UK-based business owners, website developers, marketers, and compliance officers operating sites with cookies, analytics, or tracking technologies.
Learn the precise PECR/UK GDPR requirements, compliant banner design, privacy notice essentials, ICO enforcement trends, and a step-by-step audit process to avoid massive fines and ensure ongoing compliance.
Key Takeaways
- UK cookie consent governed by PECR (non-essential cookies need consent) and UK GDPR (valid consent standards).
- Strictly necessary cookies exempt; analytics, marketing require granular opt-in.
- Banners must offer equal accept/reject prominence, layered info, accessibility.
- Privacy notices must detail processing, rights, retention under UK GDPR Articles 13/14.
- ICO enforcement ramped up: fines to £17.5M/4% turnover; audit and CMP essential.

If your business has a website, you need to get cookie consent right. The rules in the UK combine two overlapping regulations, PECR and UK GDPR, and the penalties for getting them wrong just got significantly steeper. As of February 2026, UK cookie consent requirements carry the same maximum fines as a data breach: up to £17.5 million or 4% of global turnover.
This guide explains what the law requires, how to build a compliant cookie banner, and what the ICO is actually enforcing right now.
What are the UK cookie consent rules?
Cookie consent in the UK is governed by two regulations working together: the Privacy and Electronic Communications Regulations 2003 (PECR) and the UK General Data Protection Regulation (UK GDPR).
PECR sets the baseline rule. You must get consent before placing or reading any non-essential cookie on a user's device. This covers traditional cookies, tracking pixels, local storage, and any similar technology. The only exception is for cookies that are strictly necessary to provide a service the user has requested, such as keeping items in a shopping basket or maintaining a secure login session.
UK GDPR then defines what valid consent looks like. It must be informed, specific, and freely given. Pre-ticked boxes don't count. Continuing to browse doesn't count. The user must take a clear, affirmative action to agree.
Please note: The Data (Use and Access) Act 2025 introduced narrow new exceptions for low-risk cookies used for statistical purposes or to adapt a website's appearance. The ICO published draft guidance on these exceptions in July 2025. For most business websites, the core consent requirement still applies.
With those foundations in place, the practical question becomes: what does compliant consent actually look like?
What does valid cookie consent require?
Valid cookie consent under UK law must meet four conditions: it must be informed, specific, freely given, and demonstrated through a clear affirmative action.
You need to tell users what cookies you use and why before they agree. Consent must be granular. A single "accept all" with no alternative is not enough. Users need the ability to accept or reject different categories independently: analytics, marketing, functional, and so on.
Strictly necessary cookies are exempt from consent. Everything else, including analytics and advertising cookies, requires an active opt-in. You also need to make it as easy to withdraw consent as it was to give it. In our experience, a preference centre that users can return to at any time is the standard approach.
How should you design a compliant cookie banner?
A compliant cookie banner gives users a genuine choice without nudging them towards acceptance. The ICO has been clear: accept and reject options must be equally prominent.
That means no dark patterns. The "reject" or "manage preferences" button cannot be smaller, less visible, or buried behind an extra click. Both options should appear on the first layer of the banner with equal visual weight.
The ICO recommends a layered approach:
- Layer one (the banner): A brief explanation of what cookies are used for, with clear accept and reject buttons
- Layer two (preference centre): Granular controls for each cookie category, with descriptions of what each category does
- Layer three (full cookie policy): Detailed information about every cookie, its purpose, duration, and provider
Mobile and accessibility matter too. Banners should be usable on smaller screens, navigable by keyboard, and compatible with screen readers.
Consent design is one side of the equation. The other is your privacy notice, which has its own requirements under UK GDPR.
What must a UK privacy notice include?
A privacy notice is a public-facing document that explains how your organisation collects, uses, and protects personal data. Under Articles 13 and 14 of UK GDPR, it must include specific information.
At minimum, your notice needs to cover the following:
- Your identity and contact details (and your Data Protection Officer's, if applicable)
- The purposes of processing and the legal basis for each
- Who receives the data (categories of recipients)
- Whether data is transferred outside the UK, and what safeguards apply
- Retention periods
- The individual's rights: access, rectification, erasure, restriction, portability, and objection
- The right to withdraw consent at any time
- The right to complain to the ICO
Plain language is a legal requirement: the ICO expects privacy notices to be genuinely understandable. A layered approach works well here too: a short summary at the top, with detailed sections below.
Author's tip: Review your privacy notice at least once a year, or whenever you add a new tool, analytics platform, or marketing integration. We tend to see that outdated notices are one of the most common compliance gaps the ICO flags.
Your privacy notice and cookie consent work together. However, in our experience, specific cookie categories, particularly analytics and marketing, raise their own issues.
Do analytics and marketing cookies need consent?
Google Analytics cookies are not exempt from PECR consent requirements. As of March 2026, the ICO's position is clear: analytics cookies require opt-in consent before they fire.
This catches many businesses off guard. Google Analytics 4 deploys cookies by default, and without a properly configured consent management platform, those cookies may load before the user has made a choice, putting you in breach of PECR.
The DUA Act 2025 introduced a narrow exception for cookies used for "statistical purposes," but the ICO's draft guidance suggests this applies only where data is aggregated, not linked to individuals, and used solely by the website operator. Whether standard Google Analytics configurations meet that threshold remains uncertain.
Marketing and remarketing cookies, such as Meta Pixel, are further from any exception. These involve cross-site tracking and behavioural profiling, both of which the ICO considers high-risk. Consent is required, full stop.
Server-side tracking doesn't change the analysis. If the technology stores or accesses information on the user's device, PECR applies regardless of where the processing happens afterwards.
Need help reviewing your website's data protection setup?
If your cookie banner, privacy notice, or data processing agreements need attention, Open Forest can help you get compliant without the legal jargon.
Now that we have outlined the consent obligations, the question is what happens if you get it wrong.
What is the ICO doing about cookie enforcement?
The ICO has moved from guidance to active enforcement on cookie compliance. The ICO has reported significant improvements in compliance among major UK websites following enforcement activity.
The financial stakes have changed substantially. Before the DUA Act 2025, the maximum PECR fine was £500,000. As of February 2026, PECR penalties align with UK GDPR levels: up to £17.5 million or 4% of global turnover, whichever is higher. Cookie compliance now carries the same financial risk as a data breach.
The ICO has also expanded who it can target. Under the new rules, "instigators" (the companies whose tracking technology is placed on a website, such as ad tech providers) are now directly responsible for consent, not just the website operator.
The ICO shifted toward fewer but significantly larger fines in 2025, with average penalty sizes increasing sharply.
How do you get your cookie setup compliant?
Getting cookie consent right is a process, not a one-off task. Start with an audit of what's currently on your website.
- Audit your cookies. Use your browser's developer tools or a scanning tool to identify every cookie and tracker on your site. Categorise them: strictly necessary, analytics, marketing, functional.
- Choose a consent management platform (CMP). A CMP handles the banner, preference centre, consent storage, and ensures that non-essential cookies don't fire until the user opts in. Look for one that integrates with your analytics and advertising tools.
- Implement consent before cookies fire. This is the most common failure point. Your CMP must block non-essential scripts by default, only releasing them once valid consent is recorded. Test this thoroughly.
- Update your privacy notice and cookie policy. Make sure both reflect your current cookie usage, categories, and retention periods.
- Set a review schedule. Re-audit every quarter, or whenever you add a new tool or marketing integration. In our experience, new cookies appear more often than most businesses realise.
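As an added illustration of the "implement consent before cookies fire" step (this is example code, not the article's own and not any CMP vendor's), the gate below keeps every non-essential script blocked until a granular, recorded opt-in exists for its category, makes withdrawal a single call, and ignores consent recorded before the last audit. The category names, storage key, consent version and the `type="text/plain"` script-tag convention are assumptions.

```javascript
// Added example (not the article's or any CMP vendor's code): a minimal consent gate that keeps
// non-essential scripts blocked until the user has opted in to their category.
// Category names, storage key and consent version are assumptions; the Map stands in for
// localStorage so the logic also runs under Node.
const CATEGORIES = ["necessary", "analytics", "marketing", "functional"];
const CONSENT_KEY = "cookie_consent";
const CONSENT_VERSION = 2; // bump when you add a tool or category: older consent is then ignored
const store = new Map(); // browser: replace with window.localStorage (getItem/setItem/removeItem)

// No record means no consent: everything non-essential is off by default (PECR opt-in).
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false, functional: false };
}
// Stored record, or null if absent, malformed, or given under an older consent version.
function readConsent() {
  const raw = store.get(CONSENT_KEY);
  if (!raw) return null;
  try { const rec = JSON.parse(raw); return rec && rec.v === CONSENT_VERSION ? rec : null; }
  catch (e) { return null; }
}
// Record a granular choice: only ticked categories become true, "necessary" cannot be
// switched off, and the timestamp is your evidence that consent was given.
function recordConsent(choices) {
  const rec = Object.assign(defaultConsent(), choices,
    { necessary: true, v: CONSENT_VERSION, ts: new Date().toISOString() });
  store.set(CONSENT_KEY, JSON.stringify(rec));
  return rec;
}
// Withdrawal is one call, as easy as giving consent.
function withdrawConsent() { store.delete(CONSENT_KEY); return defaultConsent(); }
// May a script tagged with `category` run now? Unknown tags fail closed.
function mayLoad(category, consent = readConsent()) {
  if (category === "necessary") return true;
  if (!CATEGORIES.includes(category)) return false;
  return Boolean(consent && consent[category] === true);
}
// Browser binding: ship blocked scripts as
// <script type="text/plain" data-consent="analytics" data-src="https://example.invalid/ga.js"></script>
// and call releaseScripts() after recordConsent(); only consented categories become real scripts.
function releaseScripts(doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return 0;
  let released = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!mayLoad(el.dataset.consent)) continue;
    const s = doc.createElement("script");
    if (el.dataset.src) s.src = el.dataset.src; else s.textContent = el.textContent;
    el.replaceWith(s);
    released += 1;
  }
  return released;
}
```

Testing the gate means loading the page with no stored consent and confirming in the browser's network panel that no analytics or marketing request is made until the relevant category is ticked.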
Where this leaves you
UK cookie consent rules are straightforward in principle: get informed consent before placing non-essential cookies. The detail matters though. The DUA Act 2025 raised the stakes with higher fines and broader enforcement powers, while introducing narrow exceptions that most standard setups won't qualify for.
The practical next step is an audit. We recommend that you know what's on your site, make sure your banner gives a genuine choice, and keep your privacy notice current. If your setup hasn't been reviewed since the February 2026 changes, now is the time.
If you need help getting your website's compliance in order, Open Forest can walk you through it.

Laura Ryan is a practising Barrister at the Bar of Ireland. She graduated from the Honourable Society of King’s Inns in 2024, having previously qualified and practised as a Chartered Accountant in a big four accounting firm.