PECR Cookie Rules in the UK: What the ICO Actually Enforces

Steven | TrustYourWebsite · 4 May 2026 · Last updated: May 2026

Cookie law in the UK predates GDPR by 12 years. The Privacy and Electronic Communications Regulations 2003 (PECR), specifically Regulation 6, is what requires UK websites to obtain consent before setting non-essential cookies. UK GDPR then applies to how the personal data those cookies collect is processed. Both sit under the same regulator, the ICO, which can enforce them simultaneously.

The distinction matters for two reasons. First, PECR has its own fine ceiling of £500,000, separate from UK GDPR's £17.5 million ceiling. Second, the ICO's actual enforcement record on cookies has been almost entirely under PECR, not UK GDPR directly. Understanding which statute applies to which failure shapes how you structure your legal defence if the ICO comes calling.

To check whether your site currently loads tracking scripts before consent is given, run a free technical scan: it tests the actual browser request sequence, not just whether a banner is visible.

PECR vs UK GDPR: same regulator, different statutes

The UK has two parallel legal instruments governing cookies and they work differently.

PECR Regulation 6 creates the specific consent requirement for placing cookies (and other technologies that store or access information on a user's device). It comes from the UK's transposition of the EU's ePrivacy Directive 2002/58/EC. The key test is whether the cookie is "strictly necessary" for the service the user has explicitly requested. If not, prior consent is required.

UK GDPR then applies to the personal data those cookies collect and transmit. An analytics cookie that sends IP address and device fingerprint data to Google is processing personal data. The lawful basis for that processing (in most cases, consent) must satisfy UK GDPR's validity requirements: the consent must be specific, informed, freely given and unambiguous.

In practice this means a typical analytics setup has two compliance layers: PECR requires consent before the cookie is set and UK GDPR requires that the consent obtained is valid for the purposes of processing the data that follows.

The ICO can take action under either statute. For website cookie failures, it typically acts under PECR for the consent capture mechanism and under UK GDPR if the underlying data processing activities involve additional breaches (inadequate retention periods, no data processor agreements, etc.).

The ICO's enforcement record on cookies

The ICO's most significant cookie-enforcement action to date was not a fine; it was the November 2023 letter campaign. The ICO wrote to 53 of the UK's top 100 websites requiring them to bring their cookie banners into compliance with PECR and UK GDPR. The letter named specific banner patterns the ICO considered non-compliant and set a deadline for organisations to confirm they had made changes.

This approach, public identification combined with a compliance deadline rather than an immediate fine, reflects the ICO's general stance on cookies for large commercial websites. For SMBs, the process typically starts with a data subject complaint about a specific site and an ICO information notice rather than a sector-wide sweep.

Where the ICO has issued cookie-related fines, they have come through the PECR route and have mostly targeted organisations running unsolicited direct-marketing campaigns, not businesses with merely incomplete banners. Cookie-banner non-compliance on commercial sites has generally resulted in reprimands and required changes rather than fines.

This should not be read as the ICO being permissive. The November 2023 campaign, and the ICO's subsequent monitoring of the organisations named in it, made clear that persistent non-compliance after an explicit warning would result in enforcement action. The ICO has indicated it will increase its cookie-enforcement activity from 2025 onward.

What Regulation 6 actually requires

PECR Regulation 6 prohibits storing or accessing information on a user's device unless that user has first been given full, clear information about the purpose and has actively consented. The statute requires the information to be complete enough that the user genuinely understands what they are agreeing to, not just a vague notice that cookies exist.

The ICO interprets this to mean:

Consent must be prior. Cookies cannot load before the user has made a choice. A banner that appears after scripts have already fired does not comply, even if the user is subsequently asked to accept or reject.

Consent must be a genuine choice. Reject must be as easy as accept. This means equal visual prominence, equal number of clicks and no dark patterns that nudge users towards acceptance. A large green "Accept all" button alongside a small grey "Manage preferences" link requiring three further clicks does not meet this standard.

No pre-ticked boxes. The user must actively indicate agreement. Opt-out mechanisms (where cookies are set by default and the user has to uncheck a box to stop them) do not satisfy PECR. The House of Lords judgment in Linguaphone Institute v Data Protection Registrar [1995] (pre-dating PECR but relevant to consent standards) and the CJEU ruling in Planet49 GmbH v Bundesverband der Verbraucherzentralen und Verbraucherverbände [2019] Case C-673/17 both support this interpretation, though the latter is an EU case and technically advisory in UK courts post-Brexit.

Consent must be informed. The user must know what they're consenting to before they consent. A banner that says only "We use cookies" with an accept button doesn't satisfy this; the categories of cookie and their purposes must be described.

Withdrawal must be as easy as consent. Users who initially accept cookies must be able to revoke that acceptance easily. A link in the privacy policy footer that opens a consent management panel satisfies this in most implementations, as long as the revocation actually stops the scripts from loading.

Strictly necessary cookies

Strictly necessary cookies are exempt from the consent requirement in PECR Regulation 6. The ICO's guidance on what qualifies is narrow.

Session cookies that keep a user logged in or maintain a shopping basket while they browse are strictly necessary. CSRF tokens and other security cookies that protect the integrity of form submissions qualify. The cookie that records whether the user has accepted or rejected cookies is itself strictly necessary.

Analytics, advertising, A/B testing, heatmapping, personalisation, social-media tracking, affiliate tracking and performance-monitoring cookies are not strictly necessary. They improve the service or support the business model, but they are not required to deliver the service the user asked for. All of these require consent.

Google Analytics 4, Hotjar, Meta Pixel, Microsoft Clarity, LinkedIn Insight Tag, Stripe's fraud-detection script (if loading before checkout) and most CDN-embedded scripts from third parties fall outside the strictly necessary carve-out.

The Data (Use and Access) Act 2025 and what it didn't change

The Data (Use and Access) Act 2025 generated significant speculation that cookie consent requirements in the UK might be relaxed. They weren't.

Earlier versions of the legislation, the Data Protection and Digital Information (No.2) Bill, which lapsed at the 2024 general election, had proposed a "recognised legitimate interest" for analytics that would have removed the consent requirement for web analytics tools. That provision did not make it into the Data (Use and Access) Act.

The Act's provisions relevant to cookies are modest: it clarified that "subscriber" in PECR includes businesses as well as individuals (relevant for B2B contexts) and it made minor changes to the enforcement regime. The core rule, prior consent for non-essential cookies, is unchanged.

ICO guidance published alongside the Act's passage confirmed that websites should continue to operate cookie banners on the basis of the existing PECR requirements until further notice.

Setting up a compliant banner

A PECR-compliant banner has a few non-negotiable components. The ICO publishes detailed guidance on cookies and similar technologies at ico.org.uk. That document is the definitive reference for any implementation question not covered here.

It appears before any non-essential scripts load. This requires a consent management platform (CMP) that blocks scripts at the technical level, not one that merely hides a banner visually. Many low-cost cookie plugins display a banner but don't actually gate script execution. To verify this for your own site, open your browser's Network tab and reload the page without clicking anything: any analytics or advertising requests that appear before you have made a choice are being loaded without consent.

It has clearly labelled Accept and Reject options on the first layer. Both should be immediately visible without scrolling. The ICO has been explicit that layered consent flows where rejection requires multiple clicks are non-compliant.

It describes what is being consented to. Cookie categories (analytics, advertising, functional) and their general purposes must be visible at the first layer or immediately accessible.

It allows withdrawal. A footer link to a consent preferences panel, visible on every page, is the standard approach. The panel must allow the user to change a previous acceptance to a rejection, and that change must take effect immediately for any scripts that haven't yet loaded.

It stores consent records. You should be able to demonstrate, for any given user, when they consented, what they consented to and through which mechanism. Most commercial CMPs handle this automatically.
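As an added example that is not part of the original post (and not any CMP's code), the following JavaScript sketches the gating and record-keeping logic the components above call for: nothing non-essential runs before a choice, accept and reject are symmetric, withdrawal is recorded and stops further loads, and every decision carries a timestamp and mechanism. The inert-script declaration, the `activate` callback and the script list are assumptions.

```javascript
// Added example, not code from the original post or from any CMP product:
// a minimal consent gate. It assumes the page declares non-essential scripts
// inert, e.g. <script type="text/plain" data-consent="analytics" src="..."></script>,
// and calls gate.apply(declaredScripts) after every consent change.
const CATEGORIES = ["analytics", "advertising", "functional"];

// The consent record: what was allowed, when, and through which mechanism,
// so the choice can be demonstrated later for any given user.
function makeRecord(allowed, mechanism, now = Date.now()) {
  const unknown = allowed.filter((c) => !CATEGORIES.includes(c));
  if (unknown.length) throw new Error("unknown category: " + unknown.join(","));
  return { allowed: [...new Set(allowed)], mechanism, timestamp: now };
}

class ConsentGate {
  // `activate` performs the real side effect (in a browser: clone the inert tag
  // with type="text/javascript"). It is injected so the gating logic is testable.
  constructor(activate) {
    this.activate = activate;
    this.record = null; // null = no choice made yet: nothing non-essential runs
    this.loaded = new Set();
  }
  // Strictly necessary scripts are exempt; every other category needs a prior allow.
  allowed(category) {
    if (category === "necessary") return true;
    return this.record !== null && this.record.allowed.includes(category);
  }
  // Activate each declared script whose category is currently allowed. A script
  // already running cannot be unloaded, so withdrawal only stops future loads.
  apply(scripts) {
    const started = [];
    for (const s of scripts) {
      if (this.loaded.has(s.id) || !this.allowed(s.category)) continue;
      this.activate(s);
      this.loaded.add(s.id);
      started.push(s.id);
    }
    return started;
  }
  // Accept and reject are symmetric: one call each, and neither is a default.
  acceptAll(mechanism = "banner-accept") { return this.set(CATEGORIES, mechanism); }
  rejectAll(mechanism = "banner-reject") { return this.set([], mechanism); }
  choose(allowed, mechanism = "preferences-panel") { return this.set(allowed, mechanism); }
  withdraw() { return this.set([], "withdrawal"); } // just another record
  set(allowed, mechanism) {
    this.record = makeRecord(allowed, mechanism);
    return this.record;
  }
}
```

In a real deployment the record would also be persisted (the cookie that stores it is itself strictly necessary) and `apply` re-run on every page load.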

For a comparison with how France's CNIL enforces identical requirements for EU-based websites, see our EU GDPR compliance checklist.


This is technical analysis, not legal advice. Consult a solicitor for specific guidance on PECR compliance.
