Cookie Banner Requirements in the UK: What Your Website Needs to Do

The UK rules in plain English: PECR, UK GDPR and who enforces cookie compliance

In the UK, cookie banner requirements mainly come from two laws that work together: PECR (Privacy and Electronic Communications Regulations) and the UK GDPR. In simple terms, PECR sets the “cookie rules” (when you need permission), and UK GDPR sets the standards for what valid permission (consent) looks like and how you handle personal data.

PECR: If you store or access information on a user’s device (cookies, pixels, SDKs, similar tech), you generally need to (1) give clear information about what you’re doing and why, and (2) get the user’s consent before placing anything that isn’t “strictly necessary”. The common exception is for cookies that are genuinely essential to provide a service the user requested (for example, keeping items in a basket or maintaining a logged-in session).

UK GDPR: When cookies involve personal data (which is typical for analytics and advertising identifiers), consent must be freely given, specific, informed and unambiguous. Practically, that means no pre-ticked boxes, no “by continuing you agree” for non-essential cookies, and no bundling consent for unrelated purposes. Users should be able to refuse as easily as accept and be able to change their mind.

Who enforces it: The Information Commissioner’s Office (ICO) enforces PECR and UK GDPR for cookie compliance, including investigations, audits, enforcement notices and fines where appropriate.

When you need a cookie banner (and when you don’t): essential vs non-essential cookies

In the UK, you typically need a cookie banner (or equivalent consent prompt) whenever your site uses non-essential cookies or similar technologies (for example, tracking pixels, SDKs, local storage) that are not strictly required to deliver the service the user asked for. This is driven by the UK ePrivacy rules (PECR) alongside UK GDPR requirements for a lawful basis and transparency.

Essential cookies (often called “strictly necessary”) generally do not require consent and therefore don’t need a banner to obtain permission. Common examples include:

• Keeping items in a shopping basket
• Load balancing and basic security (e.g., fraud prevention)
• Remembering a user’s cookie preferences
• Session cookies needed to log in or complete a transaction

Non-essential cookies usually do require consent before they are set or read. Typical examples include:

• Analytics (e.g., measuring visits and behaviour)
• Advertising and retargeting
• Personalisation beyond what’s necessary (e.g., marketing profiles)
• Social media embeds that track users

Practically, if your site runs analytics or marketing tags, you’ll need a banner that offers a genuine choice (accept/reject) and blocks those tools until consent is given. If you only use essential cookies, you may skip the banner, but you should still explain cookies clearly in your privacy/cookie information. This is general guidance and implementation details can vary by setup.

What a UK-compliant cookie banner must include: consent, transparency and user control

A UK-compliant cookie banner must support valid consent under UK GDPR and the Privacy and Electronic Communications Regulations (PECR). In practice, that means three essentials: meaningful consent, clear information, and genuine user control. (This is general guidance, not legal advice.)

• Consent before non-essential cookies load: analytics, advertising, personalisation and similar cookies should not be set until the user actively agrees. “By continuing to browse” or pre-ticked boxes are not valid consent.
• Equal choice: provide Accept and Reject options with similar prominence. If you offer “Accept all”, you should also offer “Reject all” at the same level, not hidden behind extra clicks.
• Granular controls: allow users to choose by category (e.g., analytics, marketing, functional). Essential cookies can be explained but shouldn’t be optional if they’re genuinely necessary for the service requested.
• Transparency: state what cookies are for, who sets them (you and/or third parties), and link to a cookie policy with details such as names, purposes, durations and third-party recipients where applicable.
• Easy to change or withdraw consent: include a persistent way to reopen preferences (e.g., “Cookie settings” link) and ensure withdrawing consent is as easy as giving it.
• Record-keeping: keep an audit trail of consent choices (what was chosen, when, and from which version of the banner) to demonstrate compliance.

How to set up a compliant cookie banner: step-by-step for analytics, ads and embedded content

1. Audit what loads on your site
   List cookies and similar tech from analytics (e.g., GA4), advertising (e.g., Meta/Google tags), and embedded content (YouTube, Google Maps, chat widgets). Note purpose, provider, lifespan, and whether data leaves the UK.
2. Separate “strictly necessary” from everything else
   Keep essential cookies (security, load balancing, consent storage) always-on. Treat analytics, ads, and most embeds as non-essential and consent-based in the UK.
3. Choose an opt-in banner design
   Provide Accept all and Reject all at the same level (no hiding reject), plus Manage settings. Avoid pre-ticked boxes and “by continuing you agree” wording.
4. Create granular categories
   Use toggles for Analytics, Advertising, and Embedded content (or “Functional/Media”). Default all non-essential toggles to off.
5. Block tags until consent
   Implement consent mode or tag firing rules so analytics/ads scripts and pixels don’t run until the user opts in. For embeds, load a placeholder with a “Click to load” button that triggers consent for that category.
6. Link to a clear cookie policy
   Include a banner link to a cookie policy listing cookies, purposes, retention, third parties, and how to change choices.
7. Record and respect choices
   Store consent logs (timestamp, categories, version) and provide an always-available “Cookie settings” link to withdraw consent. Re-prompt when your cookies/purposes change.

Note: This is general guidance for UK compliance (PECR/UK GDPR). Requirements can vary by implementation and regulator guidance.

How to audit your site’s cookies and trackers (including third parties) before you configure the banner

Start by listing every place cookies or tracking code could be introduced: your CMS/theme, tag manager (e.g., GTM), analytics, ad pixels, embedded video/maps, live chat, A/B testing, consent tools, and any plugins. In the UK, you generally need consent for non-essential cookies, so your audit must separate “essential” from everything else before you decide what the banner should block.

1. Scan in a clean browser session: open an Incognito/Private window, clear site data, then load your homepage and key templates (product, checkout, blog, contact). Use browser DevTools > Application/Storage > Cookies and Local Storage to record what appears on first load.
2. Capture network calls: in DevTools > Network, filter for “collect”, “pixel”, “analytics”, “gtm”, “doubleclick”, “facebook”, “hotjar”, etc. Note third-party domains and when they fire (on load vs after interaction).
3. Use a crawler for coverage: run a cookie scanner across representative URLs to catch page-specific tags (e.g., marketing landing pages). Treat results as a starting point—scanners can miss dynamically injected scripts.
4. Map each item to a purpose and legal basis: for every cookie/identifier, record name, provider (1st/3rd party), lifespan, purpose, and whether it’s essential. Flag anything that sets identifiers before consent.
5. Check tag manager triggers: confirm marketing/analytics tags are not set to “All Pages” by default; plan consent-based triggers and a “deny by default” state.

Practical note: “Essential” is narrow (e.g., security, basket, load balancing). Analytics and advertising are typically non-essential and should not run until consent is given.

Consent management options compared: custom banner vs CMP tools (pros, cons, and best fit)

Custom banner (built in-house or by your web team) can meet UK cookie banner requirements if it captures valid consent for non-essential cookies (e.g., analytics/ads) and makes refusal as easy as acceptance. Pros: full control over design, copy, and performance; can match your brand and accessibility standards; potentially lower ongoing costs if you have development capacity. Cons: higher build and maintenance effort; easy to miss compliance details (granular choices, consent logging, withdrawal, cookie scanning, blocking before consent); updates may be needed as guidance changes. Best fit: simple sites with limited tags, strong in-house dev, and a willingness to maintain documentation and testing.

CMP tools (Consent Management Platforms) typically provide a configurable banner, cookie scanning, categorisation, consent records, and integrations that block tags until consent. Pros: faster route to a robust setup; built-in consent logs and preference centres; easier multi-language and geo rules; regular updates and vendor support. Cons: subscription costs; design constraints; risk of misconfiguration (e.g., “legitimate interest” assumptions, pre-ticked toggles); some tools add script weight. Best fit: sites running multiple marketing/analytics tags, frequent campaigns, multiple domains, or teams that need repeatable governance.

Practical note: whichever route you choose, you still need correct implementation (no non-essential cookies set before consent, clear purposes, easy reject, and a way to change choices). This is general guidance, not legal advice.

Common mistakes that break UK cookie compliance (and how to fix them quickly)

• Assuming “banner shown” = consent collected. If non-essential cookies fire on page load, you’re likely non-compliant. Quick fix: block analytics/marketing tags by default and only load them after an explicit opt-in (e.g., via Consent Mode or tag manager triggers tied to consent).
• Using pre-ticked boxes, “by continuing” consent, or implied consent. UK rules generally require clear, affirmative action for non-essential cookies. Quick fix: use unticked toggles and record a positive opt-in event before setting those cookies.
• Hiding “Reject” behind extra clicks. If “Accept all” is prominent but “Reject” is buried, consent may not be freely given. Quick fix: show “Accept all” and “Reject all” with equal prominence on the first layer.
• Vague categories like “Performance” without specifics. Users need understandable information. Quick fix: list categories with examples (e.g., “Google Analytics”), purposes, and cookie lifespans where practical.
• No proof of consent. If challenged, you should be able to demonstrate what was agreed to and when. Quick fix: log consent state, timestamp, version of the banner text, and user choices (avoid storing unnecessary personal data).
• Making it hard to change your mind. Consent must be as easy to withdraw as to give. Quick fix: add a persistent “Cookie settings” link (footer/header) and apply changes immediately (including deleting non-essential cookies where feasible).

Note: This is general guidance; exact requirements can vary by implementation and regulator interpretation. Consider specialist advice for high-risk tracking or complex adtech setups.

Cookie banner requirements UK: FAQs (Google Analytics, GA4, consent mode, Shopify, WordPress, and enforcement)

Do UK websites need a cookie banner?

Typically, yes if you use any non-essential cookies (e.g., analytics, advertising, A/B testing). Under UK PECR, you generally need informed consent before setting non-essential cookies, and UK GDPR then governs how you use any personal data collected.

Can I run Google Analytics/GA4 without consent?

In most cases, no. GA4 cookies are usually considered non-essential, so you should block GA4 until the user opts in. Some sites use cookieless measurement or strict configurations, but you should still assess whether identifiers are set and whether consent is required.

Does Google Consent Mode replace a cookie banner?

No. Consent Mode helps Google tags adjust behaviour based on the user’s choice, but you still need a compliant consent mechanism (banner/manager) and clear information. Treat Consent Mode as an implementation tool, not a legal shortcut.

What does “reject all” mean in the UK?

Best practice is to offer an equally prominent “Reject all” alongside “Accept all”, plus granular controls. Pre-ticked boxes and “by continuing to browse” consent are generally not acceptable.

How do I implement this on Shopify or WordPress?

Use a consent management platform that can block scripts until consent and supports Google tags/GA4. On Shopify, avoid hard-coding tracking in theme files without gating. On WordPress, ensure plugins don’t load analytics/marketing scripts before consent.

Who enforces cookie rules in the UK?

The ICO enforces PECR and UK GDPR. Enforcement varies, but the ICO can investigate complaints, issue warnings, and take regulatory action. This is general guidance, not legal advice.