Data Protection Network

Quick Guide to the UK ‘Cookie’ Rules

Requirements when using ‘storage and access technologies’

I can’t write this guide without getting one point straight from the start: despite nearly every mainstream media commentator exclaiming about ‘GDPR and cookies’, the rules for ‘storage and access technologies’ are set out in the Privacy and Electronic Communications Regulations (PECR), not UK GDPR. UK GDPR plays a part, but first and foremost we need to consider PECR.

Why am I saying storage and access technologies? Until recently we’d always bandied about the terms cookie rules, cookie law and cookie guidance, with the understanding that these equally applied to similar technologies. However, the ICO has dropped this terminology in favour of the term ‘storage and access technologies’. Technically a better description, just not as catchy.

PECR (2003) implements the EU ePrivacy Directive (2002/58/EC), which was amended in 2009 with the so-called ‘cookie law’. Many EU countries have their own rules based on this Directive, and there are some differences in local interpretation of the Directive across Europe. This guide focuses on UK law and ICO guidance, but if your site attracts users from Europe or other regions you’ll need to bear in mind the relevant laws in those jurisdictions too.

The rules

In a nutshell; unless an exception applies, PECR requires valid consent for any technology which stores information, or accesses information stored on, the terminal equipment of any subscriber or user. It also requires clear and comprehensive information to be provided about your purposes for using such technologies.

Let’s break this down…

Any technology? The rules apply to more than just cookies, extending to tracking pixels, web beacons, plug-ins, link decoration and navigational tracking, web storage, fingerprinting techniques, scripts and tags, and more.

Terminal equipment? This can be a desktop or mobile device, but also connected devices such as smart TVs, wearable fitness trackers, smart speakers, connected vehicles and so on.

Subscriber or user? A ‘subscriber’ is the person named on the bill for the internet connection (or telephone line). A ‘user’ is the person using a device to access the service. While these might often be the same person, this is not always true. I pay for the broadband in my house (a subscriber and user) but my son is also a user.

In simple terms, if I’m browsing a website on my tablet and that website drops information onto my tablet, or accesses information stored on my device, the rules will apply. The rules apply regardless of whether you’re processing personal data or not. If personal data is involved, you’ll need to comply with PECR first and then consider relevant UK GDPR requirements.

The five exceptions

You may have spotted I used the words ‘unless an exception applies’. While most storage and access technologies require consent, there are some exceptions. Until February this year there was only one, the strictly necessary exception, but PECR has recently been updated to include four more.

1. Strictly necessary exception: this applies when a service can’t technically be provided without certain storage and access technologies being used. The ICO gives the following examples:

ensuring the security of terminal equipment;
preventing or detecting fraud;
preventing or detecting technical faults;
authenticating the subscriber or user; and
recording information or selections the user makes on an online service.

2. Communication exception: this may apply when the sole purpose is for the transmission of a communication over an electronic communications network. This only applies where this would be impossible without the use of particular storage and access technologies.

3. Statistical purposes exception*: this may apply when the sole purpose of the storage and access technology is to collect statistical information about visitors with a view to improving your service.

This exception applies if you’re an Information Society Services (ISS) provider and could be used to gather information about how many people access your service, what they access, and how long they access it for. The application of this exception in practice is rather limited, as it must be about how your service is used and not about gaining analytics on the people who use it. It can’t be used for identifying, tracking or monitoring people.

The ICO says it can apply to third-party analytics services, but with a big caveat; “you must ensure that the third party only assists you in achieving your purpose”.

If relying on this exception you could be asked to demonstrate that an analytics provider is only acting on your behalf, in other words acting as a processor, not a joint or separate controller. This essentially means the exception will not apply where data is shared with a third-party analytics provider who then uses that data for their own purposes, such as Google Analytics.

4. Appearance exception*: this may apply where the sole purpose of particular storage and access technologies is to improve or adapt the appearance or functionality of your service in line with subscriber/user’s preferences.

The ICO says this exception would apply to remembering the language a user/subscriber selects (e.g. on a multilingual website) but would not apply to changing the content you display to a user/subscriber based on known or inferred interests or behaviours about them.

*Important note: With both the statistical purposes and appearance exceptions, it’s still legally necessary to provide clear and comprehensive information and provide people with an easy way to object to these uses.

5. Emergency assistance exception: this would apply when the sole purpose of storage and access technologies is to identify the location of a subscriber/user who requires emergency assistance. For this to apply you must first receive a communication from the subscriber/user requesting emergency assistance or receive another indication they need emergency assistance.

Valid consent

The UK GDPR definition of consent applies under PECR, so where an exception is not being relied upon, consent must be a freely given, specific, informed and unambiguous indication of the user’s or subscriber’s wishes, given by a clear affirmative action.

The ICO says this means we must make sure:

consent is given by a clear and positive action (not inaction or default set to on)
subscribers/users are told what storage and access technologies you want to use, what these do, and what purposes they will be used for before people give their consent
any third parties are named (i.e. any third parties whose technologies we want to ask consent for).
subscribers/users are able to refuse the use of non-exempt technologies as easily as they can accept them.
users must be provided with ongoing control over any non-exempt storage and access technologies.

Further to this, in order to fully meet the requirement under PECR to provide clear and comprehensive information, the ICO says we should provide the following information:

how long we intend to store or access information (e.g. the duration of any cookies we want to set).

What must a consent mechanism be able to do?

The ICO expects consent mechanisms – often known as a Consent Management Platform (CMP) – to be configured to achieve the following:

Make it just as easy to refuse consent as it is to accept. e.g. ‘reject all’ should be given equal prominence to ‘accept all’.

People must take a positive action to indicate ‘opt-in’ consent
Technologies must only be set once consent is gathered (unless they meet an exception) – that means if you’re dropping a cookie onto their device, it should be dropped AFTER you gain consent
Granular options are given for different purposes. This is usually achieved by providing a third button to ‘customise’ or ‘manage options’ which takes users to a second overlay which provides descriptions for different categories, such as strictly necessary, analytics, functional and advertising/targeting.
Inform people of the identities of all third parties and the ability to control information shared with individual third parties.
Inform people how they can manage their preferences in future.

Our 5 steps for compliant storage and access technologies

In the real world how can we make sure we’re following the rules? Here are some straight-forward steps to take.

1. Audit: Do a ‘cookie’ audit. If you don’t know what storage and access technologies your website or application is using you can’t even start to be compliant. Run a diagnostic scan to discover exactly what technologies are currently in use. Establish what they are being used for, which are provided by third party providers, and which involve the sharing of data with the third party (for example Google, Meta, etc).

2. Spring clean: Get rid of the ones you no longer need. This might sound obvious, but you’d be surprised how often we find long-forgotten cookies or similar tech lurking on websites, serving no purpose and still unlawfully dropping cookies onto user devices and needlessly sharing their data with third parties! You might need to check with your colleagues which are still used.

3. Categorise: Categorise the technologies you use – what are they used for?

Strictly necessary (essential) – these are vital for the website to operate. For example, a cookie which helps keep the website secure, or technology which allows items to be added to a cart in an online store.
Analytics/Statistics/Performance – for example, technologies which allow you to monitor and improve the site performance. If you’re an ISS provider you may wish to identify where you might be able to rely on the statistical purposes exception.
Functional – cookies which enable a site to remember user preferences and settings, to enhance their experience on your website. There may be some where you are able to rely on the appearance exception, should you wish to.
Advertising/Targeting – these allow visitors to be followed from one website to another so tailored advertising can be displayed, or to target the most relevant advertising on your own website. These include digital advertising and social media retargeting.

4. Collect consent: To achieve this, you may wish to select a specialist Consent Management Platform (website ‘plug in’) to handle notifications, consent collection and changes for you. There are many CMPs on the market. Beware that not all of them meet the UK/EU cookie requirements, so care is required to select one that will enable you to comply.

If you use sub-domains on your website, deploy a high number of cookies or you want to exercise some creativity with how it looks, you’re likely to need a premium solution.

5. Notify website users: Provide a clear notification about the cookies and similar technologies you deploy. This should include:

the cookies you intend to use
the purposes they will be used for
any third parties who may also process information stored in or accessed from the user’s device
the duration of any cookies you wish to set

There are two approaches to this. You can let the CMP handle both the notification (pop-up) and the provision of more detailed information about cookies, or you can use the CMP for the pop-up and provide a separate more detailed cookie notice.
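As an added example that is not part of the original guide or the ICO guidance, the script below turns a set of captured Set-Cookie headers into the inventory the audit, categorise and notify steps above ask for: cookie name, who set it, whether it is first- or third-party, its lifetime (one of the details the ICO expects you to disclose), and its category and purpose. The site host, the captured headers and the classification map are constructed for the example; unknown cookies are reported as unclassified so they surface for the spring-clean step. Note that it only covers cookies, so pixels, web storage and fingerprinting still need a separate pass.

```javascript
'use strict';

// Added example, not from the original article: building a cookie inventory
// from captured Set-Cookie headers. SITE_HOST, CAPTURED and KNOWN are
// constructed for the example.
const SITE_HOST = 'www.example.co.uk';

// Reference date used to turn absolute Expires values into a lifetime.
const NOW = new Date('2025-06-01T00:00:00Z');

// Constructed capture: which host answered, and the raw Set-Cookie value.
const CAPTURED = [
  { from: 'www.example.co.uk',            header: 'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax' },
  { from: 'www.example.co.uk',            header: 'lang=en-GB; Max-Age=31536000; Path=/' },
  { from: 'analytics.example-vendor.com', header: '_va=1.2.3; Domain=.example-vendor.com; Max-Age=63072000; Path=/; SameSite=None; Secure' },
  { from: 'ads.example-adnet.net',        header: 'adid=xyz; Expires=Mon, 01 Jun 2026 00:00:00 GMT; Path=/; SameSite=None; Secure' },
  { from: 'www.example.co.uk',            header: 'legacy_promo=1; Max-Age=7776000; Path=/' },
];

// Purpose and category of each cookie, as established from the teams that
// own the tags. Anything not listed is a candidate for the spring clean.
const KNOWN = {
  sessionid: { category: 'necessary',   purpose: 'keeps the visitor signed in' },
  lang:      { category: 'functional',  purpose: 'remembers the chosen language' },
  _va:       { category: 'analytics',   purpose: 'visitor statistics for the analytics vendor' },
  adid:      { category: 'advertising', purpose: 'cross-site advertising identifier' },
};

// Registrable domain (eTLD+1). Simplified: a short list of UK two-part
// suffixes stands in for the Public Suffix List a real audit tool would use.
const TWO_PART_SUFFIXES = ['co.uk', 'org.uk', 'ac.uk', 'gov.uk'];
function registrableDomain(host) {
  const labels = host.replace(/^\./, '').toLowerCase().split('.');
  const keep = TWO_PART_SUFFIXES.includes(labels.slice(-2).join('.')) ? 3 : 2;
  return labels.slice(-keep).join('.');
}

// Parse one Set-Cookie header into the fields the inventory needs.
function parseSetCookie(header, fromHost, now = NOW) {
  const [pair, ...rawAttrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attrs = {};
  for (const attr of rawAttrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  // Lifetime: Max-Age takes precedence over Expires; neither means a
  // session cookie, reported as 0 days.
  let lifetimeDays = 0;
  if (attrs['max-age'] !== undefined) {
    lifetimeDays = Number(attrs['max-age']) / 86400;
  } else if (attrs.expires) {
    lifetimeDays = (new Date(attrs.expires) - now) / 86400000;
  }
  const domain = registrableDomain(attrs.domain || fromHost);
  return {
    name,
    domain,
    lifetimeDays: Math.round(lifetimeDays),
    thirdParty: domain !== registrableDomain(SITE_HOST),
  };
}

// One row per cookie, with the disclosure fields filled in. needsConsent is
// the default position; the statistical and appearance exceptions, where
// they apply, are a decision for the owner, not something a scan can infer.
function buildInventory(captured = CAPTURED, known = KNOWN) {
  return captured.map(({ from, header }) => {
    const cookie = parseSetCookie(header, from);
    const meta = known[cookie.name]
      || { category: 'UNCLASSIFIED', purpose: 'unknown: confirm with owners or remove' };
    return { ...cookie, ...meta, needsConsent: meta.category !== 'necessary' };
  });
}

// Rows that cannot yet be disclosed honestly because nobody has claimed them.
function unresolved(inventory) {
  return inventory.filter(r => r.category === 'UNCLASSIFIED');
}
```

Run `buildInventory()` in Node.js and feed the rows into your cookie notice and CMP categories; `unresolved()` gives the list to chase before the notice is published.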

The risk of non-compliance

The ICO’s primary focus to date has been the potentially harmful tracking of individuals for advertising purposes. Over the past few years the regulator has issued warnings to a multitude of companies operating some of the UK’s most popular websites.

While there have been no specific financial penalties issued, the regulator says its warnings have led to many organisations changing their approach to comply with the rules.

In Autumn 2024 the ICO issued a public reprimand to Bonne Terre Ltd, trading as Sky Betting and Gaming, for ‘unlawfully processing people’s data through advertising cookies without their consent’. Third-party tracking technologies including cookies were dropped by the SkyBet website onto users’ devices, which collected personal data (e.g. device ID and other unique identifiers).

While the site had a cookie notification (pop-up) and a consent management platform (CMP), the ICO investigation found certain cookies were dropped onto user devices before visitors interacted with the CMP. This meant visitors’ personal information was being processed and made available to AdTech vendors without the visitors’ knowledge or prior consent.

This is an area organisations can often get wrong; cookies and other trackers being deployed onto user devices immediately, regardless of the CMP.
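The consent-mechanism requirements listed earlier (opt-in only, no technology set before consent, granular choices, reject-all as easy as accept-all, ongoing control) and the failure mode in the SkyBet case both come down to one design point: non-exempt tags must wait for the CMP rather than firing on page load. The gate below, an added example that is not part of the original guide, the ICO guidance or any CMP product, shows that pattern in plain JavaScript runnable under Node.js. The tag registry, category names and the shape of the stored consent record are assumptions for the example. It binds consent to the exact list of purposes and parties the visitor was shown, so adding a new vendor invalidates old consent instead of silently extending it.

```javascript
'use strict';

// Added example, not from the original article: a consent gate that holds
// every non-exempt tag until the CMP reports a decision. TAGS, CATEGORIES
// and the consent-record shape are assumptions for this example.
const CATEGORIES = ['necessary', 'analytics', 'functional', 'advertising'];

// Constructed tag registry. Each entry names the party that receives data
// so the CMP can list third parties by name.
const TAGS = [
  { id: 'session-cookie', category: 'necessary',   party: 'first-party' },
  { id: 'lang-pref',      category: 'functional',  party: 'first-party' },
  { id: 'analytics-js',   category: 'analytics',   party: 'ExampleAnalytics Ltd' },
  { id: 'ad-pixel',       category: 'advertising', party: 'ExampleAds Inc' },
];

// Consent is bound to the exact purposes and parties the visitor was shown.
// Adding a vendor later changes the version, so stale consent stops counting.
function consentVersion(tags) {
  return [...new Set(tags.map(t => `${t.category}:${t.party}`))].sort().join('|');
}

// Categories allowed to run for a consent record. No record (banner not
// yet answered) or a stale record means only the exempt 'necessary' category.
function grantedCategories(consent, tags) {
  const granted = new Set(['necessary']);
  if (!consent || consent.version !== consentVersion(tags)) return granted;
  for (const cat of CATEGORIES) {
    if (cat !== 'necessary' && consent.choices[cat] === true) granted.add(cat);
  }
  return granted;
}

// One-click decisions for the two equally prominent banner buttons.
function acceptAll(tags) {
  const choices = Object.fromEntries(CATEGORIES.map(c => [c, true]));
  return { version: consentVersion(tags), choices };
}
function rejectAll(tags) {
  const choices = Object.fromEntries(CATEGORIES.map(c => [c, c === 'necessary']));
  return { version: consentVersion(tags), choices };
}

class ConsentGate {
  constructor(tags, storedConsent = null) {
    this.tags = tags;
    this.consent = storedConsent;   // null on a first visit
    this.pending = new Map();       // tag id -> callback held until allowed
    this.fired = [];
  }
  // Tags register at page load. Exempt tags run at once; the rest wait.
  register(tagId, fire) {
    if (!this.tags.some(t => t.id === tagId)) throw new Error(`unregistered tag: ${tagId}`);
    this.pending.set(tagId, fire);
    this.flush();
  }
  // Called by the CMP on any decision, including a later change of mind.
  // Returns the ids whose permission was withdrawn so the caller can clear
  // their cookies and storage: a script that already ran cannot be un-run.
  update(consent) {
    const before = grantedCategories(this.consent, this.tags);
    this.consent = consent;
    const after = grantedCategories(consent, this.tags);
    this.flush();
    return this.tags
      .filter(t => before.has(t.category) && !after.has(t.category))
      .map(t => t.id);
  }
  flush() {
    const granted = grantedCategories(this.consent, this.tags);
    for (const [id, fire] of this.pending) {
      const tag = this.tags.find(t => t.id === id);
      if (!granted.has(tag.category)) continue;
      this.pending.delete(id);
      this.fired.push(id);
      fire(tag);
    }
  }
}

// Walk through a first visit: page load, a granular choice, then reject-all.
function demo() {
  const gate = new ConsentGate(TAGS);
  const loaded = [];
  for (const t of TAGS) gate.register(t.id, tag => loaded.push(tag.id));
  const beforeDecision = [...loaded];
  gate.update({ version: consentVersion(TAGS),
                choices: { analytics: true, functional: true, advertising: false } });
  const afterGranular = [...loaded];
  const withdrawn = gate.update(rejectAll(TAGS));
  return { beforeDecision, afterGranular, withdrawn, stillPending: [...gate.pending.keys()] };
}
```

On a real site the stored record would be read from a first-party consent cookie (itself strictly necessary, as it records the user's selection) and passed to the constructor, and every tag-manager trigger would go through `register()` rather than firing unconditionally. The check that catches the SkyBet-style fault is simple: load the page, do not touch the banner, and confirm that only `necessary` tags have fired.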

The ICO could take further action against organisations, but it seems most likely this will be focused on tracking for advertising purposes and that they will ask you to amend your ways, before issuing a reprimand or potential fine. But this approach could always change.

Could a relaxation of the rules be on the cards?

The ICO has an online tracking strategy, and as part of this recognises online advertising is a key part of the digital economy. It says its work has shown PECR could be amended “to allow certain low risk forms of online advertising to operate without consent, while continuing to require consent for advertising that involves intrusive tracking and profiling people over time and across services”.

The regulator gave advice to the Government on potential changes in May 2026, and we’ll have to see whether this evolves into any significant changes in the future.

This is very much an overview of the ‘cookie’ rules. If your operations are sophisticated and extensive there’s plenty more nuanced detail to be found in the ICO Guidance on the Use of Storage and Access Technologies. This includes some helpful examples of cookie banners, showing what the ICO would consider good and bad practice.

As a data protection consultant since 2015, Philippa advises and supports a broad range of clients, and delivers data protection training. She also regularly writes GDPR guides to support data protection teams in their day-to-day work.