ICO's New Cookie Rules: What UK Website Owners Need to Do

By TrustYourWebsite Editorial · 24 May 2026 · 5 min read

Source: ICO

The ICO has finalised the rules on how UK websites use cookies, and the fines for getting it wrong are now much bigger than they used to be. If you run a UK business website with analytics or ad tracking, this affects you.

On 29 April 2026 the Information Commissioner's Office published its final guidance on storage and access technologies. That's the official name for cookies, tracking pixels, device fingerprinting and the little scripts that load when someone visits your site. The guidance has been working its way through two public consultations, and the finished version landed alongside an updated online tracking strategy.

Most of the coverage so far has come from law firms breaking down what it means. The short version: the core rule hasn't changed, but the enforcement teeth have, and a few things that website owners assumed were fine now need a second look.

What actually changed

The headline change happened back in February. Until 5 February 2026, the ICO could only fine you for a cookie breach if it was "serious" and likely to cause "substantial damage or substantial distress." That bar was high enough that the ICO almost never used it for cookies.

That bar is now gone. Under the Data (Use and Access) Act 2025, any cookie contravention can in principle be fined. And the maximum fine under PECR jumped from £500,000 to the same level as UK GDPR, which is £17.5 million or 4% of global turnover, whichever is higher.

To be clear, the ICO has not suddenly started handing out seven-figure fines to corner shops. Its track record on cookie enforcement has been light. But the legal ceiling moved, and the regulator has spent the last year reviewing the UK's 1,000 most-visited sites. So the direction of travel is obvious.

The exceptions that might help you

The DUAA introduced a handful of new exceptions where you don't need consent. The two that matter most for ordinary business websites are the statistical purposes exception and the appearance exception.

The statistical purposes exception covers basic analytics. If you collect aggregate information about how people use your site, purely to improve the site, you may not need a consent banner for that specific cookie. But the ICO drew a hard line here. The exception is about how the service is used, not who uses it. The moment you move into user-level tracking, profiling, ad measurement or anything that follows people across sites, you're back to needing consent.

The appearance exception covers cookies that remember a user's display preference, like dark mode or a language choice. It does not cover adapting your site based on someone's browsing history or inferred interests.

Even when an exception applies, you still have to tell people clearly what you're doing and give them a free, easy way to object.

What this means for your website

The guidance also made a point that catches more businesses than people expect. If you tell a third party, like an analytics provider or an ad platform, to set cookies on your behalf, you're in scope even if you never touch the code yourself. That sweeps in anyone using Google Analytics, a Meta pixel, a tag manager or an embedded YouTube video.

If you've never looked at what your site actually loads, now is a sensible time. The common problems are simple ones: cookies firing before anyone clicks "accept," a banner with a big "accept" button and a buried "reject" link, or no way to say no at all.

You can check what your site loads before consent with our free website scanner. It takes about 30 seconds and shows you which trackers fire and when, with no signup.
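The same check can be done by hand on a HAR export saved from the browser's network panel on a fresh visit, before touching the banner. The script below is an added example, not the scanner's own code: it lists tracker requests, other third-party requests and cookies set by response headers. The host list, function names and sample capture are assumptions made for illustration, and the host list is not exhaustive.

```python
from urllib.parse import urlsplit

# Illustrative, non-exhaustive host suffixes for the services the article names.
KNOWN_TRACKERS = {
    "google-analytics.com": "Google Analytics",
    "googletagmanager.com": "tag manager",
    "facebook.net": "Meta pixel",
    "facebook.com": "Meta pixel",
    "youtube.com": "YouTube embed",
}

def _entry(url, cookies=()):
    # Minimal HAR 1.2 entry shape: request.url and response.cookies[].name
    return {"request": {"url": url},
            "response": {"cookies": [{"name": c} for c in cookies]}}

# Constructed sample: what a capture taken before touching the banner might contain.
SAMPLE_HAR = {"log": {"entries": [
    _entry("https://www.shop.example/", ["session_id"]),
    _entry("https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"),
    _entry("https://www.google-analytics.com/g/collect?v=2"),
    _entry("https://www.facebook.com/tr?id=0&ev=PageView", ["example_tracking_id"]),
    _entry("https://fonts.cdn.example/body.woff2"),
]}}

def _under(host, domain):
    return host == domain or host.endswith("." + domain)

def pre_consent_findings(har, site_domain):
    """List (kind, host, detail) tuples for every request and cookie worth reviewing."""
    findings = []
    for entry in har["log"]["entries"]:
        host = (urlsplit(entry["request"]["url"]).hostname or "").lower()
        third_party = not _under(host, site_domain)
        label = next((n for s, n in KNOWN_TRACKERS.items() if _under(host, s)), None)
        if label:
            findings.append(("tracker-request", host, label))
        elif third_party:
            findings.append(("third-party-request", host, "unclassified"))
        # Only Set-Cookie headers show up here; cookies a script writes through
        # document.cookie do not, so the tracker request itself is the signal.
        for cookie in entry["response"].get("cookies", []):
            kind = "third-party-cookie" if third_party else "first-party-cookie"
            findings.append((kind, host, cookie["name"]))
    return findings

if __name__ == "__main__":
    for finding in pre_consent_findings(SAMPLE_HAR, "shop.example"):
        print(*finding, sep="\t")
```

A first-party cookie in the output is not automatically a problem; each finding still has to be weighed against the strictly necessary, statistical purposes and appearance exceptions described above.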

Common Questions

Does my small business website need a cookie banner?

If your site sets non-essential cookies, like analytics or advertising, then yes, you need consent before they load. Strictly necessary cookies and some basic analytics may be exempt, but you still have to inform visitors and let them opt out.

Will the ICO actually fine a small business for cookies?

It's unlikely to be the first thing they do. The ICO has historically focused on the largest sites and tends to send warning letters first. But the legal maximum is now £17.5 million, and "we didn't think anyone would check" is no longer much of a defence.

What counts as a tracking pixel?

A pixel is a tiny invisible image or script that loads from another company, like Meta or Google, to track what you do on a site. The ICO's guidance confirms pixels are treated the same as cookies under PECR, so they need consent too.

Do I need consent for Google Analytics?

Possibly not for the most basic aggregate version under the new statistical purposes exception, but most standard Google Analytics setups still collect data that goes beyond that. If in doubt, treat it as needing consent.

My web designer set this up years ago. Am I responsible?

Yes. The site owner is responsible for what the site loads, even if a developer or agency configured it. That's why it's worth checking what's actually running now.
