Most businesses reach for GDPR when they think about cookie consent. The law that actually governs cookies in the UK is different: it is the Privacy and Electronic Communications Regulations 2003, or PECR. The consent standard under PECR is more specific than most cookie banners actually deliver.

PECR, not GDPR, governs cookies

PECR was originally transposed from an EU directive, but it survives in UK law as a standalone instrument. Following Brexit, the UK amended PECR so that the consent standard now aligns with UK GDPR rather than the older, weaker standard that preceded it. In practice this means the bar for valid consent is the same — freely given, specific, informed, unambiguous — but PECR Regulation 6 is the operative provision, not the GDPR.

The ICO enforces PECR separately from UK GDPR, and the two penalty regimes are separate. A cookie-consent failure can attract a PECR fine of up to £500,000 and a further UK GDPR fine of up to £17.5 million if the underlying data processing also breached UK GDPR.

Which cookies require consent

Regulation 6 of PECR requires consent before storing information on a device, or accessing information already stored, unless the cookie is strictly necessary for a service the user has explicitly requested.

| Cookie type | Consent required? | Notes |
| --- | --- | --- |
| Session / authentication cookies | No | Strictly necessary — keeps the user logged in during a session |
| Load balancer cookies | No | Strictly necessary — routes requests to the right server |
| Shopping basket / cart cookies | No | Strictly necessary for an e-commerce service to function |
| Analytics cookies (Google Analytics, Plausible with cookies) | Yes | Not strictly necessary; benefit is to the website operator, not the user |
| Advertising / retargeting cookies | Yes | Must be listed individually or by verified category |
| Personalisation cookies | Yes | Strictly necessary only if the user explicitly chose personalisation |
| Social media tracking pixels | Yes | Fires cross-site tracking; consent required before loading |

What valid consent looks like under PECR

The ICO's guidance is direct: consent must be a positive opt-in. Pre-ticked boxes are invalid. "Continuing to use this site means you accept cookies" banners are invalid. A banner where the "Accept" button is prominently green and the "Reject" option is buried or absent is unlikely to satisfy the freely-given requirement.

The ICO also requires that cookies are named or adequately described in your consent mechanism. Saying "we use analytics cookies" without identifying which tool — or at minimum which category — does not meet the specificity requirement.

Consent must be as easy to withdraw as to give. If accepting all cookies takes one click, refusing or withdrawing consent cannot require navigating to a settings page buried in the footer. The ICO has been explicit on this in its enforcement guidance.

Where most sites fail in practice

Google Analytics loads before consent

This is the most common failure. The Google Analytics tag fires on page load — before the user has seen or interacted with the consent banner. GA sets cookies on the device without consent, which is a PECR breach on every page view. A tag manager solution that gates analytics behind a consent event fixes this, but it requires deliberate configuration.

Consent stored in a short-lived cookie

If the cookie that records a user's consent choice expires within a few days, the consent request reappears frequently. This is both poor user experience and an indicator that consent records are not being maintained properly. Industry practice, informed by EDPB guidelines, treats 12 months as a reasonable interval before seeking fresh consent — though no fixed statutory period is prescribed by the ICO.

No mechanism to change a prior consent decision

Once a user has accepted all cookies, they must be able to change that decision without clearing their browser cache. A persistent "cookie preferences" link in your footer, accessible at any time, is the standard approach.
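The three failures above (tracking loaded before consent, consent that expires too soon, and no way to revisit a decision) come down to one piece of front-end logic. The following is an added example, not code from the original page or from GDPR Radar: a consent-gated script loader in plain browser JavaScript. The cookie name `site_consent`, the category names, the script registry and its URLs are all constructed for illustration; the 12-month re-consent interval follows the industry practice the text mentions, not a statutory figure.

```javascript
// Added example (not code from the original page or from GDPR Radar).
// Consent-gated loader: non-essential scripts are injected only after a
// positive opt-in, the decision is stored for ~12 months, and a withdrawal
// path is always available. Names and URLs below are constructed.

const CONSENT_COOKIE = "site_consent";              // assumed cookie name
const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000;   // ~12 months before re-asking
const CATEGORIES = ["analytics", "advertising", "personalisation"];

// Constructed registry of consent-requiring scripts. Strictly necessary
// scripts (auth, load balancing, basket) are not listed: they need no gate.
const SCRIPT_REGISTRY = [
  { category: "analytics",   src: "https://analytics.example/collect.js" },
  { category: "advertising", src: "https://ads.example/retarget.js" },
];

// Parse a stored consent record. Returns null when there is no record, it is
// malformed, or it is older than CONSENT_TTL_MS; in every such case the banner
// must be shown again and nothing non-essential may load in the meantime.
function parseConsent(raw, now = Date.now()) {
  if (typeof raw !== "string" || raw === "") return null;
  let rec;
  try { rec = JSON.parse(raw); } catch (e) { return null; }
  if (!rec || typeof rec !== "object" || typeof rec.ts !== "number") return null;
  if (rec.ts > now || now - rec.ts > CONSENT_TTL_MS) return null;
  const choices = {};
  for (const c of CATEGORIES) {
    // Anything not explicitly `true` counts as refused: no pre-ticked boxes.
    choices[c] = rec.choices != null && rec.choices[c] === true;
  }
  return { ts: rec.ts, choices };
}

// Serialise a decision with a fresh timestamp. Only explicit `true` per
// category is recorded as an opt-in.
function serialiseConsent(choices, now = Date.now()) {
  const record = { ts: now, choices: {} };
  for (const c of CATEGORIES) {
    record.choices[c] = choices != null && choices[c] === true;
  }
  return JSON.stringify(record);
}

// The gate itself: given a parsed record (or null), return the script URLs
// that may be injected. With no valid record, nothing loads.
function scriptsToLoad(consent, registry = SCRIPT_REGISTRY) {
  if (!consent) return [];
  return registry
    .filter(s => consent.choices[s.category] === true)
    .map(s => s.src);
}

// Withdrawal: every category refused, recorded with a new timestamp so the
// refusal is kept for the same period as an acceptance would be.
function withdrawConsent(now = Date.now()) {
  return serialiseConsent({}, now);
}

// ---- Browser glue (only touches `document` when called in a page) ----
function readConsentCookie() {
  const prefix = CONSENT_COOKIE + "=";
  const part = document.cookie.split("; ").find(p => p.startsWith(prefix));
  return part ? decodeURIComponent(part.slice(prefix.length)) : null;
}

function writeConsentCookie(value) {
  // Max-Age matches CONSENT_TTL_MS so the record outlives a few-day expiry.
  // `Secure` requires HTTPS; drop it only on a plain-http dev server.
  const maxAge = Math.floor(CONSENT_TTL_MS / 1000);
  document.cookie = `${CONSENT_COOKIE}=${encodeURIComponent(value)}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

function injectScript(src) {
  const el = document.createElement("script");
  el.src = src;
  el.async = true;
  document.head.appendChild(el);
}

// Run on page load. `onNeedConsent` is an assumed callback that renders the
// banner (with Reject as prominent as Accept). Returns the URLs injected.
function applyStoredConsent(onNeedConsent) {
  const consent = parseConsent(readConsentCookie());
  if (!consent) { onNeedConsent(); return []; }
  const urls = scriptsToLoad(consent);
  urls.forEach(injectScript);
  return urls;
}

// Wire this to the banner's buttons and to the footer "cookie preferences"
// link. Scripts already running cannot be unloaded in place, so after a change
// the page is reloaded; the vendors' own cookies must be cleared separately.
function savePreferences(choices) {
  writeConsentCookie(serialiseConsent(choices));
  window.location.reload();
}
```

The design choice worth noting is that `parseConsent` is the single point of truth: a missing, malformed, future-dated or stale record all collapse to `null`, and `null` means "load nothing and ask". Defaulting every category to refused unless it is exactly `true` keeps a corrupted or hand-edited cookie from silently granting consent.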

PECR fines: separate from UK GDPR

The ICO can issue fines up to £500,000 under PECR. This is a separate regime from the UK GDPR maximum of £17.5 million. In serious cases — particularly where unlawful cookie tracking has fed large-scale advertising profiling — the ICO can pursue both simultaneously. The Clearview AI case — in which the ICO fined the company for large-scale biometric facial recognition data scraping without a lawful basis — demonstrated how far the ICO is prepared to go; that case concerned mass data collection, not a cookie consent failure. In practice, the ICO applies the most relevant penalty regime to a given set of facts — dual fines on the same conduct for a typical website are theoretical rather than routine.

Does your cookie consent pass the PECR test?

GDPR Radar checks whether your site loads tracking scripts before consent is given, validates your opt-in mechanism, and flags missing cookie categories — all in under 60 seconds.

Check whether your site's cookie consent passes the PECR test →