Guide
Cookie consent: comply with PECR requirements
How to comply with cookie consent rules under the Privacy and Electronic Communications Regulations 2003 (PECR). Covers consent banners, strictly necessary exemptions, analytics cookies, and changes under the Data (Use and Access) Act 2025.
If your website uses cookies or similar tracking technologies, you must comply with the Privacy and Electronic Communications Regulations 2003 (PECR). These rules require you to tell visitors about cookies and get their consent before setting non-essential ones.
The Information Commissioner's Office (ICO) enforces PECR. The Data (Use and Access) Act 2025 raises the maximum PECR penalty to the UK GDPR level: failing to comply can now result in fines of up to 17.5 million pounds or 4% of annual worldwide turnover, whichever is higher.
What counts as a cookie
PECR applies to:
- Cookies (small text files stored on devices)
- Local storage and session storage
- Tracking pixels and web beacons
- Device fingerprinting
- Any technology that stores or accesses information on a user's device
If you're reading or writing data on someone's device, PECR applies.
Which cookies need consent
The key distinction is between cookies that are strictly necessary (exempt from consent) and all others (consent required).
Strictly necessary cookies (no consent required)
You can set these cookies without asking permission, but the exemption is narrow: the cookie must be strictly necessary to provide a service the user has explicitly requested, not merely useful to you. Examples include:
- Session cookies - maintaining login state while browsing
- Shopping basket cookies - remembering items added to cart
- Load balancing cookies - distributing traffic across servers
- Security cookies - fraud prevention, authentication
- Accessibility cookies - remembering user accessibility preferences
- First-party cookies for form submission - preventing data loss if a form fails
Important: You must still tell users about strictly necessary cookies in your cookie policy - you just don't need consent to set them.
Cookies that always require consent
These cookies cannot be set until the user actively agrees:
- Analytics cookies - Google Analytics, Hotjar, Matomo
- Advertising cookies - ad networks, retargeting
- Social media cookies - Facebook pixel, Twitter tracking
- Third-party tracking - any cookies set by external services
- Personalisation cookies - recommendations based on browsing history
- A/B testing cookies - when used to track user behaviour over time
The test is simple: if the cookie is for your benefit (tracking, analytics, advertising) rather than delivering the service the user requested, you need consent.
DUAA 2025 changes to cookie consent
The Data (Use and Access) Act 2025 introduces important changes to cookie consent rules. It adds new exceptions to the consent requirement, including one for cookies used only to collect statistical information about how your service is used, on condition that users are given a clear and simple way to opt out. Some provisions are already in force; others are being brought into effect during 2025-2026.
What to do now
Until the ICO publishes detailed guidance on the new exemptions:
- Continue requiring consent for analytics - the exact scope of the exemption is still being defined
- Prepare opt-out mechanisms - even exempt cookies will require an easy way to refuse
- Audit your cookies - understand exactly what each cookie does
- Monitor ICO updates - implementation guidance expected throughout 2025-2026
Critical: Tracking, profiling, and advertising cookies will never be exempt. You will always need consent for these.
Getting valid consent
Cookie consent must meet the UK GDPR standard. It must be:
- Freely given: users must have a genuine choice. Do not use 'cookie walls' that block access unless all cookies are accepted.
- Specific: be clear about what types of cookies you want to set and why. A single undifferentiated consent to 'all cookies', with no indication of the purposes involved, is not valid.
- Informed: tell users what cookies do, who sets them, and how long they last before asking for consent.
- Unambiguous: require a clear affirmative action, such as clicking 'Accept'. Continuing to browse or scrolling is not valid consent.
What doesn't count as consent
The ICO has been clear that certain practices do not constitute valid consent:
- Pre-ticked boxes - users must actively opt in
- Implied consent from browsing - 'By continuing to use this site you consent' is not valid
- Scrolling or clicking elsewhere - only an explicit 'Accept' counts
- Bundled consent - users must be able to accept some cookies but not others
- Cookie walls - making website access conditional on accepting all cookies
- Hidden reject options - 'Reject' must be as easy to find as 'Accept'
- Dark patterns - design that manipulates users into accepting
Cookie banner requirements
Your cookie banner must be prominent, clear, and give users genuine control.
- Display the banner before setting non-essential cookies: the banner must appear before any analytics, advertising, or tracking cookies are placed. Do not set these cookies and then ask permission. In practice this means the third-party scripts that set them, including tags fired by a tag manager on page load, must not run until consent has been recorded; a script that has already loaded has usually already set its cookies.
- Explain clearly what cookies you use: tell users you want to set cookies, what types, and why. Avoid jargon; use plain English such as 'We use cookies to track how you use our site'.
- Offer equally prominent Accept and Reject options: both buttons should be the same size and visibility. Hiding 'Reject' behind 'Manage settings' while making 'Accept all' prominent is a dark pattern.
- Allow granular choices: let users accept some cookie categories but not others, for example accepting analytics but rejecting advertising.
- Link to your full cookie policy: provide a link where users can read detailed information about each cookie, its purpose, and duration.
- Make it easy to withdraw consent later: provide a way for users to change their cookie preferences at any time, not just when the banner first appears.
Writing your cookie policy
Your cookie policy must include: what cookies you use (by name), their purpose in plain English, whether first or third party, duration, and how to manage or withdraw consent. Review it whenever you add new services.
Penalties for non-compliance
The ICO takes cookie compliance seriously. Enforcement has increased, and penalties are now much higher.
Common enforcement triggers
The ICO investigates when: cookies are set before consent, no genuine reject option, 'Reject' is hidden, cookie walls block content, or third-party tracking lacks disclosure. The ICO often begins with warnings, but businesses that ignore them face significant fines.
Compliance checklist
Use this checklist to ensure your website complies with PECR cookie requirements:
- Audit all cookies on your website: use browser developer tools or a cookie scanning service to identify every cookie set by your site, including third-party cookies. Do this in a fresh private-browsing session before interacting with any banner, and include local storage, session storage and tracking pixels, since PECR covers those too.
- Categorise each cookie: determine whether each cookie is strictly necessary, analytics, advertising, or social media. Document the purpose and duration. A cookie you cannot categorise cannot be justified as strictly necessary.
- Implement a consent mechanism before non-essential cookies: ensure your consent management platform blocks analytics and advertising cookies until users actively consent. Treat a missing, expired or unreadable consent record as 'no consent'.
- Provide equal Accept and Reject options: review your banner design. Both options should be equally prominent, with no dark patterns.
- Enable granular consent: allow users to accept some categories while rejecting others, rather than forcing an all-or-nothing choice.
- Create a detailed cookie policy: list all cookies with their names, purposes, who sets them, and how long they last.
- Provide ongoing consent management: include a link in your footer or settings where users can change their cookie preferences at any time.
- Test your implementation: check that non-essential cookies are truly blocked until consent is given. In a clean session, inspect the stored cookies and the network requests before interacting with the banner and again after clicking 'Reject'; any analytics or advertising cookie, or any request to an analytics or advertising endpoint, at either point is a failure. Repeat the test after every change to your tag configuration.
- Review when adding new services: each time you add analytics, advertising, or embedded content, update your cookie policy and consent mechanism.
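The consent gate, the cookie register from the audit step, and the pre-consent check from the testing step, as one added example that is not part of the original guide or any ICO material. It assumes a consent cookie named `cookie_consent`, three categories (`analytics`, `advertising`, `social`), a `v1|...` encoding for the stored decision, and a hypothetical register of cookie names; none of these come from PECR or ICO guidance. The design choice that matters is default deny: no decision, an unreadable decision, or a decision that does not mention a category all count as refusal.

```javascript
// Added example (not from the original guide or the ICO): a minimal consent
// gate plus the pre-consent audit check from the checklist. The cookie name,
// categories, encoding and the cookie register are assumptions for this
// example, not values taken from PECR or ICO guidance.

const CONSENT_COOKIE = 'cookie_consent';
const CATEGORIES = ['analytics', 'advertising', 'social'];

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return jar;
}

// Build the Set-Cookie value that records the user's choices. Every category
// is written as 0 or 1, so "Reject all" is stored as an explicit decision
// rather than as the absence of one.
function consentCookieValue(choices, maxAgeSeconds = 180 * 24 * 3600) {
  const fields = CATEGORIES.map((c) => `${c}=${choices[c] === true ? 1 : 0}`);
  const value = encodeURIComponent(`v1|${fields.join('|')}`);
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// Read the stored decision back. Returns null when there is no valid decision,
// which the gate below treats as "no consent" (default deny).
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  const parts = raw.split('|');
  if (parts[0] !== 'v1') return null;
  const choices = {};
  for (const field of parts.slice(1)) {
    const [name, flag] = field.split('=');
    if (CATEGORIES.includes(name)) choices[name] = flag === '1';
  }
  return CATEGORIES.every((c) => c in choices) ? choices : null;
}

function isAllowed(cookieString, category) {
  const consent = readConsent(cookieString);
  return consent !== null && consent[category] === true;
}

// Gate a third-party tag behind consent. `loadTag` is whatever injects the
// script (for example, appending a <script> element to the page); it is only
// called when the category has been accepted. Returns whether it was loaded.
function loadIfConsented(cookieString, category, loadTag) {
  if (!isAllowed(cookieString, category)) return false;
  loadTag();
  return true;
}

// The cookie register produced by the audit step: every cookie the site sets,
// with its category. Names are constructed for the example.
const COOKIE_REGISTRY = {
  session_id: { category: 'necessary' },
  csrf_token: { category: 'necessary' },
  basket: { category: 'necessary' },
  [CONSENT_COOKIE]: { category: 'necessary' },
  _ga: { category: 'analytics' },
  _gid: { category: 'analytics' },
  _fbp: { category: 'advertising' },
};

// Verification step: given the cookies actually present in a browser session,
// list those that should not be there under the recorded consent. Cookies
// missing from the register are reported too, because an unclassified cookie
// cannot be justified as strictly necessary.
function findUnauthorisedCookies(cookieString) {
  const consent = readConsent(cookieString) || {};
  const violations = [];
  for (const name of Object.keys(parseCookies(cookieString))) {
    const entry = COOKIE_REGISTRY[name];
    if (!entry) {
      violations.push({ name, reason: 'not in cookie register' });
    } else if (entry.category !== 'necessary' && consent[entry.category] !== true) {
      violations.push({ name, reason: `set without consent for ${entry.category}` });
    }
  }
  return violations;
}
```

In a browser, pass `document.cookie` to these functions: call `findUnauthorisedCookies(document.cookie)` from the console in a fresh private window before touching the banner and again after clicking 'Reject'; anything it returns is a finding. Note that `document.cookie` only shows cookies for the current site, so cookies set directly by third-party domains (and requests to analytics or advertising endpoints) still have to be checked in the developer tools' Application and Network panels.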
Next steps
After ensuring cookie compliance: register with the ICO if needed, review your privacy notice to cover cookie data, consider PECR rules if you send electronic marketing, and monitor ICO guidance for DUAA 2025 updates.