Do I Need a Cookie Banner on My UK Website?
Steven | TrustYourWebsite · 3 May 2026 · Last updated: May 2026
If you run a website for your London restaurant, Manchester shop, or UK e-commerce store, you've probably seen those cookie banners pop up everywhere and wondered if you actually need one too. The short answer: yes, you almost certainly do. The Information Commissioner's Office (ICO) has been clear about its expectations, and the rules are tighter than most UK SME owners realise.
What UK Law Actually Says
The UK doesn't just follow EU rules loosely. It has its own ePrivacy law that sits on top of UK GDPR. The Privacy and Electronic Communications Regulations 2003 (PECR) transpose the EU ePrivacy Directive into UK law and survived Brexit unchanged. PECR Regulation 6 is the one that matters: you must get the user's prior informed consent before storing or accessing information on their device using cookies or similar technology.
That's why you see the banners. The ICO enforces this, and post-2023 it has been visibly more active than in earlier years.
To check whether your site loads tracking scripts before consent is given, run a free technical scan at /uk/en/scan.
Why the ICO Is Serious About Cookies
In November 2023 the ICO publicly wrote to 53 of the top 100 UK websites warning that their cookie banners failed PECR. By January 2024 the ICO reported that 38 of those sites had become compliant, 4 more had committed to changes, and the ICO named the organisations that had done nothing.
The ICO's Deputy Commissioner Stephen Bonner has stated publicly that a site without a clear reject option is "breaking the law". That's about as direct as a UK regulator gets.
For SMEs the largest fines look distant. The highest penalties went to British Airways (£20 million) and Marriott (£18.4 million), but ICO enforcement against smaller businesses is steady. The dominant SME exposure is not a record-breaking fine. It is a complaint that lands at the ICO and triggers a public reprimand, plus the operational cost of responding to a formal investigation.
If your site is hosted in the UK, targets UK customers, or you're a UK-registered business, you're in the ICO's jurisdiction.
Which Cookies Need Consent and Which Don't
Not every cookie is the same. This is where most small-business owners get confused.
Functional cookies don't need consent. These keep your website working:
- Shopping cart cookies
- Session cookies (so users stay logged in)
- Cookie consent preference cookies (remembering "no" to tracking)
- Basic security cookies (CSRF tokens)
You can use these without asking. Just mention them in your privacy policy.
Tracking and analytics cookies do need consent. These include:
- Google Analytics
- Facebook / Meta Pixel
- TikTok Pixel, LinkedIn Insight Tag
- Hotjar, Microsoft Clarity, FullStory
- Advertising and retargeting cookies
- Any cookie that tracks user behaviour across sites
If you run Google Analytics on your website, you need explicit consent before the script loads. Same for Facebook Pixel if you run ads. PECR Regulation 6 is clear: "prior consent" means before the tracking happens, not after.
The Data (Use and Access) Act 2025 didn't change this. The earlier Data Protection and Digital Information Bill, which collapsed in 2024, had floated an analytics exemption. That exemption never became law.
Common UK Business Scenarios
Google Analytics on Your SME Site
You own a small hotel, retail shop, or service business in the UK. You've added Google Analytics to see traffic. Under PECR you need a cookie banner that:
- Clearly explains what Google Analytics does
- Lets visitors choose to accept or reject equally easily
- Only loads the analytics script if they say yes
Simply having a privacy policy that mentions Google Analytics isn't enough. That's a common mistake.
Facebook Pixel on Your Shopify Store
You're selling products online and using Facebook Pixel to retarget visitors with ads. The Pixel drops a cookie to track behaviour. This needs consent under PECR. Your banner must give people a real choice, not pre-ticked boxes or an "accept all" button with a buried "reject" link.
Local Business Website With No Tracking
If your website genuinely has no cookies except functional ones (no analytics, no ads, no retargeting), you may not need a banner at all. But you still need to mention your cookie use in your privacy policy. Most UK SME sites use at least Google Analytics, so a banner is the safer assumption.
What Your Cookie Banner Actually Needs to Do
The ICO expects cookie banners to be honest and give a real choice.
The banner must:
- Tell people what's happening before it happens (not after)
- List each cookie purpose clearly (e.g. "Analytics," "Advertising," "Marketing")
- Let people reject non-essential cookies as easily as accepting them, with the same number of clicks and same visual prominence
- Never use pre-ticked boxes for non-essential cookies
- Never hide the reject button or make it harder to find
- Respect people's choices and not nag them again if they've declined
The ICO's November 2023 letter campaign focused specifically on banners that buried the "reject all" button or required multiple clicks to say no while "accept all" was one click. That's the dark pattern the ICO has named.
What You Need Right Now
Here's what to actually do to stay compliant with UK law:
Step 1: Audit your cookies
List every tracking script on your site:
- Google Analytics, Google Tag Manager
- Facebook Pixel, TikTok Pixel, or other ad pixels
- Chatbots that drop cookies (Intercom, Drift, Tawk.to)
- Hotjar, Microsoft Clarity, or other session-recording tools
- Email-capture forms that use tracking
Step 2: Separate essential from non-essential
Functional cookies (cart, session, security) don't need consent in the banner. Tracking cookies do, and they must not load until someone agrees.
Step 3: Choose a compliant cookie banner tool
Use a tool built for UK GDPR and PECR, such as:
- CookieYes (UK-based)
- Cookiebot
- Termly
- OneTrust
- Iubenda
These tools handle script blocking correctly. Avoid free or DIY solutions that don't properly defer script loading.
Step 4: Write a clear privacy policy
Your privacy policy must explain:
- What cookies you use and why
- How long they stay on the device
- Who you share data with (e.g. Google for Analytics)
- People's rights to withdraw consent at any time
- The right to lodge a complaint with the ICO
Your cookie banner should link directly to it.
Step 5: Test your banner
Make sure:
- The reject button actually stops tracking cookies from loading
- The accept/reject choices are equally visible and easy to find
- Your analytics and pixels don't fire until consent is given
Test this using browser developer tools (F12 → Network tab). Tracking scripts should not appear before the visitor has clicked anything.
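As an added example (not code from TrustYourWebsite or from any of the banner tools listed above), here is a minimal consent-gated loader in JavaScript that covers Steps 2 and 5 together with the banner requirements listed earlier: non-essential scripts ship inert and are only made executable for categories the visitor has opted in to, nothing loads when no choice has been recorded, and the choice (including "reject all") is kept in a functional cookie so the banner does not nag. The cookie name, the category names and the data-consent attribute are assumptions for the example.

```javascript
// Added example (not TrustYourWebsite's code): consent-gated loading of tracking scripts.
// Assumed conventions: non-essential scripts are written into the page as
//   <script type="text/plain" data-consent="analytics" src="..."></script>
// and the visitor's choice lives in a functional cookie named "cookie_consent".
const CONSENT_COOKIE = "cookie_consent";
const CATEGORIES = ["analytics", "advertising", "marketing"];

// Read the stored choice from a document.cookie / Cookie header string.
// Missing or malformed => null, which the loader treats as "nothing agreed".
function parseConsent(cookieString) {
  const part = (cookieString || "").split(/;\s*/).find(c => c.startsWith(CONSENT_COOKIE + "="));
  if (!part) return null;
  try {
    const saved = JSON.parse(decodeURIComponent(part.slice(CONSENT_COOKIE.length + 1)));
    const consent = {};
    for (const cat of CATEGORIES) consent[cat] = saved[cat] === true; // anything else = no
    return consent;
  } catch (_) {
    return null;
  }
}

// Default deny: with no recorded choice, no non-essential category may load.
function allowedCategories(consent) {
  return consent ? CATEGORIES.filter(cat => consent[cat]) : [];
}

// Serialise the banner choice. "Reject all" is recorded too, so the banner is not
// shown again on every page view (the ICO's "don't nag" expectation).
function consentCookieValue(choice, maxAgeSeconds = 180 * 24 * 3600) {
  const saved = {};
  for (const cat of CATEGORIES) saved[cat] = choice[cat] === true;
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(saved))}` +
    `; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// Browser side: turn inert scripts into live ones, but only for allowed categories.
// Returns how many scripts were activated (0 when nothing is allowed or there is no DOM).
function activateScripts(consent, doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return 0;
  const allowed = new Set(allowedCategories(consent));
  let activated = 0;
  for (const inert of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!allowed.has(inert.dataset.consent)) continue;
    const live = doc.createElement("script");
    if (inert.src) live.src = inert.src; else live.textContent = inert.textContent;
    inert.replaceWith(live); // inserting a fresh <script> element is what executes it
    activated++;
  }
  return activated;
}
// Page wiring: on load call activateScripts(parseConsent(document.cookie)); on a banner click
// set document.cookie = consentCookieValue(choice) and then call activateScripts again.
```

With this layout the Network tab check in Step 5 should show no analytics or pixel requests until a category has been accepted, and a stored "reject all" keeps them absent on later visits.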
The Practical Bottom Line
If you're running a business website in the UK with any kind of tracking, you need a cookie banner that actually works. Most UK business sites use at least one tracking tool. The ICO's track record post-2023 shows it enforces this, and the 2024 follow-up to the top-100 letter campaign proved the regulator means it.
The investment in a proper cookie banner tool (typically £8-25/month) is far cheaper than the operational cost of an ICO investigation or public reprimand. Your UK visitors expect it, they see it on every major site, and a banner that works properly builds trust rather than creating friction.
Get the audit done this week, pick a tool next week, and you're compliant.
What Happens When the ICO Investigates Cookie Non-Compliance
Most ICO cookie investigations start with a data subject complaint. Someone visits your site, notices that Google Analytics or a Facebook Pixel fires before they've clicked anything on the banner, and files a complaint at ico.org.uk/concerns. The ICO then sends your business an information notice, typically with a 30-day response deadline.
For a first-time complaint about an SME site, the likely outcome if you co-operate promptly and fix the problem is a reprimand, a formal written statement that you breached PECR, published publicly on the ICO's enforcement page. No fine, but your company name appears on a regulator's enforcement record.
Where fines do follow, they have typically come after repeated non-compliance, wilful non-engagement with the ICO, or where the cookie activity was part of a broader pattern of data-protection failings. The Sky Betting and Gaming undertaking (2024) involved a range of cookie-related issues beyond a missing banner. The pattern is: businesses that engage promptly and fix the issue fare far better than those that dispute or ignore.
If you receive an ICO letter about cookies, respond within the deadline, fix the banner before or during your response, and document what you changed. That approach resolves the majority of SME cookie complaints without a fine. For more on how ICO investigations work, see ICO investigation process explained.
Sources
- Privacy and Electronic Communications Regulations 2003 (legislation.gov.uk)
- ICO, Guidance on the use of cookies and similar technologies
- ICO November 2023 letter campaign: top 100 UK websites
- EDPB Guidelines 03/2022 on dark patterns
This is technical analysis, not legal advice.