Almost every website sets cookies, and almost every one now greets visitors with a consent banner. But many of those banners get the law wrong. In the UK, cookies are governed mainly by the Privacy and Electronic Communications Regulations (PECR), working alongside the UK GDPR. This guide explains, in plain English, what PECR requires, which cookies need consent, and how to build a banner that actually complies.

This is general information, not legal advice. For your own site, check the ICO's guidance or take professional advice.

PECR and the UK GDPR: how they fit together

People often blur these two, so it helps to separate them.

  • PECR sets specific rules for electronic communications — including marketing emails and texts, and the use of cookies and similar technologies that store or access information on a user's device.
  • The UK GDPR sets the broader rules for processing personal data.

For cookies, the order is: PECR comes first and decides whether you may set the cookie at all. If that cookie then involves personal data, the UK GDPR also applies to how you handle it. Importantly, PECR borrows the UK GDPR's high standard of consent — so when PECR says you need consent for a cookie, it means the same robust, opt-in consent the UK GDPR requires. Marketers will recognise this overlap from our guide to UK GDPR for marketers.

One line to remember: PECR decides whether you can set a cookie; the UK GDPR governs what you do with any personal data it collects.

Which cookies need consent

Not every cookie is treated the same. PECR draws a line between cookies that are essential and those that are not.

Strictly necessary cookies do not require consent. These are cookies genuinely required to provide a service the user has actively asked for — for example, remembering items in a shopping basket, keeping a user logged in during checkout, or balancing load so the site works. The test is narrow: the cookie must be essential to deliver something the user requested, not merely useful to you.

Non-essential cookies generally do require consent before they are set. This category is broad and includes:

  • Analytics cookies that measure how people use your site.
  • Advertising and retargeting cookies.
  • Social media and embedded-content cookies that track users.
  • Many personalisation cookies that are not essential to the core service.

A common mistake is assuming analytics is exempt. In most cases it is not strictly necessary, so it needs consent before loading.

Cookie type                                    Consent needed?
Strictly necessary (login, basket, security)   No
Analytics / measurement                        Yes
Advertising / retargeting                      Yes
Third-party embeds that track                  Yes

Building a banner that complies

The ICO has been clear that many cookie banners fall short. To comply, a banner should:

  1. Block non-essential cookies until consent is given. Do not set analytics or advertising cookies on page load and ask afterwards.
  2. Make refusing as easy as accepting. If there is an "Accept all" button, there should be an equally prominent "Reject all". Burying refusal two clicks deep does not pass.
  3. Avoid pre-ticked boxes and implied consent. "By continuing to browse you accept cookies" is not valid consent.
  4. Be specific and informed. Tell users what categories of cookies you use and why, usually with a link to a fuller cookie policy.
  5. Let users change their mind. Provide a way to withdraw or adjust consent later, as easily as they gave it.
  6. Record consent. Keep evidence of what each user agreed to.

The principle behind all of this is genuine choice. A banner designed to nudge everyone into clicking "accept" by making refusal awkward is the kind of "dark pattern" regulators have warned against.
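As an added example (not code from this article or from any consent vendor), here is the six-point checklist above as a small JavaScript consent gate: non-essential tags queue until their category is allowed, "reject all" and "withdraw" are each one call on the same footing as "accept all", every decision is stored with a timestamp, and a stored decision made under an older policy version no longer counts as consent (that last rule extends the page's "re-check after changes" advice). The storage object, script loader, clock and policyVersion value are assumptions the caller injects; in a browser you would pass window.localStorage and a loader that appends a script element.

```javascript
// Added example, not the article's or any vendor's code: a consent gate implementing the
// six requirements above. Storage and script loading are injected so the logic runs in
// Node for testing or in a browser (pass window.localStorage and a <script> appender).
const NON_ESSENTIAL = ["analytics", "advertising", "social"]; // "necessary" is exempt

function createConsentManager({ storage, loadScript, now = () => Date.now(), policyVersion = "1" }) {
  const KEY = "cookie_consent"; // hypothetical storage key
  const pending = []; // tags registered before the user has made a decision
  // The stored decision, or null if none exists or it predates the current policy version.
  function record() {
    const raw = storage.getItem(KEY);
    if (!raw) return null;
    const r = JSON.parse(raw);
    return r.policyVersion === policyVersion ? r : null;
  }
  function allowed(category) {
    if (category === "necessary") return true; // strictly necessary: no consent needed under PECR
    const r = record();
    return Boolean(r && r.granted[category]);
  }
  // Requirement 1: a tag never fires on page load; it waits until its category is allowed.
  function registerTag(category, src) {
    if (allowed(category)) loadScript(src);
    else pending.push({ category, src });
  }
  function flush() {
    for (let i = pending.length - 1; i >= 0; i--) {
      if (allowed(pending[i].category)) loadScript(pending.splice(i, 1)[0].src);
    }
  }
  // Requirement 6: record what was agreed, when, and under which policy version.
  function decide(granted) {
    const r = { policyVersion, timestamp: new Date(now()).toISOString(), granted: {} };
    for (const c of NON_ESSENTIAL) r.granted[c] = granted[c] === true; // nothing pre-ticked
    storage.setItem(KEY, JSON.stringify(r));
    flush();
    return r;
  }
  return {
    acceptAll: () => decide(Object.fromEntries(NON_ESSENTIAL.map((c) => [c, true]))),
    rejectAll: () => decide({}), // requirement 2: one click, same footing as acceptAll
    save: (choices) => decide(choices), // granular choices from a preferences panel
    withdraw: () => decide({}), // requirement 5: recorded now; already-loaded tags stop on the next page view
    needsBanner: () => record() === null, // requirement 3: silence or old consent is not consent
    registerTag,
    allowed,
    record,
  };
}
```

Wire the banner's "Accept all" and "Reject all" buttons to acceptAll() and rejectAll(), and show the banner whenever needsBanner() is true.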

Practical steps to get it right

Building compliant cookie handling is mostly methodical work:

  • Audit your cookies. List every cookie and tracker your site sets — including ones added by third-party scripts, which are easy to overlook.
  • Classify them. Mark each as strictly necessary or not.
  • Use a consent tool that genuinely prevents non-essential cookies from firing before consent, rather than one that just shows a banner.
  • Write a clear cookie policy explaining each category in plain language.
  • Re-check after changes. New marketing tags, embeds or plugins can quietly add trackers.

Getting this balance right — respecting privacy without crippling your analytics — is a recurring challenge for marketing and web teams. London consultancy CM Beyer, for instance, offers a plain-English walkthrough of PECR and cookie consent for UK businesses, which underlines a point worth keeping front of mind: compliance and good user experience usually pull in the same direction, because both reward clarity and honesty. If your site also touches the wider rulebook, see our overview of the UK Online Safety Act.

Why it is worth doing properly

Beyond avoiding regulatory attention, there are practical reasons to take cookie consent seriously. A respectful, transparent approach builds trust with visitors — and trust is increasingly a competitive asset. There is also a data-quality angle: clear consent gives you cleaner, more defensible analytics, which matters if you rely on those numbers for marketing attribution and decisions.

The bottom line

Cookie consent in the UK is governed by PECR, working alongside the UK GDPR. The rule of thumb is simple: cookies that are strictly necessary to deliver what the user asked for need no consent, while analytics, advertising and other non-essential cookies generally do — and that consent must be a clear, freely given opt-in, with refusal as easy as acceptance. Audit your cookies, classify them honestly, use a tool that actually blocks trackers until consent, and explain it all plainly. When in doubt, the ICO's guidance is the authoritative source.