QUICK ANSWER
Yes. Under PECR and the UK GDPR, you must obtain informed consent before setting non-essential cookies (or using equivalent storage such as local storage or tracking pixels) on a visitor's device. This includes analytics cookies (Google Analytics), advertising cookies (Facebook Pixel), and most third-party tracking cookies. Only strictly necessary cookies, like the session cookie that holds a shopping basket, are exempt.
The law on cookies in the UK
Two sets of regulations govern cookies on UK websites:
- PECR (Privacy and Electronic Communications Regulations) — the UK implementation of the EU ePrivacy Directive. PECR Regulation 6 says you must not store information on, or access information already stored on, a user's device unless you have given clear and comprehensive information about the purposes of that storage or access and obtained the user's consent. The rule is about the device, not the HTTP cookie mechanism, so local storage, tracking pixels and device fingerprinting are covered in the same way.
- UK GDPR — works alongside PECR. It defines what counts as valid consent: it must be freely given, specific, informed, and unambiguous. Pre-ticked boxes and implied consent do not meet this standard.
These rules apply to any website that serves or targets UK visitors, regardless of where the website is hosted or the business is based. If your site is aimed at, or in practice used by, people in the UK, you need to comply.
What counts as a "non-essential" cookie?
Any cookie that is not strictly necessary for the basic functioning of the website is non-essential and requires consent. Common examples of non-essential cookies that require consent:
- Analytics cookies — Google Analytics (_ga, _gid), Hotjar, Mixpanel
- Advertising cookies — Facebook Pixel (_fbp), Google Ads remarketing (_gcl_au), DoubleClick (IDE)
- Social media cookies — embedded Twitter feeds, Facebook like buttons, LinkedIn share widgets
- Personalisation cookies — recently viewed items, inferred preferences, and anything set to tailor content without the visitor asking for it (a preference the visitor has explicitly chosen, such as a language selected on the site, is treated differently; see the exemptions below)
- Third-party tracking cookies — any cookie set by a domain other than the one you are visiting
If you are unsure whether a specific cookie is essential, the Information Commissioner's Office (ICO) advises treating it as non-essential and seeking consent.
What is exempt?
Only cookies that are strictly necessary for a service explicitly requested by the user are exempt. The ICO gives these examples:
- Session cookies that keep you logged in as you navigate a website
- Shopping basket cookies that remember items you have added
- Security cookies that prevent cross-site request forgery
- Load-balancing cookies that distribute traffic across servers
- Language preference cookies set in response to the visitor explicitly choosing a language (a preference inferred from browser settings or behaviour, rather than chosen, does not qualify; this case is debated, but an explicit choice is generally accepted as strictly necessary)
The exemption is narrow, and the test is applied from the visitor's side: would the service the visitor asked for still work without this cookie? Usefulness to you, the site owner, does not count. Analytics cookies fail the test because the page works perfectly well without them, even if the data also lets you improve the site for visitors later. "Strictly necessary" also does not mean "necessary for your business model".
What happens if you do not comply?
The ICO can issue monetary penalties of up to £500,000 under PECR for cookie consent failures. In practice, the ICO typically starts with a reprimand or an enforcement notice requiring changes within a set timeframe, and reserves fines for persistent non-compliance.
Beyond fines, non-compliance erodes visitor trust. UK consumers care about how their data is used, and a banner that visibly ignores their choice (trackers firing before they have answered, or a reject option that cannot be found) damages brand reputation.
What a compliant cookie banner looks like
A compliant cookie consent mechanism must include:
- Equally prominent accept and reject options — rejecting all non-essential cookies must be as easy as accepting them, on the same screen and with the same prominence. Hiding "Reject" behind a "Manage preferences" link or on a secondary screen is not compliant.
- No pre-ticked boxes — every non-essential cookie category must be unchecked by default. The user must actively opt in.
- Granular controls — visitors should be able to accept or reject different categories of cookies independently (for example, accept analytics but reject advertising cookies).
- Clear information — the banner must explain what cookies are used and for what purpose, in plain language.
- Right to withdraw consent — visitors must be able to change their preferences at any time after their initial choice, typically through a persistent settings link in the footer.
Common mistakes to avoid
- Loading cookies before consent — if your analytics or advertising scripts fire before the visitor interacts with the banner, you are already in breach, whatever the banner says. The gating has to be implemented in the page itself (the tag is not injected, or the tag manager is told consent is denied, until the accept handler runs), not just in the banner's wording. To check it, open the site in a fresh browser profile with the developer tools open and list the cookies before you touch the banner; anything non-essential that is already there is a breach.
- Dark patterns — making the accept button large and green while the reject button is small, grey, or hidden behind multiple clicks. The ICO has specifically called out this practice as non-compliant.
- Cookie walls — blocking access to your content unless the visitor accepts all cookies. The ICO considers this to be invalid consent because it is not freely given.
- Ignoring third-party cookies — you are responsible for cookies set on your site by embedded third-party services such as YouTube videos, Google Maps, and social media widgets.
Checking your compliance
A cookie audit identifies every cookie your website sets, when it is set, and whether consent is obtained first. PulseShield's cookie compliance scanner crawls your site and flags every non-essential cookie along with compliance issues such as cookies loaded before consent and missing reject options.
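The two checks described above (scripts must not set non-essential cookies before consent, and an audit that lists every cookie with when it was set) can be expressed in a few functions. The following is an added example written for this page, not code from PulseShield's scanner or from the ICO: it classifies cookies by name, decides which tags a given consent state permits, and audits a recorded timeline of Set-Cookie events against the moment consent was given. The name patterns, the tag catalogue and the sample timeline are constructed for illustration and should be replaced with your own cookie inventory.

```javascript
// Added example (not from the original page): cookie classification,
// consent-gated tag selection, and a pre-consent cookie audit.
// Patterns and sample data below are constructed, not observed on a real site.

const CATEGORY_RULES = [
  // Strictly necessary (exempt under PECR reg 6): session, CSRF, basket,
  // and the cookie that records the consent choice itself.
  { category: 'necessary', pattern: /^(PHPSESSID|JSESSIONID|connect\.sid|csrftoken|XSRF-TOKEN|basket|cookie_consent)$/ },
  // Analytics: Google Analytics, Hotjar.
  { category: 'analytics', pattern: /^(_ga|_ga_[A-Z0-9]+|_gid|_gat(_.+)?|_hjid|_hjSessionUser_\d+)$/ },
  // Advertising: Facebook Pixel, Google Ads, DoubleClick.
  { category: 'advertising', pattern: /^(_fbp|_fbc|_gcl_au|IDE|test_cookie)$/ },
];

// Category for a cookie name. Anything unrecognised is 'unknown' and is
// treated as non-essential, which is the ICO's advice for cookies you cannot justify.
function classifyCookie(name) {
  for (const rule of CATEGORY_RULES) {
    if (rule.pattern.test(name)) return rule.category;
  }
  return 'unknown';
}

function requiresConsent(name) {
  return classifyCookie(name) !== 'necessary';
}

// Parse a Cookie header / document.cookie string into [{ name, value }].
function parseCookieString(str) {
  return str
    .split(';')
    .map((part) => part.trim())
    .filter(Boolean)
    .map((part) => {
      const idx = part.indexOf('=');
      return idx === -1
        ? { name: part, value: '' }
        : { name: part.slice(0, idx), value: part.slice(idx + 1) };
    });
}

// Consent state as the banner should store it: every non-essential category off by default.
const DEFAULT_CONSENT = Object.freeze({ analytics: false, advertising: false });

// Hypothetical tag catalogue: which third-party script belongs to which category.
const TAG_CATALOGUE = [
  { id: 'gtag', category: 'analytics', src: 'https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX' },
  { id: 'hotjar', category: 'analytics', src: 'https://static.hotjar.com/c/hotjar-0.js' },
  { id: 'fbpixel', category: 'advertising', src: 'https://connect.facebook.net/en_US/fbevents.js' },
];

// Tags that may be injected for a consent state. Call this from the banner's
// accept handler (or from the stored consent record on later visits), never on
// page load with a category defaulted to true.
function permittedTags(consent, catalogue = TAG_CATALOGUE) {
  return catalogue.filter((tag) => consent[tag.category] === true).map((tag) => tag.id);
}

// Audit a timeline of { t, type: 'set-cookie', name } and
// { t, type: 'consent', categories } events. Flags any consent-requiring cookie
// set before a consent decision, or in a category the visitor did not opt into.
function auditTimeline(events) {
  const sorted = [...events].sort((a, b) => a.t - b.t);
  let granted = null; // null: no consent decision recorded yet
  const violations = [];
  for (const ev of sorted) {
    if (ev.type === 'consent') { granted = new Set(ev.categories); continue; }
    if (ev.type !== 'set-cookie' || !requiresConsent(ev.name)) continue;
    const category = classifyCookie(ev.name);
    if (granted === null) {
      violations.push({ name: ev.name, category, reason: 'set before consent' });
    } else if (!granted.has(category)) {
      violations.push({ name: ev.name, category, reason: 'category not consented' });
    }
  }
  return violations;
}

// Constructed sample crawl: GA fires on page load, the visitor then accepts
// analytics only, and an advertising cookie is set anyway.
const SAMPLE_EVENTS = [
  { t: 0, type: 'set-cookie', name: 'PHPSESSID' },
  { t: 120, type: 'set-cookie', name: '_ga' },
  { t: 125, type: 'set-cookie', name: '_ga_ABC123' },
  { t: 3000, type: 'consent', categories: ['analytics'] },
  { t: 3100, type: 'set-cookie', name: '_gid' },
  { t: 3200, type: 'set-cookie', name: '_fbp' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditTimeline(SAMPLE_EVENTS));
  console.log(permittedTags({ ...DEFAULT_CONSENT, analytics: true }));
}
```

Running the sample reports three findings: _ga and _ga_ABC123 were set before any consent decision, and _fbp was set after the visitor accepted analytics only. The same timeline shape can be fed from a headless-browser crawl that records each Set-Cookie response header and the click on the banner, which is what a cookie audit needs to capture.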
For the full regulatory requirements, see our detailed guide to the ICO's cookie consent requirements. If you are building a compliance checklist for your whole site, our guide to GDPR website compliance covers cookies alongside the wider data protection obligations.