When using cookies and similar technologies, businesses and website operators in the UK must comply with three key laws:
  • The Data Protection Act 2018 (DPA 2018).
  • The UK General Data Protection Regulation (UK GDPR).
  • The Privacy and Electronic Communications Regulations (PECR).

The Information Commissioner’s Office (ICO) enforces all three, and each plays a distinct role in regulating how organizations handle personal data and storage and access technologies such as cookies.

How the DPA 2018, UK GDPR and PECR interrelate

With multiple laws in place, the rules for setting cookies in the UK can be complex. Here’s a high-level breakdown:
  • DPA 2018 establishes the UK’s overarching data protection framework, supplementing UK GDPR with additional provisions, but is the least relevant of the three to cookie compliance.
  • PECR governs “storage and access technologies” such as cookies, pixels, device fingerprinting, and scripts/tags, and determines when consent is required.
  • UK GDPR regulates how personal data collected via cookies and similar technologies is processed.

PECR applies first: it determines whether consent is needed for setting cookies, regardless of whether personal data is involved. Even if no personal data is processed, PECR still applies (e.g., to cookies used solely for analytics or tracking).
UK GDPR becomes relevant only when the collected data can identify an individual (such as IP addresses or behavioral data); it ensures that such personal data is processed lawfully.

Brief overview of the Data Protection Act 2018 (DPA 2018)

The Data Protection Act 2018 implements the UK’s overarching data protection framework and complements UK GDPR by providing additional rules and exemptions, particularly for:
  • Law enforcement and intelligence services.
  • UK-specific data protection provisions.
  • Special exemptions for research, journalism, and national security.

Privacy and Electronic Communications Regulations (PECR)

PECR is the UK’s implementation of the EU’s ePrivacy Directive, governing electronic communications, marketing, and the use of cookies and similar tracking technologies. It complements UK GDPR by specifically regulating online tracking and consent mechanisms.

The primary focus of PECR is to ensure that individuals’ privacy is respected when businesses store or access information on their devices.

What does the PECR cover?

PECR applies to a range of electronic communication activities, including cookies and tracking technologies, electronic marketing, and traffic and location data.
Among these areas, cookies and tracking technologies are especially relevant to website operators and digital marketers, as PECR sets the rules on when and how cookies, pixels, device fingerprinting, scripts, or tags can be used.

Who does the PECR apply to?

PECR applies to:
  • Any UK-based organization or business using cookies, sending direct marketing communications, or offering electronic communication services.
  • Organizations outside the UK that target UK residents through cookies or electronic marketing.
  • Telecom and internet service providers who must comply with security and data handling rules.

Rules for cookies and consent under the PECR

Under PECR, businesses must obtain user consent before setting cookies, except those strictly necessary for the basic operation of a website. Consent is required for every cookie unless it is:
  • Strictly necessary for the website to function (e.g., session cookies for shopping carts).
  • Used solely for communication transmission (e.g., load balancing cookies).
PECR aligns with UK GDPR standards, meaning cookie consent must be:
  • Freely given: Users must have a genuine choice.
  • Specific and informed: Users must understand what they are consenting to.
  • Unambiguous: Consent must be an active, affirmative action (e.g., ticking a box or clicking “Accept”).
  • Easy to withdraw: Users must be able to change their preferences easily.

Pre-ticked checkboxes or implied consent (e.g., “By using this site, you agree…”) are not valid.

Comply with the PECR today

Collect valid user consent to cookies and similar technologies with Cookie Information’s cookie banner.

UK General Data Protection Regulation (UK GDPR)

The UK GDPR is the UK’s data privacy law that governs how organizations collect, process, and store personal data. It was introduced after the UK left the European Union and is based on the EU GDPR, with some modifications.
The regulation is designed to protect individuals’ rights by ensuring that organizations handle personal data lawfully, transparently, and securely.

What does the UK GDPR cover?

The UK GDPR applies to the processing of personal data – which means any activity involving the collection, storage, use, sharing, or deletion of personal data. Personal data includes any information that can identify an individual, such as:
  • Names.
  • Addresses.
  • Phone numbers.
  • IP addresses.
  • Online identifiers and location data.
The regulation also distinguishes special category data, which includes sensitive personal information like health records, racial or ethnic origin, political opinions, and biometric data used for identification. Special category data requires stricter protections.

Who does the UK GDPR apply to?

The UK GDPR applies to:
  • Organizations based in the UK that process personal data.
  • Organizations outside the UK that offer goods or services to UK residents or monitor their behavior (e.g., tracking website visitors in the UK).
  • Data controllers and data processors:
    • A controller decides how and why personal data is processed.
    • A processor handles data on behalf of the controller.
    • Both have legal responsibilities under the UK GDPR.
Some organizations may need to appoint a UK representative if they are based outside the UK but process UK residents’ personal data. This is so the ICO can have a point of contact with your company for data protection issues.

Rules for consent and processing personal data under the UK GDPR

Under the UK GDPR, organizations must obtain explicit consent from individuals before processing their personal data, unless there is another lawful basis. When relying on consent, it must be:
  • Freely given: No pressure or pre-ticked boxes.
  • Specific: Clearly state what the data will be used for.
  • Informed: Provide full details about the processing.
  • Unambiguous: Use clear, affirmative action (e.g., ticking a box).
  • Easy to withdraw: Individuals must be able to withdraw consent at any time.

For sensitive personal data, explicit consent is required, and blanket consent that does not specify the purpose of processing is not acceptable.

Individuals have the right to withdraw consent at any time, and withdrawing consent should be as easy as giving it. Organizations must inform individuals of the right to withdraw before consent is given.

Enforcement and penalties

The Information Commissioner’s Office (ICO) actively enforces compliance with PECR and the UK GDPR. Organizations failing to adhere to these regulations may face various enforcement actions, including warnings, reprimands, enforcement notices, and monetary penalties.
For serious infringements, fines can reach up to £17.5 million or 4% of the annual worldwide turnover, whichever is higher.
The ICO’s proactive approach underscores the necessity for organizations to regularly review and update their data protection practices, ensuring compliance with evolving regulations and safeguarding user privacy.

ICO's 2025 crackdown on cookie compliance

In January 2025, the UK’s Information Commissioner’s Office (ICO) conducted a review of the top 200 UK websites. They found that 134 failed to meet cookie compliance standards, with some breaching key data protection laws.

This initiative is part of the ICO’s broader strategy to ensure the UK’s top 1,000 websites adhere to compliant cookie practices, respecting users’ rights. The ICO identified several common violations during this review:

  • Lack of clear consent: Many websites did not provide users with straightforward options to understand and manage their consent preferences, often using vague or hidden consent banners.
  • Pre-ticked consent boxes: Some sites assumed user consent by employing pre-ticked boxes or default settings, without offering easy opt-out mechanisms.
  • Non-compliant cookie banners: Numerous websites featured cookie notices lacking essential information about the types and purposes of cookies used, or failed to offer genuine choices for users to refuse cookies.
  • Insufficient granularity in cookie preferences: Users were often unable to select specific categories of cookies (e.g., marketing, analytics, functional), facing an all-or-nothing choice instead.
  • Difficulty in withdrawing consent: Some websites did not provide clear or accessible methods for users to withdraw their consent after it was initially given.

How to comply with the UK cookie guidelines in practice

The Information Commissioner’s Office (ICO) provides detailed guidance on effectively managing consent for the use of storage and access technologies, such as cookies, under the Privacy and Electronic Communications Regulations (PECR) and the UK General Data Protection Regulation (UK GDPR).

How to request consent

The approach to requesting consent should be tailored based on the technology’s function and the organization’s relationship with its users. Essential principles include:
  • Clear and comprehensive information: Users must be fully informed about the technologies in use, their purposes, and any third parties involved.
  • Granular consent options: Provide users with specific choices for each purpose, allowing them to consent to some technologies while declining others.
  • User-friendly mechanisms: Employ methods such as banners, pop-ups, or message boxes that are noticeable yet not overly disruptive to the user experience.

Managing consent mechanisms

Organizations should ensure that consent mechanisms:
  • Respect user choices: Implement systems that accurately record and enforce user preferences.
  • Allow easy withdrawal: Users must be able to withdraw consent as effortlessly as they granted it.
  • Maintain records: Keep detailed logs of user consents, including what information was provided and how consent was obtained.

By adhering to these guidelines, organizations can ensure compliance with PECR and UK GDPR, fostering trust and transparency with their users.
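The consent-mechanism rules above (nothing but strictly necessary storage before an affirmative choice, granular per-category choices, withdrawal as easy as granting, and a record of what the user was shown and chose) can be enforced in code. The following is an added, hypothetical example, not Cookie Information’s CMP code; it assumes the four category names shown and uses a Map as a constructed stand-in for the browser cookie jar so it runs outside a browser.

```javascript
// Hypothetical consent gate (not Cookie Information's CMP code) enforcing the
// rules above: only strictly-necessary storage before an affirmative choice,
// per-category choices, withdrawal in one step, and a record of each decision.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

class ConsentManager {
  // `store` is a Map-like cookie jar (constructed stand-in for document.cookie);
  // `now` is injectable so records are reproducible in tests.
  constructor(store, now = () => new Date().toISOString()) {
    this.store = store;
    this.now = now;
    this.choices = null; // null = no decision yet; there are no pre-ticked defaults
    this.log = [];       // consent record: notice shown, action, choices, timestamp
  }
  // Record an explicit decision. `granted` lists the non-essential categories
  // the user opted into; `noticeVersion` identifies the banner text they saw.
  record(granted, noticeVersion, action) {
    const bad = granted.filter((c) => !CATEGORIES.includes(c));
    if (bad.length) throw new Error('unknown category: ' + bad.join(','));
    this.choices = Object.fromEntries(
      CATEGORIES.map((c) => [c, c === 'necessary' || granted.includes(c)]),
    );
    this.log.push({ at: this.now(), action, noticeVersion, choices: { ...this.choices } });
    this.enforce();
  }
  accept(granted, noticeVersion) { this.record(granted, noticeVersion, 'accept'); }
  rejectAll(noticeVersion) { this.record([], noticeVersion, 'reject'); }
  // Withdrawal is a single call, as easy as granting, and purges what was set.
  withdraw(noticeVersion) { this.record([], noticeVersion, 'withdraw'); }
  // Absence of a decision means no consent; only 'necessary' is exempt.
  allowed(category) {
    if (category === 'necessary') return true;
    return this.choices !== null && this.choices[category] === true;
  }
  // Every write must declare a category; non-consented writes are refused.
  setCookie(name, value, category) {
    if (!CATEGORIES.includes(category)) throw new Error('cookie must declare a category');
    if (!this.allowed(category)) return false;
    this.store.set(name, { value, category });
    return true;
  }
  // Drop cookies whose category is no longer consented to (runs after each decision).
  enforce() {
    for (const [name, c] of [...this.store.entries()]) {
      if (!this.allowed(c.category)) this.store.delete(name);
    }
  }
}
```

In a real deployment the store would wrap `document.cookie` and the log would be persisted server-side, since the record of what information was shown is what demonstrates valid consent later.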

A Consent Management Platform (CMP) like Cookie Information’s helps you effortlessly collect and log valid user consents, ensuring compliance with the PECR and UK GDPR. It includes a customizable cookie banner and ready-to-use cookie policy, giving your users clear information to make informed consent choices. With granular consent settings and an intuitive banner widget, users have full control over their preferences at any time.

Ensure compliance with the UK cookie guidelines today

With Cookie Information’s Consent Management Platform you can set up a cookie consent banner on your website in minutes.

Try it free for 14 days – no commitments or hidden fees.