PECR Explained — UK Cookie Law Beyond GDPR

explainer 7 min read Updated 2026-03-23

Most UK businesses know about GDPR. Many assume cookie consent is a GDPR question. It’s not — or rather, it’s both. Cookie consent is primarily governed by PECR, a separate regulation that sits alongside GDPR and covers the narrower question: can you place a cookie on someone’s device?

PECR (the Privacy and Electronic Communications Regulations 2003) doesn’t care what data you collect or how you use it — that’s GDPR’s job. PECR cares about the placement decision itself: do you have the right to put a tracking script on this user’s device before they’ve asked for it?

The distinction matters because PECR is stricter. Where GDPR allows consent as one lawful basis among several, PECR requires consent for almost all cookies. There’s no “legitimate interest” escape route. You can’t rely on a privacy policy and hope users understand what cookies you’re setting. You need affirmative, prior consent — which is why “accept all” is everywhere and “reject all” is either hidden or missing.

The Data Use and Access Act (DUAA) amendments that took effect in February 2026 reformed PECR, introducing five new cookie exemptions and dramatically increasing penalties. This is what you need to know.

What PECR Covers

PECR applies to “cookies and similar technologies” — any mechanism that stores or accesses information on a user’s device. This includes:

  • HTTP cookies (first-party and third-party)
  • Local storage and session storage
  • Web beacons and tracking pixels
  • Fingerprinting scripts

If it identifies the user or stores behavioral data on their device, PECR applies.

The core PECR rule: you cannot place a non-essential cookie without the user’s prior, informed consent.

“Prior” means before the cookie is set. If a page loads analytics or advertising scripts before the user sees a banner, you’ve placed cookies without consent. A banner that appears afterward is decorative, not protective.

“Informed” means the user understands what the cookie does, why you’re placing it, and who benefits from it. A vague “we use cookies to improve your experience” doesn’t meet this standard.

“Consent” under PECR means affirmative, freely given agreement. Pre-ticked boxes don’t count. Assumed consent (silence = agreement) doesn’t count. A banner that offers only “Accept all” with no genuine “Reject all” option doesn’t satisfy the freely given requirement.

The exception: “essential” cookies. These are cookies strictly necessary for a service the user has explicitly requested — shopping baskets, login sessions, security tokens. These don’t require prior consent. Everything else does.

The Five DUAA Exemptions (February 2026)

The Data Use and Access Act introduced five new exemptions to the consent requirement. These are important because they reduce the number of consents you need — but the conditions are specific and often misunderstood.

Analytics cookies (aggregate statistics only). If your analytics cookies only process aggregate statistics (never individual user journeys), you provide a clear explanation to users, and you offer a free opt-out, they don’t require prior consent. This sounds like Google Analytics, but it rarely is: GA4 tracks individual user journeys and sets persistent identifiers. Aggregate-only tools like Plausible or Fathom are more likely to qualify. The burden is on you to prove all three conditions are met.

Security cookies. Cookies that prevent fraud, detect attacks, or enforce security policy don’t require prior consent.

Functionality cookies. Cookies that enable or improve site functionality (language preferences, accessibility settings, form state) don’t require prior consent if they don’t process personal data for other purposes.

Software update cookies. Cookies used only for software updates don’t require prior consent.

Interface customization cookies. Cookies that remember user preferences for site appearance, layout, or interface don’t require prior consent.

These five are narrow. If you use Google Analytics, Facebook Pixel, HubSpot, Hotjar, or any advertising network, none of these exemptions apply. You still need consent.

Who’s in Scope

PECR applies to any organisation placing cookies on the devices of UK residents. This includes:

  • UK-based websites serving UK visitors
  • Non-UK websites that accept UK visitors and set cookies on their devices
  • App-based services that use cookie-equivalent technologies

It doesn’t matter where your business is based. If you place cookies on UK visitors’ devices, PECR applies.

Common misconception: “We’re a tiny business, so enforcement won’t target us.” PECR applies regardless of business size. However, enforcement is more likely to be triggered by customer complaints than proactive ICO action. A visitor who notices cookies firing without consent and complains can escalate to investigation.

What Happens If You Don’t Comply

Before February 2026: PECR breaches could result in fines up to £500,000.

After February 2026 (DUAA): PECR breaches now attract the same penalties as UK GDPR breaches — up to £17.5M or 4% of worldwide turnover, whichever is higher.

This is a significant increase and signals that enforcement posture has changed. The ICO now has stronger tools and clearer authority to penalize cookie violations.

The practical path to enforcement usually isn’t proactive ICO action (at least not yet for SMEs). It’s a customer complaint. A visitor notices your site firing cookies without consent, files a complaint with the ICO, and the ICO opens an investigation. That’s when documentation becomes crucial: do you have records of consent? Do you have proof your mechanism blocks pre-consent scripts?

ICO enforcement of cookie compliance has historically been lighter than GDPR enforcement. The ICO published guidance in 2019 and issued some enforcement notices to egregiously non-compliant sites, but routine cookie violations among SMEs haven’t been a primary target.

This is changing. The DUAA gave the ICO updated tools and stronger authority. More importantly, European regulators have set precedent. France’s CNIL fined Google €150M and Facebook €60M for cookie violations in 2022. Those fines were for GDPR equivalents of PECR violations. The UK is following the same path.

For SMEs, the immediate risk isn’t a £17.5M fine. It’s a complaint-triggered investigation, which is far more likely. And the outcome of that investigation — even if it doesn’t result in a fine — means disclosure of your practices, potential remediation orders, and reputational damage.

Key Dates

Date             Event
2003             PECR enacted (implements EU ePrivacy Directive)
2019             ICO publishes updated cookie guidance
February 2026    DUAA Part 5 takes effect — five new exemptions, £17.5M fines
June 2026        DUAA full implementation expected, including browser-level consent signalling
19 June 2026     Section 103 takes effect (formal complaints procedure requirement)

The Interaction With GDPR

PECR governs placement; UK GDPR governs processing. They work together.

PECR requires consent before placement. Once cookies are placed, UK GDPR requires a lawful basis for processing the data they collect. Consent is one lawful basis, but not the only one. However, if PECR has already required consent (which it does for most cookies), then consent is your lawful basis under GDPR as well.

This means cookie compliance spans both regulations:

  • PECR: Consent mechanism, genuine choice, prior placement, withdrawal rights
  • GDPR: Privacy policy (what data you collect and why), retention policy (how long you keep it), data subject rights (access, deletion, portability)

A compliant site needs both.

What to Check

To assess your PECR compliance:

  1. Do non-essential cookies fire before consent? Clear your cookies, open the browser developer tools’ Network tab, reload the page, and look for third-party requests (Google Analytics, Facebook, advertising networks, etc.) before you interact with any banner. If these fire before consent, you’re non-compliant.

  2. Is your consent mechanism functional? Does clicking “Reject all” actually prevent non-essential cookies? Most banners are decorative — they display but don’t block. A functional mechanism uses a consent management platform (CMP) that prevents scripts from executing until consent is given.

  3. Do you offer genuine choice? Is “Reject all” as prominent and easy as “Accept all”? If rejecting requires multiple clicks or navigating elsewhere, consent isn’t freely given.

  4. Do you explain what cookies do? Do you have a cookie policy listing each cookie, its purpose, provider, and duration? “We use cookies to improve your experience” isn’t enough.

  5. Can users withdraw consent? Is there a persistent link (usually in the footer) that opens a preference center where users can change their consent at any time?

If you can’t tick all five, your PECR compliance is incomplete.
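As an added example (not code from the article or from Bartram Web), here is the script-gating logic that checks 2, 3 and 5 describe, with the five DUAA exemption conditions from the section above encoded as well; tag hosts, category names and the consent flow are assumptions constructed for illustration:

```javascript
// Added example (not the article's or Bartram Web's code); hosts and categories are constructed placeholders.
const CONSENT_VERSION = 2; // bump whenever the cookie policy changes

// Strictly-necessary cookies plus the five DUAA exemptions; analytics only with all three conditions.
function isExempt(tag) {
  switch (tag.category) {
    case 'essential': case 'security': case 'software-update': case 'interface':
      return true;
    case 'functionality':
      return tag.personalDataForOtherPurposes !== true;
    case 'analytics':
      return tag.aggregateOnly === true && tag.explained === true && tag.freeOptOut === true;
    default:
      return false; // advertising, social pixels, session replay, ...
  }
}

// Silence is not consent: no record, or one made under an older policy version, leaves the tag inert.
function mayRun(tag, record) {
  if (isExempt(tag)) return true;
  if (!record || record.version !== CONSENT_VERSION) return false;
  return record.choices[tag.category] === true;
}

// Each user action (accept all, reject all, per-category choice, later withdrawal) is appended
// to the audit log and becomes the current record. "reject-all" grants nothing but is remembered.
function recordChoice(log, action, categories, now) {
  const choices = {};
  for (const c of categories) {
    choices[c] = action === 'accept-all' ? true
               : action === 'reject-all' ? false
               : action[c] === true; // object of per-category booleans
  }
  const record = { version: CONSENT_VERSION, timestamp: now, choices };
  log.push(record);
  return record;
}

// Split tags into those that may execute now and those that must stay inert.
function gateTags(tags, record) {
  const run = [], blocked = [];
  for (const t of tags) (mayRun(t, record) ? run : blocked).push(t.src);
  return { run, blocked };
}
const SAMPLE_TAGS = [ // constructed sample; .test hosts are placeholders
  { src: 'https://example.test/session.js', category: 'essential' },
  { src: 'https://ga.example.test/tag.js', category: 'analytics', aggregateOnly: false },
  { src: 'https://stats.example.test/agg.js', category: 'analytics', aggregateOnly: true, explained: true, freeOptOut: true },
  { src: 'https://ads.example.test/pixel.js', category: 'advertising' },
];
```

In a real page the non-exempt tags would be held as inert markup and only activated once gateTags returns them in run; the audit log is what you would produce in a complaint-triggered investigation.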

What This Means in Practice

PECR consent isn’t a box to check once. It’s an ongoing requirement. Users should be able to manage their preferences across their visit and on return visits. Your consent records should be maintained (audit trail). Your cookie policy should be current as your website changes.

The February 2026 amendments to PECR (via the DUAA) bring the five exemptions and stricter enforcement. Understanding which cookies qualify for exemptions and which still require consent is essential. When in doubt, get consent — it’s the safe path.

If you’re uncertain about PECR compliance on your site, Bartram Web screens for PECR violations (pre-consent tracking, missing cookie policies, non-functional consent mechanisms) and flags them in a report. To stay informed about PECR and GDPR updates, subscribe to our fortnightly newsletter.
