How to Comply With UK Cookie Law on Your Website
UK cookie law is governed primarily by the Privacy and Electronic Communications Regulations (PECR), enforced by the Information Commissioner’s Office (ICO). If your website sets non-essential cookies — and almost all websites do — you are required to obtain informed, freely given consent from visitors before those cookies are placed.
Compliance isn’t as complicated as it might seem, but it does require a systematic approach. Here’s how to get it right.
Step 1: Audit What Cookies Your Website Sets
Before you can manage consent properly, you need to know exactly what cookies your website sets, why, and from which third parties. Use a cookie scanning tool — Cookiebot, CookieYes, and OneTrust all offer free scanning options — to generate an inventory. The scan will categorise cookies as strictly necessary, functional, analytics, or advertising/marketing.
Common non-essential cookies on small business websites include Google Analytics (_ga, _gid), Google Ads conversion tracking, Facebook Pixel, YouTube embedded videos, LinkedIn Insight Tag, and live chat tools such as Intercom or Tidio. Each of these requires prior consent before being loaded.
Repeat this audit whenever you add a new plugin, embed a third-party widget, or change your analytics setup. Cookie inventories change over time, and your consent mechanism must reflect what’s actually being set.
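A scanning tool is the right starting point, but a quick first-party check against your own inventory catches drift between audits. The following is an added example, not code from the article or from any of the scanners it names: it reads a cookie string in the `document.cookie` format, classifies each cookie against a declared inventory, and flags anything uncategorised. The inventory entries and the sample cookie string are constructed for illustration (only `_ga` and `_gid` are real Google Analytics cookie names; `site_session`, `cookie_consent` and `mystery_widget` are hypothetical).

```javascript
// Declared inventory (constructed for this example). Every cookie the site
// sets should appear here with its category and who sets it.
const INVENTORY = [
  { match: /^_ga(_|$)/,       category: 'analytics',          setBy: 'Google Analytics' },
  { match: /^_gid$/,          category: 'analytics',          setBy: 'Google Analytics' },
  { match: /^site_session$/,  category: 'strictly necessary', setBy: 'this site (hypothetical)' },
  { match: /^cookie_consent$/, category: 'strictly necessary', setBy: 'this site (hypothetical)' },
];

// Split a document.cookie-style string ("a=1; b=2") into cookie names.
function parseCookieNames(cookieString) {
  return cookieString
    .split(';')
    .map((part) => part.trim())
    .filter(Boolean)
    .map((part) => part.split('=')[0].trim());
}

// Match each cookie name against the inventory. Unknown names are the
// ones that need investigating: a new plugin or widget, or a stale inventory.
function classifyCookies(cookieString, inventory = INVENTORY) {
  const report = { categorised: [], unknown: [] };
  for (const name of parseCookieNames(cookieString)) {
    const entry = inventory.find((e) => e.match.test(name));
    if (entry) {
      report.categorised.push({ name, category: entry.category, setBy: entry.setBy });
    } else {
      report.unknown.push(name);
    }
  }
  return report;
}

// Names that must not be set before consent is recorded.
function cookiesNeedingConsent(report) {
  return report.categorised
    .filter((c) => c.category !== 'strictly necessary')
    .map((c) => c.name);
}

// Constructed sample: what document.cookie might look like on a page that
// has loaded analytics plus an unrecorded third-party widget.
const SAMPLE_COOKIE_HEADER = '_ga=GA1.2.111; _gid=GA1.2.222; site_session=abc123; mystery_widget=1';

const sampleReport = classifyCookies(SAMPLE_COOKIE_HEADER);
console.log('needs consent:', cookiesNeedingConsent(sampleReport));
console.log('not in inventory:', sampleReport.unknown);
```

In a browser you would pass `document.cookie` instead of the sample string. Note the limitation: `document.cookie` only shows first-party cookies that are not `HttpOnly`, so cookies set inside embedded iframes (a YouTube embed, for instance) will not appear, which is exactly why the article recommends a dedicated scanning tool for the full inventory.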
Step 2: Implement a Compliant Consent Mechanism
A compliant consent mechanism must: present users with a clear, prominent notice before any non-essential cookies are set; offer an equally easy-to-use option to accept or decline; allow granular control by cookie category where multiple categories are in use; not use pre-ticked boxes or dark patterns (such as making the accept button more prominent than the reject option); and record and store consent so you can demonstrate it was given.
The most reliable way to implement this for most small business websites is through a dedicated consent management platform (CMP) such as Cookiebot, CookieYes, or Complianz (a popular WordPress plugin). These tools handle the technical blocking of non-essential cookies until consent is received and maintain consent logs automatically.
If you use Google Analytics, connect it through Google Tag Manager and configure your CMP to block the GA tag until consent is given. This is the correct technical implementation — loading analytics on page load and then asking for consent is not compliant.
Step 3: Write a Cookie Policy and Keep It Updated
Your cookie banner must link to a full cookie policy. This document should list every category of cookie your site uses, explain what each one does, state who sets it and where their data is processed, and explain how visitors can change or withdraw their consent. Most CMP tools generate a draft cookie policy based on their scan results — review it for accuracy and integrate it with your privacy policy or publish it as a standalone page.
Update your cookie policy whenever your cookie inventory changes. An outdated policy that no longer reflects what your site actually sets creates legal exposure and undermines visitor trust. Schedule a review every six months as a minimum.
Withdrawing consent should be as easy as giving it. Your cookie banner should remain accessible (typically via a floating button or link in your footer) so visitors can change their preferences at any time. A visitor who initially accepted all cookies must be able to withdraw that consent without difficulty.
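The requirements in Step 2 (no pre-ticked boxes, category-level choice, a stored record of consent, non-essential tags blocked until consent) and the withdrawal requirement above come down to a small piece of state logic that any banner sits on top of. The following is an added example, not the article's code and not the code of Cookiebot, CookieYes or Complianz: a consent record with timestamp and policy version, a gate that decides which tags may load, and withdrawal. The category names, the policy version string and the sample tag list are constructed for illustration; the `example.invalid` URLs are placeholders.

```javascript
// Non-essential categories the banner offers. Strictly necessary cookies
// never need consent and are handled separately in mayLoad().
const CATEGORIES = ['functional', 'analytics', 'marketing'];

// Constructed policy version. Bump it whenever the cookie inventory or the
// cookie policy changes, so that old consent records no longer count.
const POLICY_VERSION = '2024-01';

// No pre-ticked boxes: every non-essential category starts as declined.
function defaultConsent() {
  const consent = {};
  for (const cat of CATEGORIES) consent[cat] = false;
  return consent;
}

// Build the record you store (cookie or localStorage) and keep as evidence.
// Only an explicit boolean true counts as consent for a category.
function recordConsent(choices, now = new Date()) {
  const granted = defaultConsent();
  for (const cat of CATEGORIES) granted[cat] = choices[cat] === true;
  return { version: POLICY_VERSION, timestamp: now.toISOString(), granted };
}

// "Accept all" and "Reject all" must be equally available; both are one call.
function acceptAll(now) {
  const all = {};
  for (const cat of CATEGORIES) all[cat] = true;
  return recordConsent(all, now);
}
function rejectAll(now) {
  return recordConsent({}, now);
}

// Withdrawal is just a fresh record with everything declined. Scripts that
// already ran cannot be unloaded, so reload the page after storing this.
function withdrawConsent(now) {
  return rejectAll(now);
}

// Gate: strictly necessary always loads; an unrecognised category never
// loads (fail closed); anything else needs a current, matching record.
function mayLoad(category, record) {
  if (category === 'strictly necessary') return true;
  if (!CATEGORIES.includes(category)) return false;
  return (
    record !== null &&
    record !== undefined &&
    record.version === POLICY_VERSION &&
    record.granted[category] === true
  );
}

// Given the site's tags [{ category, src }], return the sources allowed to load.
function tagsToLoad(tags, record) {
  return tags.filter((t) => mayLoad(t.category, record)).map((t) => t.src);
}

// Constructed sample tag list. In a real page these would be the deferred
// scripts (or the Tag Manager triggers) for each category.
const SAMPLE_TAGS = [
  { category: 'strictly necessary', src: '/js/site.js' },
  { category: 'analytics',          src: 'https://example.invalid/analytics.js' },
  { category: 'marketing',          src: 'https://example.invalid/pixel.js' },
  { category: 'unknown',            src: 'https://example.invalid/mystery.js' },
];

console.log('first visit, no record:', tagsToLoad(SAMPLE_TAGS, null));
console.log('after accept all:', tagsToLoad(SAMPLE_TAGS, acceptAll()));
console.log('after withdrawal:', tagsToLoad(SAMPLE_TAGS, withdrawConsent()));
```

Two points worth noticing. The version check means a visitor who consented under an older policy is asked again after the inventory changes, which keeps the stored record honest with what the site now sets. And the gate fails closed on a category it does not recognise, so a tag added with a typo in its category attribute stays blocked rather than quietly loading.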
Common questions
Does UK cookie law apply to my website if my business is small?
Can I use Google Analytics without a cookie banner?
What is a “dark pattern” in a cookie banner?
Want a hand putting this into practice?
Book a free, no-obligation consultation with a Norwich-based specialist.