If you manage a website – whether you’re a business owner, marketer, developer, or part of a compliance team – it’s essential to understand your legal obligations regarding cookies.
These small data files (and similar technologies) are widely used, but even tools as basic as Google Analytics can impose strict rules.
This article outlines the key legal requirements around cookie consent and offers practical tips to help your business comply with the law. While we focus on consent, remember that cookie compliance under PECR and the UK GDPR is broader and can get complex. For tailored advice, our data protection solicitors are here to support you.
We’ll consider the following:
- Which UK laws apply to cookies and consent?
- When do you need consent for cookies?
- When can you use cookies without consent?
- Practical tips for getting cookie consent right
- Do your cookie banners comply with the law?
- What action do you need to take to obtain cookie consent?
- What to include in your cookie policy
- The risks of getting cookie consent wrong
Which UK laws apply to cookies and consent?
Almost all websites use cookies, which can benefit businesses and users and make things much easier. Cookies help you understand visitor behaviour and improve your site. For users, they enhance the experience by remembering preferences and personalising content, saving time.
There are various types of cookies, including session cookies, persistent cookies, first-party cookies, and third-party cookies. However, cookies also raise privacy concerns, which is why rules are in place to regulate their use.
Cookies are broadly divided into two categories:
- Essential cookies – These are strictly necessary to provide an online service (an ‘information society service’) that the user has specifically requested, such as remembering the contents of the shopping cart.
- Non-essential cookies – This includes analytics, advertising, and social media cookies.
It’s important to understand this distinction, as it plays a key role in determining when consent is required under the law.
When do you need consent for cookies?
Under PECR, you must obtain valid consent before placing cookies or accessing information stored on a user’s device unless a specific exemption applies.
These requirements apply to the ‘terminal equipment’ of ‘subscribers or users’. Terminal equipment is typically the computer or mobile device on which the cookie is set. A subscriber is the individual who pays for the internet service to the device, while the user is the person using the device when the cookies are active.
PECR consent requirements align closely with UK GDPR rules – meaning consent must be freely given, specific, informed, and unambiguous and provided through a clear, positive action by the user.
When can you use cookies without consent?
PECR provides very limited exemptions where consent isn’t required, as outlined in the ICO’s guidance:
- The cookie is used solely for carrying out the transmission of communication over an electronic communications network.
- The cookie is strictly necessary to provide an ‘information society service’ (e.g. a service over the internet) requested explicitly by the subscriber or user.
These exemptions are narrowly applied and must be assessed carefully. Analytics, advertising, or convenience cookies do not qualify and will always require consent. If you’re unsure whether consent is needed, it’s best to seek legal advice to avoid unnecessary risk.
Practical tips for getting cookie consent right
PECR is a complex piece of legislation with a range of rules.
In practical terms, there are several considerations your business should keep in mind when using cookies, including:
- Cookie transparency: Your site must clearly explain which cookies it uses, why it uses them, and how long they remain active on a user’s device in plain and comprehensive language. A cookie policy is the simplest way to provide this information.
- Consent mechanism: Ensure you obtain consent through a clear and active step, such as the user clicking an ‘Accept’ button or selecting their preferences. Do not assume consent from continued browsing or user inactivity – scrolling, swiping, and similar actions are not valid. Never use pre-ticked boxes.
- Consent separation: Keep cookie consent separate from general terms or privacy notices. Avoid ‘cookie walls’, where access to your website is blocked until users consent. Consent must be freely given without pressure or coercion.
- User control: Users must be able to manage or withdraw their cookie preferences easily at any time via a clear mechanism. They should be able to choose which cookies to allow, such as accepting analytics cookies but rejecting marketing cookies.
- Cookie deployment: Do not deploy non-essential cookies until users have provided valid consent.
- Consent records: Maintain a clear record of how and when each user consented. Users must also be able to withdraw that consent just as easily. You may need to obtain fresh consent if your use of cookies changes over time.
- Consent management: A consent management tool can help record user preferences and demonstrate compliance. Your cookie policy should also set and explain appropriate retention periods for cookie data.
Do your cookie banners comply with the law?
GDPR and PECR complement one another in the regulation of cookies and similar technology. PECR states clearly that nothing in PECR ‘shall relieve a person of his obligations under the data protection legislation in relation to the processing of personal data’. So, if the way a cookie is set up involves processing personal data, you must comply with all relevant GDPR rules on processing. However, PECR will take precedence over the GDPR concerning privacy and electronic communications provisions.
GDPR views cookies as one of several online identifiers and personal data types. Depending on their use, cookies may identify an individual from other users alone or – when combined with other online identifiers – identify that individual from other users, with all the implications for that individual’s privacy that such identification could entail.
If your cookie use amounts to the processing of personal data, you will need a lawful basis for processing the associated data under GDPR. While there are six lawful ways to process data concerning cookies, PECR specifies that consent is the only appropriate ground for processing. To process cookie data, you cannot rely on other GDPR processing grounds (such as legitimate interests).
What action do you need to take to obtain cookie consent?
Many businesses use cookie banners as a practical tool. However, it’s important you remember that a cookie banner must not set non-essential cookies before consent is given. It should clearly offer users an easy way to reject or accept cookies – with both options presented equally. Ensuring that any banner used on your site complies with legal requirements is vital.
In addition to these essential considerations, other issues may arise when using cookies, for example:
- Third-party cookies: If your website uses third-party cookies (such as those from advertising services or social media platforms), you must clearly name all third-party providers and explain what they do with users’ data. Your cookie policy should include an up-to-date list of these third parties.
- Special category data: If your cookies result in processing special category personal data (such as health information or political opinions), additional strict legal requirements will apply.
What to include in your cookie policy
Your business must clearly inform users about the use of cookies. This information should be accessible, straightforward, and easy to understand – avoiding technical or confusing language. Typically, you would do this through a clear, standalone cookie policy that outlines the types of cookies you use, how long they last, and how users can manage their settings.
Your cookie policy should include clear information such as:
- That you are using cookies.
- Exactly what each cookie does and its purpose.
- Which third parties (e.g. social platforms) are placing cookies on your website?
- How users can control or withdraw their consent.
- How long will each cookie last, and will it allow third-party access?
This information must be provided before cookies or similar technologies are set or accessed on the user’s device.
Before drafting your policy, you should conduct a full audit to identify which cookies your site uses, what they do, and whether they are essential or non-essential. You’ll also need to determine whether each cookie is first-party or third-party, session or persistent, and confirm the purpose of each (e.g. advertising, analytics, etc.). This is the best way to ensure the information you provide – and the compliance steps you take – accurately reflect the cookies used by your business.
You may need support from technical experts, such as website developers, to carry out a thorough audit.
The risks of getting cookie consent wrong
Several pitfalls can quickly land your business in hot water when using cookies – for example, setting non-essential cookies without consent or failing to explain how cookies are used clearly.
The ICO is focusing on cookies, and enforcement action is increasing. If your business breaches PECR, you could face fines of up to £500,000, reputational damage, and a loss of trust from your users.
The proposed Data Use and Access (DUA) Bill may relax certain rules by allowing implied consent for low-risk analytics cookies – but it could also introduce much higher fines in line with GDPR levels, thereby increasing the potential risk. It’s also important to stay ahead of future developments.
Cookie compliance can be complex, particularly with evolving laws and growing regulatory scrutiny.
If you’re unsure whether your cookie practices are compliant, seeking legal advice should be a top priority. If you'd like help reviewing your consent mechanisms, our data protection solicitors are here to support you.
