For UK business owners, complying with cookie laws is essential not only to avoid fines but also to build trust with website visitors. The Privacy and Electronic Communications Regulations (PECR) and UK General Data Protection Regulation (UK GDPR) set strict requirements on how cookies can be used and how consent must be obtained. Understanding these rules ensures your website’s cookie policy and consent mechanisms are legally sound and customer-friendly.

Key Fact             Details
Legislation          UK PECR and UK GDPR
Consent Requirement  Prior, informed, freely given, and specific consent before non-essential cookies are set
Types of Cookies     Strictly necessary, preferences, statistics, marketing
Cookie Banner        Must allow users to accept or reject non-essential cookies with clear options
Cookie Policy        Must detail cookie types, purposes, duration, and how users can manage preferences

Cookies are small text files stored on a user’s device when they visit a website. They help improve user experience and enable website functionality, but they can also track users’ behaviour, raising privacy concerns. In the UK, cookie use is governed primarily by two legal frameworks:

  • Privacy and Electronic Communications Regulations (PECR) 2003 – which require obtaining consent before placing non-essential cookies;
  • UK General Data Protection Regulation (UK GDPR) – which classifies cookies as personal data if they identify an individual and sets out data protection principles for their use.

These laws mean that UK websites must usually get clear consent from visitors before using cookies that are not strictly necessary for the website’s operation.

Consent under UK GDPR and PECR must be:

  • Freely given: Visitors must have real choice and control;
  • Specific: Consent should be granular, covering different cookie categories;
  • Informed: Users must be provided with clear information on cookie purposes;
  • Unambiguous: Actions like clicking ‘Accept’ must clearly indicate consent;
  • Revocable: Users should easily withdraw consent at any time.

Pre-ticked boxes or implied consent (e.g., continued use of the site) are not valid. Consent must be recorded and auditable.

Examples of Valid Consent Methods

Common and compliant consent mechanisms include cookie banners or pop-ups that:

  • Explain cookie categories (e.g., preferences, analytics, marketing);
  • Offer clear “Accept all” and “Reject all” options;
  • Allow users to select or deselect specific cookie types;
  • Link to a detailed cookie policy.

Choosing the right cookie banner is critical in meeting legal requirements and providing a good user experience. The banner should appear immediately on the visitor’s first visit and prevent non-essential cookies from being set until consent is given.

Key features of an effective cookie banner include:

  • Clear and concise language explaining cookie use;
  • Easy-to-understand options for accepting or rejecting cookies;
  • Ability to manage preferences and change consent later;
  • Accessibility for all users, including those using assistive technologies.

Your cookie policy is a key document that complements your cookie banner and provides detailed information to users. It must be easily accessible from every page of your website, often linked in the banner itself.

According to ICO guidelines and UK GDPR, a cookie policy should cover:

  • What cookies are: A simple explanation of cookies and their purpose;
  • Types of cookies used: Categorise cookies (e.g., strictly necessary, performance, targeting);
  • Which cookies your website uses: Name, purpose, and duration of each cookie;
  • How users can control cookies: Instructions to opt-out or manage preferences;
  • Third-party cookies: Any cookies set by external services (e.g., Google Analytics, social media plugins);
  • Update information: How often the policy is reviewed and updated.

Practical Steps for Compliance

Ensuring your website complies with cookie regulations involves both technical and administrative measures. Here are key steps UK businesses should take:

  1. Audit your website: Identify all cookies used, their purpose, and duration;
  2. Classify cookies: Group into essential and non-essential categories;
  3. Implement a cookie banner: Use consent management platforms if needed to provide clear options;
  4. Develop a comprehensive cookie policy: Ensure it is accessible and easy to understand;
  5. Keep records of consent: Log user choices and enable easy withdrawal;
  6. Regularly review: Update your cookie audit, policy, and banner as your website or laws change.
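The steps above (gate non-essential cookies until a choice is made, keep it granular with nothing pre-ticked, record the choice, and allow withdrawal) can be expressed in a few dozen lines of browser-side logic. The following consent manager is an added example written for this article, not code from any consent management platform: the consent cookie name `cookie_consent`, its six-month lifetime, the category names, and the sample cookie values are all assumptions made here. The cookie jar is injected so the same logic runs in a browser (wrapping `document.cookie`) or in Node.

```javascript
// Added example: a minimal consent manager that keeps non-essential cookies from
// being set until the visitor makes an explicit, granular choice, records that
// choice with a timestamp, and removes the cookies again on withdrawal.

const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];
const CONSENT_COOKIE = "cookie_consent";        // assumed name for the consent record
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60;     // assumed lifetime in seconds (about six months)

class ConsentManager {
  constructor(jar, now = () => new Date()) {
    this.jar = jar;       // { get(name), set(name, value, opts), remove(name) }
    this.now = now;       // injectable clock so records are reproducible in tests
    this.registry = [];   // cookies the site would like to set, tagged by category
    this.record = this.load();
  }

  // Restore a previously recorded choice; anything unreadable counts as "no choice yet".
  load() {
    const raw = this.jar.get(CONSENT_COOKIE);
    if (!raw) return null;
    try {
      const parsed = JSON.parse(raw);
      return parsed && parsed.choices ? parsed : null;
    } catch (e) {
      return null;
    }
  }

  // Declare a cookie the site uses. Nothing is set here; apply() decides later.
  register(name, category, value, opts = {}) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    this.registry.push({ name, category, value, opts });
  }

  // Strictly necessary cookies never need consent; everything else needs a recorded "true".
  allowed(category) {
    if (category === "necessary") return true;
    return Boolean(this.record && this.record.choices[category] === true);
  }

  // Show the banner only while no choice is recorded (a "reject all" is still a choice).
  needsBanner() {
    return this.record === null;
  }

  // Record an explicit choice. Categories the visitor did not tick default to false,
  // so there is no pre-ticked or implied consent.
  save(choices) {
    const normalised = {};
    for (const c of CATEGORIES) {
      if (c !== "necessary") normalised[c] = choices[c] === true;
    }
    this.record = { version: 1, timestamp: this.now().toISOString(), choices: normalised };
    this.jar.set(CONSENT_COOKIE, JSON.stringify(this.record),
      { maxAge: CONSENT_MAX_AGE, sameSite: "Lax", secure: true, path: "/" });
    this.apply();
    return this.record;
  }

  acceptAll() {
    const all = {};
    for (const c of CATEGORIES) all[c] = true;
    return this.save(all);
  }

  rejectAll() {
    return this.save({});
  }

  // Withdrawal deletes the record and every registered non-essential cookie.
  withdraw() {
    this.record = null;
    this.jar.remove(CONSENT_COOKIE);
    this.apply();
  }

  // Set registered cookies whose category is allowed; remove the rest.
  apply() {
    for (const entry of this.registry) {
      if (this.allowed(entry.category)) this.jar.set(entry.name, entry.value, entry.opts);
      else this.jar.remove(entry.name);
    }
  }
}

// In-memory jar for Node and tests; a browser build would wrap document.cookie instead.
function memoryJar() {
  const store = new Map();
  return {
    get: (name) => (store.has(name) ? store.get(name) : null),
    set: (name, value) => { store.set(name, value); },
    remove: (name) => { store.delete(name); },
    names: () => [...store.keys()].sort(),
  };
}

// One visitor session with constructed sample cookies: nothing non-essential before
// a choice, only the consented category afterwards, and a clean slate on withdrawal.
function demoSession() {
  const jar = memoryJar();
  const cm = new ConsentManager(jar, () => new Date("2024-06-01T09:00:00Z"));
  cm.register("session_id", "necessary", "s1");
  cm.register("_ga", "statistics", "GA1.1.example");
  cm.register("ad_id", "marketing", "m1");
  cm.apply();
  const beforeChoice = jar.names();        // ["session_id"]
  cm.save({ statistics: true });           // marketing left unticked, so it stays off
  const afterChoice = jar.names();         // ["_ga", "cookie_consent", "session_id"]
  cm.withdraw();
  const afterWithdraw = jar.names();       // ["session_id"]
  return { beforeChoice, afterChoice, afterWithdraw, banner: cm.needsBanner() };
}
```

In a real deployment the `register` calls replace the direct `<script>` tags of analytics and advertising vendors, so their code only loads after `allowed()` returns true; the stored record (timestamp plus per-category choices) is what you would export when asked to evidence consent, and the `withdraw` path is what the "manage preferences" link in the footer should call.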

These steps help reduce the risk of enforcement action by the Information Commissioner’s Office (ICO) and demonstrate respect for user privacy.

When to Seek Professional Advice

Cookie compliance can be complex, especially if your website uses sophisticated tracking technologies or processes personal data extensively. If you are unsure about how to implement consent mechanisms or draft your cookie policy, it is advisable to consult a legal professional specialising in data protection and digital law.

Legal advice will help tailor your approach to your specific business needs, ensuring you meet all UK legal obligations under PECR and UK GDPR.

Quick Summary:
  • UK PECR and UK GDPR require clear, specific, and informed consent before non-essential cookies are set.
  • Your cookie banner must allow users to accept or reject cookies and manage preferences easily.
  • A detailed cookie policy explaining cookie types, purposes, and management options is mandatory.
  • Keep records of consent and regularly review your cookie practices.
  • Seek professional legal advice for complex situations or if you use advanced tracking technologies.

Do I need a cookie banner if my website only uses essential cookies?

No, under UK law, strictly necessary cookies that enable basic website functions do not require consent. However, you should still inform users about these cookies in your cookie policy to maintain transparency.

Can I rely on implied consent through continued website use?

No, implied consent is not valid under PECR and UK GDPR. Consent must be actively given through a clear action, such as clicking an ‘Accept’ button on a cookie banner.

How often should I update my cookie policy?

You should review and update your cookie policy whenever you add new cookies or change how you use them. It is also good practice to review it at least annually to stay compliant with evolving legislation and guidance.
