Guide

How to Comply With UK Cookie Law on Your Website

UK cookie law is governed primarily by the Privacy and Electronic Communications Regulations (PECR), enforced by the Information Commissioner’s Office (ICO). If your website sets non-essential cookies — and almost all websites do — you are required to obtain informed, freely given consent from visitors before those cookies are placed.

Compliance isn’t as complicated as it might seem, but it does require a systematic approach. Here’s how to get it right.

Step 1: Audit What Cookies Your Website Sets

Before you can manage consent properly, you need to know exactly what cookies your website sets, why, and from which third parties. Use a cookie scanning tool — Cookiebot, CookieYes, and OneTrust all offer free scanning options — to generate an inventory. The scan will categorise cookies as strictly necessary, functional, analytics, or advertising/marketing.

Common non-essential cookies on small business websites include Google Analytics (_ga, _gid), Google Ads conversion tracking, Facebook Pixel, YouTube embedded videos, LinkedIn Insight Tag, and live chat tools such as Intercom or Tidio. Each of these requires prior consent before being loaded.

Repeat this audit whenever you add a new plugin, embed a third-party widget, or change your analytics setup. Cookie inventories change over time, and your consent mechanism must reflect what’s actually being set.

Step 2: Implement a Compliant Consent Mechanism

A compliant consent mechanism must:

- present users with a clear, prominent notice before any non-essential cookies are set;
- offer an equally easy-to-use option to accept or decline;
- allow granular control by cookie category where multiple categories are in use;
- not use pre-ticked boxes or dark patterns (such as making the accept button more prominent than the reject option); and
- record and store consent so you can demonstrate it was given.

The most reliable way to implement this for most small business websites is through a dedicated consent management platform (CMP) such as Cookiebot, CookieYes, or Complianz (a popular WordPress plugin). These tools handle the technical blocking of non-essential cookies until consent is received and maintain consent logs automatically.

If you use Google Analytics, connect it through Google Tag Manager and configure your CMP to block the GA tag until consent is given. This is the correct technical implementation — loading analytics on page load and then asking for consent is not compliant.

Step 3: Write a Cookie Policy and Keep It Updated

Your cookie banner must link to a full cookie policy. This document should list every category of cookie your site uses, explain what each one does, state who sets it and where their data is processed, and explain how visitors can change or withdraw their consent. Most CMP tools generate a draft cookie policy based on their scan results — review it for accuracy and integrate it with your privacy policy or publish it as a standalone page.

Update your cookie policy whenever your cookie inventory changes. An outdated policy that no longer reflects what your site actually sets creates legal exposure and undermines visitor trust. Schedule a review every six months as a minimum.

Withdrawing consent should be as easy as giving it. Your cookie banner should remain accessible (typically via a floating button or link in your footer) so visitors can change their preferences at any time. A visitor who initially accepted all cookies must be able to withdraw that consent without difficulty.
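The blocking behaviour described in Step 2 and the withdrawal requirement above can be seen end to end in the following added example. It is not code from this guide or from any of the CMPs named (Cookiebot, CookieYes, Complianz), and the storage key, category names, tag URLs and cookie names it uses are constructed placeholders standing in for your own Step 1 inventory. Storage and script injection are passed in so the same logic runs in a browser (localStorage plus script tags) and in a plain Node process.

```javascript
// Consent gate for non-essential scripts (added example, not a CMP's own code).
// Nothing non-essential loads until the visitor has made an explicit per-category
// choice; the choice is recorded with a timestamp and policy version; withdrawal
// is a single call that records an all-false choice.

const CONSENT_VERSION = 1;                 // bump when the cookie policy or categories change
const CONSENT_KEY = 'cookie_consent';      // hypothetical storage key
const CATEGORIES = ['analytics', 'marketing'];

// Non-essential tags by category. The src values are constructed placeholders.
const TAG_REGISTRY = {
  analytics: [{ id: 'ga4', src: 'https://tags.example/ga4.js' }],
  marketing: [{ id: 'ads', src: 'https://tags.example/ads.js' }],
};

// Cookie names each category is known to set (from your Step 1 audit; constructed here).
const COOKIE_INVENTORY = {
  analytics: ['_ga', '_gid'],
  marketing: ['_fbp'],
};

class ConsentGate {
  constructor({ storage, injectScript, now = () => Date.now() }) {
    this.storage = storage;           // { get(key), set(key, value), remove(key) }
    this.injectScript = injectScript; // (tag) => void, called at most once per tag id
    this.now = now;
    this.loaded = new Set();
  }

  // The stored record counts only if it matches the current policy version;
  // an older record means the visitor must be asked again.
  getConsent() {
    const raw = this.storage.get(CONSENT_KEY);
    if (!raw) return null;
    let rec;
    try { rec = JSON.parse(raw); } catch (e) { return null; }
    if (!rec || rec.version !== CONSENT_VERSION || !rec.choices) return null;
    return rec;
  }

  // Default before any choice: nothing non-essential is allowed.
  allowed(category) {
    const rec = this.getConsent();
    return Boolean(rec && rec.choices[category] === true);
  }

  // Record an explicit per-category choice. There are no pre-ticked defaults:
  // any category not explicitly true is stored as false. Then load what is allowed.
  save(choices) {
    const normalised = {};
    for (const c of CATEGORIES) normalised[c] = choices[c] === true;
    const rec = {
      version: CONSENT_VERSION,
      at: new Date(this.now()).toISOString(),
      choices: normalised,
    };
    this.storage.set(CONSENT_KEY, JSON.stringify(rec));
    this.applyConsent();
    return rec;
  }

  // Withdrawal is one call. Scripts already injected in this page view cannot be
  // unloaded, so the caller should also expire the cookies (expireCookies) and reload.
  withdraw() {
    return this.save({});
  }

  // Inject each tag whose category is allowed, once. Returns the ids loaded this call.
  applyConsent() {
    const loadedNow = [];
    for (const cat of CATEGORIES) {
      if (!this.allowed(cat)) continue;
      for (const tag of TAG_REGISTRY[cat]) {
        if (this.loaded.has(tag.id)) continue;
        this.loaded.add(tag.id);
        this.injectScript(tag);
        loadedNow.push(tag.id);
      }
    }
    return loadedNow;
  }
}

// Audit check: given a document.cookie string, return the names of inventoried
// cookies that are present although their category has not been consented to.
function cookiesSetWithoutConsent(cookieHeader, gate) {
  const present = new Set(
    cookieHeader.split(';').map(s => s.trim().split('=')[0]).filter(Boolean)
  );
  const violations = [];
  for (const cat of CATEGORIES) {
    if (gate.allowed(cat)) continue;
    for (const name of COOKIE_INVENTORY[cat]) if (present.has(name)) violations.push(name);
  }
  return violations;
}

// Strings to assign to document.cookie to expire a category's first-party cookies.
// The Path (and Domain, if the vendor set one) must match the original cookie;
// cookies set on a third party's own domain cannot be cleared from your page.
function expireCookies(category) {
  return COOKIE_INVENTORY[category].map(name => `${name}=; Max-Age=0; Path=/`);
}

// Browser wiring (not run under Node): localStorage for the record, script tags for loading.
function browserGate() {
  return new ConsentGate({
    storage: {
      get: k => localStorage.getItem(k),
      set: (k, v) => localStorage.setItem(k, v),
      remove: k => localStorage.removeItem(k),
    },
    injectScript: tag => {
      const s = document.createElement('script');
      s.src = tag.src;
      s.async = true;
      document.head.appendChild(s);
    },
  });
}
```

On page load call `browserGate().applyConsent()` before any tag script is referenced; with no record stored this loads nothing, which is the behaviour Step 2 requires. Wire the banner's buttons to `save({...})` and the footer's preferences link to the same banner, so withdrawal is one click rather than a support request. Note that the Google Analytics tag in the registry stands in for the GTM container; if you use Tag Manager, the gate's job is only to decide whether that container may load, and the same ordering rule applies.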

FAQs

Common questions.

Does UK cookie law apply to my website if my business is small?
Yes. PECR applies to any website that sets non-essential cookies and targets UK users, regardless of the size of the business. The ICO’s enforcement focus has been on larger organisations, but the legal obligation applies universally. Compliance is also straightforward and low-cost for small sites — the main effort is the initial setup.
Can I use Google Analytics without a cookie banner?
Google Analytics sets non-essential cookies and requires user consent under UK PECR before those cookies can be loaded. You can use Google Analytics 4 in a “cookieless” or “consent mode” configuration that limits tracking for users who decline, but you cannot load standard GA cookies before consent is given and remain compliant.
What is a “dark pattern” in a cookie banner?
Dark patterns are design or wording choices that nudge users towards accepting cookies rather than exercising genuine free choice. Common examples include: making the accept button bright and prominent while the decline option is greyed out or hidden; requiring multiple clicks to decline while acceptance takes one; or using confusing language that makes declining seem harder than it is. The ICO actively discourages dark patterns and they undermine the validity of any consent collected.
Want a hand putting this into practice?

Book a free, no-obligation consultation with a Norwich-based specialist.
