
Cookies and consent — UK GDPR and PECR

Updated April 2026 · PECR · UK GDPR Article 7 · ICO aligned

Cookie consent is where UK GDPR meets PECR. A cookie banner with a clear accept button but a buried reject option does not provide valid consent. The ICO has been increasingly active on cookie enforcement, and the pattern of what it challenges is instructive for any organisation running a website.

How to read this guide. This guide explains statutory requirements and regulatory expectations derived from UK GDPR, DPA 2018, and ICO published guidance. It does not determine compliance in any specific case. Where we write “UK GDPR requires” we cite statute. Where we write “the ICO expects” or “the ICO has indicated” we cite regulatory guidance, which is not identical to a statutory obligation. Both matter — but they are different things.

Two overlapping regimes

Cookie use is governed by the Privacy and Electronic Communications Regulations 2003 (PECR) and UK GDPR simultaneously. PECR requires consent before non-essential cookies are set. UK GDPR provides the standard for what valid consent means. Both apply — a cookie consent mechanism must comply with both.

Source: PECR Regulation 6; UK GDPR Article 7; ICO cookie guidance

Strictly necessary cookies

PECR provides an exemption for cookies strictly necessary to provide a service explicitly requested by the user. Session cookies keeping a user logged in and shopping cart cookies are typically strictly necessary. Analytics and advertising cookies are not — they serve the organisation’s purposes, not the user’s requested service, and require consent.

PECR consent must meet the UK GDPR standard — freely given, specific, informed, and unambiguous. Pre-ticked boxes are not valid. Cookie walls that deny access without accepting all cookies are not considered freely given consent. A compliant mechanism includes separate opt-in options per category, an equivalent reject-all option, and the ability to withdraw consent as easily as it was given.

ICO enforcement

The ICO has issued enforcement notices for dark patterns — designs making acceptance easier than rejection, or that bury the reject option. Organisations whose cookie banners require more steps to reject than to accept are at risk. The ICO has indicated that equivalent prominence between accept and reject pathways is expected, and this is a strong factor in its enforcement decisions.

Analytics cookies

Analytics cookies, including Google Analytics, are not strictly necessary and require PECR consent before being set. The fact that data may later be anonymised does not remove the consent requirement — the cookie is set before any anonymisation occurs. Consent must be obtained before the analytics cookie fires.
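The mechanism described above (per-category opt-in, an equivalent reject-all, withdrawal as easy as consent, and no analytics tag firing before a decision) as an added example in JavaScript, not code from the guide or from any ICO publication; the category names, action labels and record shape are constructed for illustration:

```javascript
// Constructed example (not from the guide): a consent-state model in which
// non-essential scripts are gated per category, reject-all and withdrawal are
// single actions, and every decision is recorded for the consent audit.
const NON_ESSENTIAL = ["analytics", "advertising"]; // strictly necessary cookies need no consent

function createConsentManager(clock = () => new Date().toISOString()) {
  let decided = false; // until the user decides, nothing non-essential may fire
  const granted = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
  const waiting = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, []]));
  const records = []; // audit trail: when, which action, via which UI, resulting state

  function apply(choices, action, source) {
    decided = true;
    for (const c of NON_ESSENTIAL) granted[c] = choices[c] === true; // opt-in only, never pre-ticked
    records.push({ at: clock(), action, source, granted: { ...granted } });
    for (const c of NON_ESSENTIAL) {
      while (granted[c] && waiting[c].length) waiting[c].shift()(); // release held loaders
    }
  }

  return {
    // Per-category opt-in: only categories explicitly set to true are granted.
    decide: (choices, source) => apply(choices, "decide", source),
    acceptAll: (source) =>
      apply(Object.fromEntries(NON_ESSENTIAL.map((c) => [c, true])), "accept_all", source),
    // Reject-all is one action, the same effort as accept-all.
    rejectAll: (source) => apply({}, "reject_all", source),
    // Withdrawal is one action too; it stops any further loads.
    withdraw: (source) => apply({}, "withdraw", source),
    isGranted: (category) => decided && granted[category] === true,
    // Gate for a non-essential loader (e.g. the analytics tag): run now if the
    // category is granted, otherwise hold it until consent is given. The loader
    // is never run on an undecided state, so the cookie cannot fire first.
    whenGranted(category, loader) {
      if (!(category in waiting)) throw new Error("unknown category: " + category);
      if (granted[category]) loader();
      else waiting[category].push(loader);
    },
    records: () => records.map((r) => ({ ...r })),
  };
}

// Usage: the analytics tag is registered at page load but only runs after consent.
const consent = createConsentManager();
consent.whenGranted("analytics", () => console.log("analytics tag loaded"));
consent.rejectAll("banner");                        // nothing loads
consent.decide({ analytics: true }, "preferences"); // now the held loader runs
```

The records array is the evidence the ICO may ask for: each entry captures the time, the action, which interface produced it and the resulting per-category state.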

Record this. Maintain a cookie audit documenting every cookie, its purpose, whether it is strictly necessary, and the consent mechanism in place. Review when the website is updated. Retain consent records — the ICO may request evidence of how consent was obtained and by whom.

Not legal advice. This guide is derived from UK GDPR (Data Protection Act 2018 / DUAA 2025) and ICO published guidance as at April 2026. Obligations are subject to change. Consult a qualified solicitor or data protection practitioner for advice specific to your organisation.