Cookie Consent for UK Websites: A Practical Guide

Getting cookie consent right on UK websites is more than a legal formality. The Information Commissioner's Office actively enforces the rules, and users increasingly expect proper consent mechanisms. This guide explains what the law requires and how to implement it properly.

The Two Laws That Apply

UK websites must comply with two overlapping pieces of legislation:

• PECR (Privacy and Electronic Communications Regulations) - governs the use of cookies and similar technologies
• UK GDPR - governs how you process personal data collected through cookies

PECR requires consent before you place non-essential cookies. UK GDPR sets the standard for what valid consent looks like.

What Counts as a Cookie?

The rules apply to any technology that stores or accesses information on a user's device:

• Cookies (session and persistent)
• Local storage
• IndexedDB
• Fingerprinting techniques
• Tracking pixels

If it stores data on the user's device or identifies them across sessions, it needs consent (unless it's strictly necessary).

Essential vs Non-Essential Cookies

Strictly necessary cookies don't require consent. These are cookies that:

• Remember items in a shopping basket
• Maintain a logged-in session
• Remember cookie consent preferences
• Enable security features

Everything else requires explicit consent before being set:

• Analytics cookies (Google Analytics, Hotjar, etc.)
• Advertising cookies (Facebook Pixel, Google Ads, etc.)
• Social media cookies (embedded share buttons, YouTube videos)
• Preference cookies (unless essential for function)

What Valid Consent Looks Like

Under UK GDPR, consent must be:

• Freely given - users must have a genuine choice
• Specific - consent for different purposes should be separate
• Informed - users must know what they're agreeing to
• Unambiguous - requires a clear affirmative action

What This Means in Practice

• Pre-ticked boxes are not valid consent
• Continuing to browse is not valid consent
• Consent buried in terms and conditions is not valid
• Making it harder to reject than accept is not valid consent

Building a Compliant Cookie Banner

First Layer: The Banner

Your cookie banner should appear before any non-essential cookies are set and include:

• Clear explanation that the site uses cookies
• Brief description of cookie purposes
• An "Accept All" button
• A "Reject All" or "Essential Only" button (equally prominent)
• A "Manage Preferences" link for granular control

Second Layer: Preference Centre

The preference centre should allow users to:

• See categories of cookies used
• Toggle each category on or off
• See which specific cookies are in each category
• Save their preferences

Third Layer: Cookie Policy

Your full cookie policy should detail:

• Every cookie your site uses
• What each cookie does
• How long each cookie lasts
• Whether it's first-party or third-party
• How to change browser cookie settings

Implementing Cookie Consent

Option 1: Cookie Consent Platforms

Services like Cookiebot, OneTrust, or Cookie Information handle the complexity for you:

• Automatic cookie scanning
• Compliant banner templates
• Consent logging for proof of compliance
• Monthly fees typically £10-50 depending on traffic

Option 2: Self-Hosted Solutions

Open-source tools like GDPR Cookie Consent or custom implementations give you more control:

• No ongoing costs
• Full control over appearance
• Requires technical knowledge to implement correctly
• You're responsible for keeping the cookie list updated

Technical Implementation

The key technical requirement: non-essential cookies must not fire until consent is given. This typically means:

1. Loading tracking scripts conditionally based on consent status
2. Using a consent management platform's tag manager integration
3. Storing consent status in a cookie (which is itself "strictly necessary")

Common Compliance Failures

Based on ICO enforcement actions, these are the most common mistakes:

• Cookies firing before consent - the banner appears but tracking has already started
• No reject option - users can only accept or "manage preferences"
• Asymmetric choice - bright "Accept All" button, grey "Manage" link
• Cookie walls - blocking access until cookies are accepted
• Ignoring withdrawal - continuing to track after consent is withdrawn

Testing Your Implementation

To verify your cookie consent works properly:

1. Clear all cookies and visit your site in a private browser window
2. Check the network tab in browser developer tools - no analytics or advertising requests should fire
3. Click "Reject All" - non-essential cookies should not be set
4. Verify the consent preference persists across sessions
5. Test that withdrawing consent actually stops tracking

Record Keeping

UK GDPR requires you to be able to demonstrate compliance. Keep records of:

• When consent was given
• What information was provided at the time
• What was consented to
• How consent was obtained

Most cookie consent platforms handle this automatically. If you're building your own solution, you need to implement consent logging.

Penalties

The ICO can issue fines up to £17.5 million or 4% of global turnover for serious GDPR breaches. In practice, enforcement against small businesses typically starts with:

• Warning letters
• Required improvement plans
• Follow-up audits

Fines are reserved for serious or persistent non-compliance. But the reputational damage from ICO action can be significant.

Quick Implementation Checklist

• Cookie banner appears before non-essential cookies fire
• "Reject All" option is as easy to use as "Accept All"
• Granular preferences available for different cookie categories
• Full cookie policy accessible from the banner
• Consent choices are remembered for returning visitors
• Users can change their preferences at any time
• Analytics and advertising only load after consent
• Consent records are stored for compliance evidence