What are the ICO cookie consent requirements?

What consent means under PECR

The ICO's guidance on PECR and cookies is clear: you must obtain informed consent before storing or accessing information on a user's device unless that storage is strictly necessary for the service they have requested.

Under PECR, valid consent has the same meaning as under the UK GDPR. It must be:

• Freely given — the user must have a genuine choice. You cannot make access to your website conditional on accepting all cookies (known as a "cookie wall").
• Specific — consent must be given for each distinct purpose. A blanket "accept all cookies" option is acceptable only if the user understands what they are agreeing to and can choose different options for different purposes.
• Informed — the user must be told what cookies are being set, by whom, and for what purpose, before they consent.
• Unambiguous — the user must take a clear, affirmative action. Pre-ticked boxes, implied consent from continued browsing, and "by using this site you accept cookies" notices do not satisfy this requirement.

The specific requirements

The ICO expects your cookie consent implementation to meet all of the following:

Clear information upfront

When a visitor arrives at your site for the first time, you must present clear information about the cookies you use before setting any non-essential cookies. This typically takes the form of a banner or pop-up that:

• Identifies that the site uses cookies
• Explains what the cookies do and why
• Names the cookies or at least the categories
• Tells the user who sets each cookie (first party vs third party)

Genuine choice

The user must be able to accept or reject non-essential cookies with equal ease. This means:

• The "Reject" button must be as prominent as the "Accept" button — same size, same visibility, same number of clicks
• Granular controls must be available for different cookie categories
• The user must be able to accept some categories and reject others

Right to withdraw consent

Users must be able to change their cookie preferences at any time after their initial choice. This requires:

• A persistent link (typically in the site footer) that reopens the cookie settings
• The ability to switch from "accept" to "reject" (or vice versa) at any point
• Any previously set non-essential cookies must be deleted when consent is withdrawn

What the ICO looks for during enforcement

When the ICO investigates a website's cookie practices, it examines several specific areas:

• Whether non-essential cookies are set before the user interacts with the consent mechanism
• Whether the consent mechanism presents accept and reject options equally
• Whether the cookie categories and purposes are clearly explained
• Whether consent can be withdrawn easily
• Whether third-party cookies on the site are covered by the consent mechanism

The ICO has taken enforcement action against organisations for each of these failings individually and in combination.

Explicit vs implied consent

Before the UK GDPR came into effect, many websites used implied consent — the idea that continuing to browse implied agreement to cookies. The ICO no longer accepts this approach.

Explicit consent requires an active step from the user: clicking "Accept", ticking a box, or selecting specific cookie categories. The user must do something that clearly demonstrates their agreement. Silence, inactivity, or pre-ticked boxes do not count.

If your current cookie banner relies on continued browsing as consent, it does not meet the ICO's requirements and should be updated.

Analytics cookies and consent

A common question is whether Google Analytics cookies require consent. The ICO's position is that they do. Google Analytics sets first-party cookies (_ga, _gid, _gat) that track user behaviour across pages and sessions. Even though the data may be anonymised, the cookies themselves are not strictly necessary for the website to function.

If you use Google Analytics, you must:

• Not load the Google Analytics tracking code until the user has explicitly consented
• Present analytics as a separate category the user can accept or reject independently
• Stop collecting data and delete existing analytics cookies if the user later withdraws consent

Google Consent Mode v2

Google Consent Mode v2 is a technical solution that adjusts how Google tags behave based on the user's consent state. When a user rejects analytics cookies, Consent Mode signals Google's tags to operate in cookieless mode, using modelling to fill gaps in the data rather than setting cookies.

Consent Mode v2 can help you continue to get useful insights from Google Analytics while respecting user choices. However, it is not a substitute for a proper consent mechanism. You still need a compliant banner that captures the user's choice and passes it to Consent Mode.

Google now requires Consent Mode v2 for advertisers using Google Ads conversion tracking and remarketing in the European Economic Area and the UK.

How to audit your own cookie usage

A cookie audit is the first step to compliance. Follow these steps:

1. List every cookie — use your browser's developer tools (Application tab > Cookies) or a dedicated cookie scanner to list every cookie your site sets, including first-party and third-party cookies.
2. Categorise each cookie — assign each cookie to a category: strictly necessary, analytics, advertising, functional, or performance.
3. Identify the purpose — document what each cookie does and why it is needed.
4. Identify who sets it — note whether the cookie is set by your site (first-party) or by an external service (third-party).
5. Check timing — verify that no non-essential cookies are set before the user interacts with your consent banner.
6. Review your banner — check that your consent banner meets all the ICO's requirements listed above.

PulseShield's cookie compliance scanner automates this process by crawling your site, identifying every cookie, and flagging compliance issues.

Related guidance

If you are still deciding whether you need a cookie banner, our guide to cookie consent requirements covers the basics. For the broader regulatory picture, our comparison of GDPR and PECR explains how the two regulations work together.