Cookie consent is not optional. The UK's Privacy and Electronic Communications Regulations (PECR), working alongside the GDPR, set clear rules about when and how you can set cookies on a visitor's device. The Information Commissioner's Office (ICO) enforces these rules, and it has been stepping up enforcement significantly.
The legal framework: PECR and GDPR
PECR implements the EU ePrivacy Directive in UK law. It requires that before you store or access information on a user's device (which includes setting cookies), you must provide clear and comprehensive information about what you are doing and obtain the user's consent.
The only exception is for cookies that are "strictly necessary" for the service the user has requested. A shopping cart cookie on an e-commerce site is strictly necessary. A Google Analytics cookie is not. A Facebook tracking pixel is not. These require informed consent before they are loaded.
The GDPR adds another layer: any personal data collected through cookies (and tracking cookies do collect personal data) must have a lawful basis for processing. For most tracking cookies, that lawful basis is consent. And under the GDPR, consent must be freely given, specific, informed, and unambiguous.
Recent ICO enforcement actions
The ICO has moved beyond warnings. In recent years it has issued substantial fines and enforcement notices to organisations that failed to obtain proper cookie consent.
Between 2023 and 2025, the ICO issued fines to multiple companies for cookie consent failures. These cases shared common themes: cookies being set before the user interacted with a consent banner, "accept all" being presented as the only easy option, reject options being buried or requiring multiple clicks, and pre-ticked consent categories that users had to manually opt out of.
The maximum fine under PECR is £500,000. Under the GDPR, fines can reach £17.5 million or 4% of global annual turnover. While the ICO has not yet imposed the maximum for a cookie-only violation, the trajectory is clear: enforcement is increasing, and the regulator expects businesses to take this seriously.
What a compliant cookie setup looks like
Compliance is not complicated, but it requires attention to detail. Here is what the ICO expects:
- No cookies before consent. Non-essential cookies must not be set until the user has actively consented. This means no Google Analytics, no Facebook Pixel, no advertising cookies firing before the banner interaction.
- Clear banner with reject option. The consent banner must offer a reject option that is as prominent and easy to use as the accept option. A single "Accept All" button with "Manage Settings" in tiny text does not meet the standard.
- Granular consent. Users should be able to consent to or reject specific categories of cookies (analytics, marketing, functional) rather than an all-or-nothing choice.
- No dark patterns. Do not use pre-ticked boxes, confusing double negatives, or designs that steer users toward accepting. The ICO has specifically called out dark patterns in cookie banners.
- Easy withdrawal of consent. Users must be able to withdraw consent as easily as they gave it. A persistent settings link in your footer is the standard approach.
- Cookie policy. A detailed cookie policy listing every cookie your site sets, what it does, how long it lasts, and the legal basis for setting it.
Common mistakes the ICO flags
Having reviewed hundreds of UK websites, we see these compliance failures most often:
Consent walls — blocking access to the site entirely until the user accepts cookies. The ICO guidance is clear: you cannot make consent a condition of accessing your service unless cookies are strictly necessary for that service.
Necessary-only default — the correct approach is to load only strictly necessary cookies by default and let the user opt in to everything else. Many sites do the opposite: loading all cookies by default and requiring users to opt out.
Third-party iframes — embedded YouTube videos, Google Maps, and social media widgets set their own cookies. If these load before consent, you are in violation. Consider using click-to-load wrappers for embedded content.
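As an added illustration of the compliant setup described above (default reject, granular categories, nothing non-essential loaded before opt-in, withdrawal, and a click-to-load wrapper for embeds), here is a small consent gate. It is example code written for this article, not code from the ICO or any consent-management vendor; the tag registry, script URLs and cookie names are placeholders, and the actual script injection is passed in so the gate itself has no DOM dependency.

```javascript
// Constructed example: a consent gate that loads non-essential tags only after
// an explicit per-category opt-in and reports which cookies to expire on withdrawal.
const CATEGORIES = ["analytics", "marketing", "functional"];

// Placeholder registry of non-essential tags. Strictly necessary cookies need
// no consent and are deliberately not listed here.
const TAGS = {
  analytics: [{ id: "analytics", src: "https://example.invalid/a.js", cookies: ["ex_a"] }],
  marketing: [{ id: "pixel", src: "https://example.invalid/p.js", cookies: ["ex_p"] }],
  functional: [{ id: "video-embed", src: "https://example.invalid/embed", cookies: ["ex_v"] }],
};

// "Reject all" and "Accept all" are symmetric one-step choices.
const rejectAllChoices = () => Object.fromEntries(CATEGORIES.map((c) => [c, false]));
const acceptAllChoices = () => Object.fromEntries(CATEGORIES.map((c) => [c, true]));

class ConsentGate {
  // loadTag is injected (in a browser: append a <script> or <iframe>), so
  // nothing can fire before update() grants the category.
  constructor(loadTag) {
    this.loadTag = loadTag;
    this.consent = rejectAllChoices(); // default state: no non-essential tags
    this.loaded = new Set();
  }
  // Granular update: only the categories named in `choices` change.
  update(choices) {
    for (const c of CATEGORIES) if (c in choices) this.consent[c] = Boolean(choices[c]);
    const expire = [];
    for (const c of CATEGORIES) {
      for (const tag of TAGS[c]) {
        if (this.consent[c] && !this.loaded.has(tag.id)) {
          this.loaded.add(tag.id);
          this.loadTag(tag);
        } else if (!this.consent[c] && this.loaded.has(tag.id)) {
          // A script that already ran cannot be un-run; on withdrawal the page
          // must expire the cookies it set, so return their names.
          this.loaded.delete(tag.id);
          expire.push(...tag.cookies);
        }
      }
    }
    return expire;
  }
  // Click-to-load wrapper: show a placeholder until the user's click grants the
  // embed's category, then hand back the real src to render.
  embed(id, category) {
    const tag = TAGS[category].find((t) => t.id === id);
    if (this.consent[category] && tag) return { render: "iframe", src: tag.src };
    return { render: "placeholder", onClick: () => this.update({ [category]: true }) };
  }
}

// Value to assign to document.cookie to remove a cookie set on the root path.
const expireCookie = (name) => `${name}=; Max-Age=0; Path=/`;
```

Cookies set with a different Path or Domain attribute need matching attributes in the expiry string, and host-only third-party cookies can only be cleared by the third party itself, which is another reason not to let those tags load before consent.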
What to do right now
If you are not sure whether your website is compliant, the first step is to find out what cookies your site actually sets. Many businesses are surprised to discover that their site loads tracking cookies, analytics scripts, and third-party pixels without a compliant consent mechanism.
A PulseShield cookie compliance audit scans your website for 20+ known tracking scripts and cookies, checks whether they load before consent, and tells you exactly what needs fixing. You get a professional report you can hand to your web developer or act on yourself.
The ICO has made its position clear: cookie consent is a compliance requirement, not a nice-to-have. With enforcement increasing and fines making headlines, there has never been a better time to check your site. Run a free scan or see our monitoring plans for continuous protection.