UK Cookie Law Explained Simply
Cookie law is one of those things that most website owners either ignore entirely or overcomplicate. Here's what it actually requires — no jargon.
What is UK cookie law?
In the UK, cookies are governed by two sets of rules:
UK GDPR — applies to cookies that process personal data (analytics, advertising, tracking)
PECR (Privacy and Electronic Communications Regulations) — the specific UK law about cookies and electronic marketing. This is the one that requires consent for non-essential cookies, which is why sites show consent banners.
Together, they mean: before you set or read any non-essential cookie on a user's device, you need that user's consent.
What counts as a cookie?
For legal purposes, "cookies" includes:
- Traditional browser cookies
- Local storage
- Session storage
- Pixels and tracking scripts
- Fingerprinting techniques
If it stores information on, or reads information from, a user's device, the cookie rules apply.
Essential vs non-essential — the critical distinction
Essential cookies don't need consent. These are cookies that are strictly necessary for your website to function:
- Session cookies (keeping users logged in)
- Cart/basket cookies
- Security cookies (CSRF tokens)
- Load balancing cookies
Non-essential cookies require consent before being set. This includes:
- Analytics (Google Analytics, Hotjar, Mixpanel)
- Advertising and retargeting (Meta Pixel, Google Ads)
- Social media embeds
- Live chat tools (Intercom, Crisp)
- Personalisation cookies
The rule of thumb: if your site still works without the cookie, it's non-essential. The legal test is whether the cookie is strictly necessary to provide a service the user has actually asked for.
What does valid consent look like?
Under PECR, consent must be:
- Freely given — users can say no without being blocked from your site
- Specific — they know what they're consenting to
- Informed — they understand what the cookies do
- Unambiguous — a clear positive action, not just scrolling or continuing to browse
This means pre-ticked boxes don't count. "By continuing to use this site you consent" doesn't count. A cookie banner that only has an "Accept" button doesn't count either: refusing must be as easy as accepting.
A compliant banner gives users a genuine choice to accept or decline non-essential cookies, with the decline option as easy to find and click as the accept option.
What your cookie policy needs to include
A cookie policy is a document (usually a separate page) that lists:
- Every cookie your site uses
- Whether it's essential or non-essential
- What it does and why
- Who sets it (you or a third party)
- How long it lasts
- How users can change their preferences
Common mistakes
Setting Google Analytics before consent — extremely common, and non-compliant. The GA tag should only load after the user accepts analytics cookies; a tag that fires on page load and is "blocked" by the banner afterwards has already set its cookies.
No decline option — if there's only an "Accept All" button, your banner isn't compliant.
Cookie policy that doesn't list all cookies — if you've recently added Hotjar or a Facebook Pixel and haven't updated your policy, you're out of date.
Ignoring it entirely — the ICO (UK's data protection authority) has issued enforcement notices for cookie consent violations, including to small businesses.
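The consent requirements above (explicit opt-in, no pre-ticked defaults, decline as easy as accept, withdrawable) and the "analytics before consent" mistake come down to one engineering rule: do not inject a non-essential script until an explicit opt-in for its category has been recorded. The following is an added example, not code from the original page or from InkTerms, showing one way to implement that gate in the browser. The category names, the storage key `cookie_consent_v1`, and the `G-XXXXXXX` measurement ID are placeholders assumed for illustration; the storage and script-loading callbacks are injectable so the logic runs (and can be tested) outside a browser.

```javascript
// Added example (not from the original page): gate non-essential scripts behind
// explicit consent and keep the decision in a record that is itself exempt
// (it is strictly necessary to honour the user's choice).
// Assumed placeholders: the category names, the storage key, the G-XXXXXXX ID.

const CONSENT_KEY = "cookie_consent_v1";                       // assumed storage key
const CATEGORIES = ["analytics", "advertising", "functional"]; // assumed taxonomy

// `storage` needs getItem/setItem/removeItem (window.localStorage in a browser);
// `loadScript(url)` is where the real <script> injection happens; `now` is
// injectable so the record's timestamp is deterministic in tests.
function createConsentGate({ storage, loadScript, now = () => Date.now() }) {
  const pending = Object.fromEntries(CATEGORIES.map((c) => [c, []])); // waiting for opt-in
  const loaded = new Set();

  // Parse the stored decision; a missing or corrupt record means "not decided".
  function read() {
    const raw = storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      if (rec && rec.version === 1 && rec.choices && typeof rec.choices === "object") return rec;
    } catch (_) { /* corrupt record: fall through */ }
    return null;
  }

  function hasConsent(category) {
    const rec = read();
    return rec !== null && rec.choices[category] === true;
  }

  function load(url) {
    if (loaded.has(url)) return; // never double-inject
    loaded.add(url);
    loadScript(url);
  }

  // Queue a third-party script under a category. Nothing is injected unless
  // the user has already opted in; otherwise it waits for decide().
  function register(category, url) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
    if (hasConsent(category)) load(url);
    else pending[category].push(url);
  }

  // Record an explicit decision. Only a literal `true` counts as consent;
  // absent or non-boolean values are treated as declined (no pre-ticked defaults).
  function decide(choices) {
    const normalised = {};
    for (const c of CATEGORIES) normalised[c] = choices[c] === true;
    storage.setItem(CONSENT_KEY, JSON.stringify({ version: 1, choices: normalised, decidedAt: now() }));
    for (const c of CATEGORIES) {
      if (normalised[c]) for (const url of pending[c].splice(0)) load(url);
    }
    return normalised;
  }

  // Withdrawal must be as easy as consent. Scripts already injected cannot be
  // unloaded from JS, so callers should reload the page after this.
  function withdraw() {
    storage.removeItem(CONSENT_KEY);
  }

  return {
    hasConsent,
    register,
    decide,
    acceptAll: () => decide(Object.fromEntries(CATEGORIES.map((c) => [c, true]))),
    rejectAll: () => decide({}),
    withdraw,
    needsBanner: () => read() === null,
    loadedScripts: () => Array.from(loaded),
  };
}

// Browser wiring (skipped under Node): real storage, real script injection, and a
// banner whose "Reject all" button is as prominent as "Accept all".
if (typeof document !== "undefined" && typeof localStorage !== "undefined") {
  const gate = createConsentGate({
    storage: localStorage,
    loadScript: (url) => {
      const s = document.createElement("script");
      s.src = url;
      s.async = true;
      document.head.appendChild(s);
    },
  });
  // Registered at page load, but only injected after an analytics opt-in.
  gate.register("analytics", "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX");
  if (gate.needsBanner()) {
    const banner = document.createElement("div");
    banner.textContent = "We use optional analytics cookies. ";
    for (const [label, action] of [["Accept all", gate.acceptAll], ["Reject all", gate.rejectAll]]) {
      const b = document.createElement("button");
      b.textContent = label;
      b.onclick = () => { action(); banner.remove(); };
      banner.appendChild(b);
    }
    document.body.appendChild(banner);
  }
}
```

The `loadScript` callback is the only place the tag touches the page, so the whole GA snippet (the script tag and its init call) belongs there rather than in the HTML head. Treating anything other than a literal `true` as a refusal is what prevents a pre-ticked or "assumed" consent from leaking through, and a corrupt or missing record is treated as "undecided" rather than "accepted".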
Does this apply to me if my site is small?
Yes. Size doesn't determine whether PECR applies — using cookies does. If your site uses Google Analytics, you're subject to cookie law.
The practical risk of enforcement for a small site is low, but customer trust is real. A clean consent banner signals that you take privacy seriously.
Generate your cookie policy
InkTerms creates a personalised cookie policy listing the specific cookies your site uses — analytics, advertising, session, and third-party — along with a consent banner setup guide.
Need this document for your business? InkTerms generates it in minutes — tailored to your answers, in plain English.