechanism isn’t compliant. Work with your CMP vendor or developer to fix it.
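An added example (not from the guide) that turns the first three checks above into a repeatable test: paste in what the Network and Storage tabs showed at the moment of capture, together with the domain and cookie classifications from your Step 2 audit, and it reports what fired or was stored without consent. The first-party host, the audit tables and the captured requests are constructed sample values.

```javascript
// Offline check of a consent capture: which third-party requests and cookies
// appeared that the user had not (yet) consented to?
const SITE_HOST = "www.example.co.uk"; // constructed first-party host

// Constructed Step 2 audit tables: which domain/cookie belongs to which category.
const DOMAIN_CATEGORY = {
  "cdn.cmp-vendor.example": "essential", // the CMP script itself must load first
  "www.google-analytics.com": "analytics",
  "connect.facebook.net": "marketing",
  "js.hs-scripts.com": "functional",
};
const COOKIE_CATEGORY = { PHPSESSID: "essential", _ga: "analytics", _gid: "analytics" };

// `requests`: URLs from the Network tab; `cookieHeader`: document.cookie as shown
// in the Storage tab; `granted`: categories consented to at capture ([] = banner untouched).
function auditCapture({ requests, cookieHeader, granted }) {
  const allowed = new Set(["essential", ...granted]);
  const findings = { preConsentRequests: [], unknownThirdParties: [], unconsentedCookies: [] };
  for (const url of requests) {
    const host = new URL(url).hostname;
    if (host === SITE_HOST) continue; // first-party page assets are fine
    const cat = DOMAIN_CATEGORY[host];
    if (cat === undefined) findings.unknownThirdParties.push(host); // mark and investigate
    else if (!allowed.has(cat)) findings.preConsentRequests.push({ host, category: cat });
  }
  for (const pair of cookieHeader.split(";")) {
    const name = pair.trim().split("=")[0];
    if (name === "") continue;
    // "When in doubt, it's not essential": unclassified cookies fail too.
    if (!allowed.has(COOKIE_CATEGORY[name])) findings.unconsentedCookies.push(name);
  }
  findings.compliant = findings.preConsentRequests.length === 0 &&
    findings.unknownThirdParties.length === 0 && findings.unconsentedCookies.length === 0;
  return findings;
}

// Constructed sample capture: cookies cleared, page reloaded, banner not touched.
const SAMPLE_BEFORE_INTERACTION = {
  requests: [
    "https://www.example.co.uk/",
    "https://cdn.cmp-vendor.example/cmp.js",
    "https://www.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER",
    "https://connect.facebook.net/en_US/fbevents.js",
    "https://widget.unknown-chat.example/loader.js",
  ],
  cookieHeader: "PHPSESSID=abc123; _ga=GA1.1.111; _gid=GA1.1.222",
  granted: [],
};
```

Run the same function on a capture taken after “Reject all” (it should still come back compliant) and after “Accept all” with the granted categories filled in (it should now pass with the tracker requests present).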
What’s Next
Cookie compliance is not a one-time fix. The DUAA continues to evolve — the full implementation is expected by June 2026, and Section 103 (which requires a formal complaints procedure) takes effect on 19 June 2026. Staying informed about changes is part of ongoing compliance.
If your site processes personal data (which it does via cookies), your privacy policy and data retention practices matter. Cookies are often the visible breach, but they’re part of a broader GDPR compliance obligation.
For a comprehensive audit of your website’s compliance — including cookie consent, GDPR data processing, and accessibility — Bartram Web screens your site against PECR, GDPR, and WCAG standards and delivers a report with a prioritised action plan. To stay informed about regulatory changes across cookies, data protection, and other compliance domains, subscribe to our fortnightly newsletter.
Updated 2026-03-23