Cookie consent in the UK: ICO rules your website must follow
Steven | TrustYourWebsite · 3 May 2026
Cookie consent in the UK is governed by regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), reinforced by UK GDPR wherever the cookie activity involves processing personal data. The ICO has treated cookie compliance as a stated enforcement priority since November 2023, when it wrote to 53 of the top 100 UK websites warning them that their banners did not comply.
Here is what your website must do.
The core rule: consent before cookies
Under PECR regulation 6, you must obtain the user's prior consent before storing or accessing any information on their device that is not strictly necessary to provide the service they have specifically requested. "Consent" here carries the UK GDPR definition, so the GDPR consent standard applies to cookies even when no personal data is involved.
In practice: no tracking scripts, analytics cookies, advertising pixels, or social-media widgets should load until the visitor actively accepts them.
Strictly necessary cookies (no consent needed):
- Session cookies for login and shopping basket
- Security cookies (CSRF tokens, authentication)
- Load-balancing cookies
- The cookie that stores the visitor's consent preference
Everything else requires consent:
- Google Analytics, Google Tag Manager
- Facebook / Meta Pixel, TikTok Pixel
- LinkedIn Insight Tag
- Hotjar, Microsoft Clarity, FullStory
- Advertising and retargeting scripts
- Social-share buttons that set cookies
- Google Fonts loaded from Google's servers (sets no cookie, but sends the visitor's IP address to Google on every page load; the question there is a UK GDPR lawful basis rather than PECR consent, and self-hosting the font files removes it entirely)
ICO position on dark patterns
The ICO has been explicit: cookie banners that use design techniques to steer users towards accepting cookies are dark patterns that undermine valid consent.
The ICO considers these practices problematic:
| Practice | Why it's a dark pattern |
|---|---|
| Accept button is larger or more colourful than Reject | Creates visual pressure to accept |
| "Reject" requires 3-5 clicks; "Accept" requires 1 | Asymmetric effort undermines free choice |
| Checkboxes for optional cookies pre-ticked | Consent must be an active opt-in |
| "Manage Preferences" hidden in small print | Obscuring the reject path |
| Banner reappears repeatedly until user accepts | Harassment pattern |
| "We value your privacy" language before accept prompt | Misleading framing |
The ICO's approach aligns with EDPB Guidelines 03/2022 on deceptive design patterns in social media platform interfaces (the "dark patterns" guidelines), which the ICO has indicated it follows in substance even after Brexit.
The ICO enforcement mechanism: what it can do
This is important and often misunderstood:
Under PECR (cookie regime): The ICO can issue direct monetary penalty notices of up to £500,000 for serious breaches (the Data (Use and Access) Act 2025 raises this ceiling to UK GDPR levels once the relevant provisions are commenced). PECR is the older instrument and has its own enforcement track. The ICO has issued PECR fines regularly against companies running unsolicited marketing campaigns; cookie-specific PECR fines are rarer, but the legal basis exists.
Under UK GDPR (Data Protection Act 2018): Where cookie activity involves processing personal data (which analytics cookies do in practice, since the IP addresses and client identifiers they transmit are personal data), the ICO can apply UK GDPR enforcement powers. These include fines of up to £17.5 million or 4% of global annual turnover, whichever is higher.
In practice, the ICO has used the public reprimand as its dominant cookie enforcement tool. Reprimands are public, stay on the ICO's record, and are issued without going through the formal monetary-penalty process. The November 2023 top-100 letter campaign was a coordinated warning exercise: publicly announced, with a deadline attached, but short of formal reprimands or penalties.
What "prior consent" actually means
Consent under PECR and UK GDPR must be:
- Freely given: refusing cookies must be as easy as accepting them
- Specific: separate consent for analytics, marketing, functional cookies
- Informed: users must understand what they're consenting to
- Unambiguous: a clear affirmative action, not pre-ticked boxes or continued browsing
- Withdrawable: users must be able to change their mind at any time
A cookie banner that says "By continuing to use our website, you consent to cookies" does not meet the standard. The CJEU ruling in Planet49 (C-673/17) is still good law in the UK because it pre-dates the end of the Brexit transition; the ICO continues to cite it.
Common implementation failures for UK websites
Failure 1: Google Analytics loads on every page visit
The most frequent violation. GTM is installed and Google Analytics fires on page load, before any consent interaction. Fix: set every Google Consent Mode v2 signal to denied by default before any tag runs, send a granted update only after the visitor accepts, and do not load the tag script itself until then (Google's "basic" mode). In "advanced" mode gtag.js still loads and sends cookieless pings while denied, so on a strict PECR reading the script itself has to be gated.
Failure 2: Banner exists but doesn't block scripts
The banner appears, the user clicks "Reject", but tracking scripts load anyway. This happens when the CMP (consent management platform) is misconfigured or overridden by hard-coded analytics tags. Our scanner tests this specifically.
Failure 3: Cookie preferences not remembered
The banner reappears on every visit. Either the consent cookie isn't being set (often because the blocker is blocking it too, or it is set on the wrong path or domain), or it has a very short expiry. The consent record should persist for six to twelve months (the ICO has accepted twelve), after which the banner should ask again.
Failure 4: Free WordPress plugin with default settings
Many free cookie plugins default to compliance-light configurations: pre-ticked boxes, no "Reject All" button, or banners that don't actually block scripts. Check your specific plugin's documentation.
Our scanner tests whether your banner actually works
Most tools check whether a banner exists. We check whether it works by simulating a visitor clicking "Reject All" and then measuring what scripts and cookies are still active.
This is how the ICO investigates complaints: they test the actual behaviour, not just the presence of a banner.
Test your cookie banner for free →
How UK ICO cookie enforcement has evolved 2018 to 2026
2018-2020. Light-touch enforcement during the immediate post-GDPR period. Most ICO action was on data breaches, not cookies.
2019. ICO published Guidance on the use of cookies and similar technologies — its first detailed cookie position post-GDPR. The guidance set out the consent standard but enforcement remained quiet.
2021-2022. Reprimand-led approach. The ICO began naming non-compliant banners in cases that crossed its threshold but stayed away from monetary penalties for cookie banners specifically.
November 2023. The top-100 letter campaign. The ICO publicly wrote to 53 of the top 100 UK websites warning that their banners failed PECR. This was the moment ICO cookie enforcement crossed from theoretical to operational.
January 2024. Follow-up: 38 of the warned sites had become compliant; 4 more had committed to changes; the ICO publicly identified the rest.
2025. The Data (Use and Access) Act passed. It did amend PECR, but far more narrowly than press coverage based on the earlier (and abandoned) DPDI Bill suggested: it adds limited new exemptions from the consent requirement (for example low-risk statistical/analytics cookies, provided visitors are given clear information and a simple way to object) and aligns PECR's maximum penalty with UK GDPR's. These provisions commence by secondary legislation; until they are in force and the ICO's guidance catches up, the consent position described above is the operative one.
2026. Current ICO priorities include cookie banner dark patterns, consent-renewal cycles, and analytics-before-consent on SME sites. Banners that were acceptable in 2022 aren't acceptable in 2026.
Where the ICO differs from EU regulators
The ICO doesn't operate in a vacuum. The EDPB coordinates EU DPAs and publishes common guidelines. The ICO takes its own positions but has historically aligned with EDPB on cookies.
Analytics cookies. The Belgian APD treats Google Analytics as non-essential and requires consent without exception. The French CNIL allows first-party analytics under strict conditions. The ICO sits closer to the APD position: analytics cookies require consent.
Cookie walls. The CNIL accepts them case by case since the Conseil d'État ruling of 19 June 2020. The APD prohibits them. The ICO's position is that cookie walls fail PECR's "freely given" test where the visitor has no realistic alternative. In practice the ICO has not issued a formal cookie-wall sanction but the position is closer to the APD than to the CNIL.
Consent renewal. The CNIL recommends six months. The APD prefers six months. The ICO has historically accepted up to twelve months. This is one of the few places the UK regime is genuinely more permissive.
Cross-device tracking. All regulators agree it needs consent. Divergence is in the expected user interface, not the rule.
For a UK site targeting only the UK, follow ICO guidance. For a UK site targeting the EU, configure for the strictest of the ICO, CNIL and APD positions — that's almost always the APD position today.
Four mistakes UK SMEs keep making
After several hundred scans on UK business sites these four issues appear in roughly 80% of audits.
Analytics before consent. Google Analytics, Plausible or Matomo is loaded in the <head> and fires on every page view regardless of the cookie banner state. The fix is loading the script only after the consent event. Most CMPs support this. Home-grown banners often don't.
"Accept all" but no "Reject all" at level one. The user sees Accept in a bright button. The alternatives are Manage or Settings in a muted link. The ICO position is that reject must be as easy as accept. If reject requires a second click, it isn't.
Pre-ticked boxes in the settings panel. The main banner has Accept and Manage. The user clicks Manage. The panel shows four categories all pre-toggled to on. Pre-ticked has been unambiguously prohibited since the Planet49 ruling and has no place on any UK site in 2026.
No proof of consent. The site stores a cookie called cookie_consent=accepted with a date. That's a preference record, not a proof. If the ICO asks how you know user X consented on 12 March 2025, you need a timestamped log with the banner version shown, the choices offered and the user's selection. Most CMPs do this automatically; check that yours records the banner version and not just the outcome.
The free scan catches all four in one pass. For manual testing, use a fresh browser profile or private window so an earlier consent choice isn't replayed, open the devtools Network tab with "Preserve log" enabled, reload the page, and watch what fires before you click anything. If third-party requests to Google Analytics, Meta or similar domains appear before consent, you have problem number one. Then click "Reject all" and check the Application/Storage tab for third-party cookies that were set anyway: that is problem two.
Sources
- Privacy and Electronic Communications Regulations 2003 (legislation.gov.uk)
- ICO, Guidance on the use of cookies and similar technologies
- ICO, news on top-100 letter campaign (November 2023)
- EDPB Guidelines 03/2022 on dark patterns
This is technical analysis, not legal advice.