Cookie consent in the UK: ICO rules your website must follow

Steven | TrustYourWebsite · 3 May 2026 · Last updated: May 2026

Quick summary

  • Rule: PECR Regulation 6 requires prior consent before any non-essential cookie or tracker loads.
  • Regulator: ICO (UK GDPR + PECR). The November 2023 letters to 53 of the top 100 UK sites set the modern enforcement benchmark.
  • Fine ceiling: £500,000 under PECR; up to £17.5 million or 4% of global turnover where UK GDPR also applies.
  • Most common failure: Google Analytics loads before the visitor has chosen. Our scanner tests this directly.

Cookie consent in the UK is governed by PECR Regulation 6 (Privacy and Electronic Communications Regulations 2003), reinforced by UK GDPR where cookies involve personal-data processing. The ICO has made cookie compliance a stated enforcement priority since November 2023, when it wrote to 53 of the top 100 UK websites warning them their banners did not comply.

If you want to skip the explanation, run a free PECR cookie banner check on /uk/en/scan and the scanner will tell you whether your site complies.

Here is what your website must do.


Under PECR Regulation 6, you must obtain the user's prior consent before storing or accessing any information on their device that is not strictly necessary for the service they have specifically requested.

In practice: no tracking scripts, analytics cookies, advertising pixels or social-media widgets should load until the visitor actively accepts them.

Strictly necessary cookies (no consent needed):

  • Session cookies for login and shopping basket
  • Security cookies (CSRF tokens, authentication)
  • Load-balancing cookies
  • The cookie that stores the visitor's consent preference

Everything else requires consent:

  • Google Analytics, Google Tag Manager
  • Facebook / Meta Pixel, TikTok Pixel
  • LinkedIn Insight Tag
  • Hotjar, Microsoft Clarity, FullStory
  • Advertising and retargeting scripts
  • Social-share buttons that set cookies
  • Google Fonts loaded from Google's servers (transmits IP addresses)

The "strictly necessary" test, step by step

Does this cookie need consent?

  1. Did the visitor actively request the service this cookie supports? If no, consent is required.
  2. Would the requested service fail without this specific cookie? If no, consent is required. "Useful to the operator" is not enough.
  3. Is the cookie used for analytics, advertising, personalisation or social features? If yes, consent is always required, even if you label it functional.
  4. Does the cookie or its payload reach a third party? If yes, consent is required, because PECR treats third-party storage and access the same as first-party.

Adapted from the ICO's guidance on cookies and similar technologies: https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/cookies-and-similar-technologies/

The fastest way to know whether a cookie is lawful is to map its purpose to the consent requirement and the PECR clause that governs it. The table below mirrors how the ICO categorises cookies in its public guidance.

<div className="my-6 overflow-x-auto"> <table className="w-full border-collapse text-sm"> <thead> <tr className="bg-slate-100"> <th className="border border-slate-300 p-2 text-left">Cookie purpose</th> <th className="border border-slate-300 p-2 text-left">Consent required?</th> <th className="border border-slate-300 p-2 text-left">Lawful basis under UK GDPR</th> <th className="border border-slate-300 p-2 text-left">PECR citation</th> </tr> </thead> <tbody> <tr> <td className="border border-slate-300 p-2">Strictly necessary (login session, basket, CSRF)</td> <td className="border border-slate-300 p-2">No</td> <td className="border border-slate-300 p-2">Performance of a contract or legitimate interests</td> <td className="border border-slate-300 p-2"><a className="underline" href="https://www.legislation.gov.uk/uksi/2003/2426/regulation/6/made">Reg. 6(4) exemption</a></td> </tr> <tr> <td className="border border-slate-300 p-2">Analytics (Google Analytics, Plausible cookies, Matomo with cookies)</td> <td className="border border-slate-300 p-2">Yes</td> <td className="border border-slate-300 p-2">Consent</td> <td className="border border-slate-300 p-2">Reg. 6(1)-(2)</td> </tr> <tr> <td className="border border-slate-300 p-2">Advertising / retargeting (Meta Pixel, Google Ads, LinkedIn Insight)</td> <td className="border border-slate-300 p-2">Yes</td> <td className="border border-slate-300 p-2">Consent</td> <td className="border border-slate-300 p-2">Reg. 6(1)-(2)</td> </tr> <tr> <td className="border border-slate-300 p-2">Personalisation (saved layout, recommended content)</td> <td className="border border-slate-300 p-2">Yes</td> <td className="border border-slate-300 p-2">Consent</td> <td className="border border-slate-300 p-2">Reg. 6(1)-(2)</td> </tr> <tr> <td className="border border-slate-300 p-2">Functional (chosen language, accessibility preference)</td> <td className="border border-slate-300 p-2">Yes, unless tied to a specifically requested feature</td> <td className="border border-slate-300 p-2">Consent (default) or contract</td> <td className="border border-slate-300 p-2">Reg. 6(1)-(2)</td> </tr> <tr> <td className="border border-slate-300 p-2">Consent record cookie itself</td> <td className="border border-slate-300 p-2">No</td> <td className="border border-slate-300 p-2">Legal obligation (proof of consent)</td> <td className="border border-slate-300 p-2">Reg. 6(4) exemption</td> </tr> </tbody> </table> </div>

ICO position on dark patterns

The ICO has been explicit: cookie banners that use design techniques to steer users towards accepting cookies are dark patterns that undermine valid consent.

The ICO considers these practices problematic:

<div className="my-6 overflow-x-auto"> <table className="w-full border-collapse text-sm"> <thead> <tr className="bg-slate-100"> <th className="border border-slate-300 p-2 text-left">Practice</th> <th className="border border-slate-300 p-2 text-left">Why it's a dark pattern</th> </tr> </thead> <tbody> <tr> <td className="border border-slate-300 p-2">Accept button is larger or more colourful than Reject</td> <td className="border border-slate-300 p-2">Creates visual pressure to accept</td> </tr> <tr> <td className="border border-slate-300 p-2">"Reject" requires 3-5 clicks, "Accept" requires 1</td> <td className="border border-slate-300 p-2">Asymmetric effort undermines free choice</td> </tr> <tr> <td className="border border-slate-300 p-2">Checkboxes for optional cookies pre-ticked</td> <td className="border border-slate-300 p-2">Consent must be an active opt-in</td> </tr> <tr> <td className="border border-slate-300 p-2">"Manage Preferences" hidden in small print</td> <td className="border border-slate-300 p-2">Obscuring the reject path</td> </tr> <tr> <td className="border border-slate-300 p-2">Banner reappears repeatedly until user accepts</td> <td className="border border-slate-300 p-2">Harassment pattern</td> </tr> <tr> <td className="border border-slate-300 p-2">"We value your privacy" language before accept prompt</td> <td className="border border-slate-300 p-2">Misleading framing</td> </tr> </tbody> </table> </div>

The ICO's approach aligns with EDPB Guidelines 03/2022 on deceptive design patterns, which the ICO has indicated it follows in substance even after Brexit.


The ICO enforcement mechanism: what it can do

This is important and often misunderstood:

Under PECR (cookie regime): The ICO can issue direct monetary penalty notices of up to £500,000 for serious breaches. PECR is the older instrument and has its own enforcement track. The ICO has issued PECR fines regularly against companies running unsolicited marketing campaigns. Cookie-specific PECR fines are rarer but the legal basis exists.

Under UK GDPR (Data Protection Act 2018): Where cookie activity involves processing personal data (which analytics cookies always do, as they transmit IP addresses), the ICO can apply UK GDPR enforcement powers. These include fines up to £17.5 million or 4% of global annual turnover.

In practice, the ICO has used the public reprimand as its dominant cookie enforcement tool. Reprimands are public, stay on the ICO's record and are issued without going through the formal monetary-penalty process. The November 2023 top-100 letter campaign and its follow-up across the UK's top 1,000 websites in January 2025 were effectively coordinated reprimand exercises.


Consent under PECR and UK GDPR must be:

  • Freely given: refusing cookies must be as easy as accepting them
  • Specific: separate consent for analytics, marketing, functional cookies
  • Informed: users must understand what they're consenting to
  • Unambiguous: a clear affirmative action, not pre-ticked boxes or continued browsing
  • Withdrawable: users must be able to change their mind at any time

A cookie banner that says "By continuing to use our website, you consent to cookies" does not meet the standard. The CJEU ruling in Planet49 (C-673/17) is still good law in the UK because it pre-dates the end of the Brexit transition. The ICO continues to cite it.


Common implementation failures for UK websites

Failure 1: Google Analytics loads on every page visit

The most frequent violation. Google Tag Manager is installed and Google Analytics fires on page load, before any consent interaction. Fix: implement Google Consent Mode v2 with proper denial defaults.

Failure 2: Banner exists but doesn't block scripts

The banner appears, the user clicks "Reject", but tracking scripts load anyway. This happens when the consent platform is misconfigured or overridden by hard-coded analytics tags. Our scanner tests this specifically.

Failure 3: Cookie preferences not remembered

The banner reappears on every visit. Either the consent cookie isn't being set or it has a very short expiry. The consent record should be stored for at least 6-12 months.

Failure 4: Free WordPress plugin with default settings

Many free cookie plugins default to compliance-light configurations: pre-ticked boxes, no "Reject All" button, or banners that don't actually block scripts. Check your specific plugin's documentation.
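Failures 1 to 3 above come down to the same three mechanics: default to denied, hold every non-essential script back until its category is granted, and persist the choice long enough that the banner does not come back on the next visit. The following is an added example of a minimal consent gate that does all three; it is not code from TrustYourWebsite or from any consent platform. The Consent Mode storage key names are Google's documented ones; the category names, the `loadScript` callback, the cookie name and the 12-month lifetime are assumptions chosen for illustration.

```javascript
// Added example (not the article's or any vendor's code): a consent gate that
// defaults to denied, queues non-essential scripts until consent, and writes
// a consent cookie that survives 12 months so the banner does not reappear.

// Consent Mode v2 storage keys. Everything that depends on them starts denied;
// security_storage is strictly necessary and therefore needs no consent.
const DEFAULT_CONSENT = Object.freeze({
  analytics_storage: "denied",
  ad_storage: "denied",
  ad_user_data: "denied",        // added in Consent Mode v2
  ad_personalization: "denied",  // added in Consent Mode v2
  functionality_storage: "denied",
  security_storage: "granted",
});

// Banner categories (assumed names) mapped to the Consent Mode keys they control.
const CATEGORY_KEYS = {
  analytics: ["analytics_storage"],
  marketing: ["ad_storage", "ad_user_data", "ad_personalization"],
  functional: ["functionality_storage"],
};

const CONSENT_COOKIE_MAX_AGE = 365 * 24 * 60 * 60; // 12 months, in seconds

// loadScript(src) is injected so the gate is testable outside a browser. In a
// page it would be: src => { const s = document.createElement("script"); s.src = src; document.head.appendChild(s); }
function createConsentGate(loadScript) {
  const state = { ...DEFAULT_CONSENT };
  const pending = []; // { category, src } waiting for the visitor's choice
  const loaded = [];

  function isGranted(category) {
    const keys = CATEGORY_KEYS[category];
    if (!keys) throw new Error(`unknown consent category: ${category}`);
    return keys.every((k) => state[k] === "granted");
  }

  function release(src) { loadScript(src); loaded.push(src); }

  return {
    // Register a non-essential script. It loads immediately only if its
    // category is already granted (e.g. from a returning visitor's cookie).
    register(category, src) {
      if (isGranted(category)) release(src);
      else pending.push({ category, src });
    },
    // Apply the visitor's choice. Any category not explicitly true stays denied,
    // so "Reject all" is simply update({}). Returns the cookie to set.
    update(choices) {
      for (const [category, keys] of Object.entries(CATEGORY_KEYS)) {
        const value = choices[category] === true ? "granted" : "denied";
        for (const k of keys) state[k] = value;
      }
      // Release queued scripts whose category is now granted; keep the rest queued.
      for (let i = pending.length - 1; i >= 0; i--) {
        if (isGranted(pending[i].category)) release(pending.splice(i, 1)[0].src);
      }
      return consentCookie(choices);
    },
    snapshot() { return { ...state }; },   // what to pass to gtag('consent', 'default'/'update', ...)
    loaded() { return [...loaded]; },
  };
}

// The consent cookie is the one cookie that is itself exempt. Max-Age keeps the
// choice for 12 months (Failure 3); Secure and SameSite=Lax limit exposure.
function consentCookie(choices) {
  const value = encodeURIComponent(JSON.stringify(choices));
  return `cookie_consent=${value}; Max-Age=${CONSENT_COOKIE_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

// Read the stored choice back on the next visit. Absent or malformed means
// "not consented", never "accepted".
function readConsentCookie(cookieHeader) {
  const match = /(?:^|;\s*)cookie_consent=([^;]*)/.exec(cookieHeader || "");
  if (!match) return null;
  try { return JSON.parse(decodeURIComponent(match[1])); } catch { return null; }
}
```

On a returning visit, call `readConsentCookie(document.cookie)` first and feed the result to `update()` before registering any scripts; a hard-coded analytics tag in the page `<head>` bypasses the gate entirely, which is exactly the Failure 2 pattern the scanner looks for.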


Our scanner tests whether your banner actually works

Most tools check whether a banner exists. We check whether it works by simulating a visitor clicking "Reject All" and then measuring what scripts and cookies are still active.

This is how the ICO investigates complaints: they test the actual behaviour, not just the presence of a banner.

Test your cookie banner for free at /uk/en/scan


<div className="my-6 overflow-x-auto"> <table className="w-full border-collapse text-sm"> <thead> <tr className="bg-slate-100"> <th className="border border-slate-300 p-2 text-left">Year</th> <th className="border border-slate-300 p-2 text-left">ICO action</th> <th className="border border-slate-300 p-2 text-left">Targets</th> <th className="border border-slate-300 p-2 text-left">Outcome</th> </tr> </thead> <tbody> <tr> <td className="border border-slate-300 p-2">2019</td> <td className="border border-slate-300 p-2"><a className="underline" href="https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/cookies-and-similar-technologies/">Guidance on cookies and similar technologies</a> published</td> <td className="border border-slate-300 p-2">All UK websites</td> <td className="border border-slate-300 p-2">Set the consent standard. Enforcement remained quiet.</td> </tr> <tr> <td className="border border-slate-300 p-2">2021-2022</td> <td className="border border-slate-300 p-2">Reprimand-led approach</td> <td className="border border-slate-300 p-2">Mixed sectors</td> <td className="border border-slate-300 p-2">Public reprimands. No cookie-specific monetary penalty notices.</td> </tr> <tr> <td className="border border-slate-300 p-2">Nov 2023</td> <td className="border border-slate-300 p-2">Top-100 letter campaign</td> <td className="border border-slate-300 p-2">53 of the top 100 UK sites</td> <td className="border border-slate-300 p-2">30 days to comply. ICO cookie enforcement became operational.</td> </tr> <tr> <td className="border border-slate-300 p-2">Jan 2024</td> <td className="border border-slate-300 p-2"><a className="underline" href="https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2024/01/ico-warns-organisations-to-proactively-make-advertising-cookies-compliant/">Follow-up announcement</a></td> <td className="border border-slate-300 p-2">Sites warned in November 2023</td> <td className="border border-slate-300 p-2">38 became compliant, 4 committed to changes, the rest publicly named.</td> </tr> <tr> <td className="border border-slate-300 p-2">Jan 2025</td> <td className="border border-slate-300 p-2"><a className="underline" href="https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/01/ico-takes-action-to-tackle-cookie-compliance-across-the-uk-s-top-1-000-websites/">Top-1,000 sweep announced</a></td> <td className="border border-slate-300 p-2">UK's top 1,000 websites</td> <td className="border border-slate-300 p-2">AI-assisted scanning of cookie banners. Wider enforcement footprint.</td> </tr> <tr> <td className="border border-slate-300 p-2">2025</td> <td className="border border-slate-300 p-2">Data (Use and Access) Act passed</td> <td className="border border-slate-300 p-2">UK data protection regime</td> <td className="border border-slate-300 p-2">Cookie consent obligations unchanged. The earlier DPDI Bill proposals were dropped.</td> </tr> <tr> <td className="border border-slate-300 p-2">2026</td> <td className="border border-slate-300 p-2">SME priority shift</td> <td className="border border-slate-300 p-2">Smaller UK sites with analytics-before-consent</td> <td className="border border-slate-300 p-2">Banners that were acceptable in 2022 are not acceptable in 2026.</td> </tr> </tbody> </table> </div>

Where the ICO differs from EU regulators

The ICO doesn't operate in a vacuum. The EDPB coordinates EU DPAs and publishes common guidelines. The ICO takes its own positions but has historically aligned with EDPB on cookies.

Analytics cookies. The Belgian APD treats Google Analytics as non-essential and requires consent without exception. The French CNIL allows first-party analytics under strict conditions. The ICO sits closer to the APD position: analytics cookies require consent.

Cookie walls. The CNIL has accepted them case by case since the Conseil d'État ruling of 19 June 2020. The APD prohibits them. The ICO's position is that cookie walls fail PECR's "freely given" test where the visitor has no realistic alternative. In practice the ICO has not issued a formal cookie-wall sanction, but its position is closer to the APD than to the CNIL.

Consent renewal. The CNIL recommends six months, and so does the APD. The ICO has historically accepted up to twelve months. This is one of the few places where the UK regime is genuinely more permissive.

Cross-device tracking. All regulators agree it needs consent. Divergence is in the expected user interface, not the rule.

For a UK site targeting only the UK, follow ICO guidance. For a UK site targeting the EU, configure for the strictest of the ICO, CNIL and APD positions, which is almost always the APD position today.


Four mistakes UK SMEs keep making

After several hundred scans of UK business sites, these four issues appear in roughly 80% of audits.

Analytics before consent. Google Analytics, Plausible or Matomo is loaded in the <head> and fires on every page view regardless of the cookie banner state. The fix is loading the script only after the consent event. Most consent platforms support this. Home-grown banners often don't.

"Accept all" but no "Reject all" at level one. The user sees Accept in a bright button. The alternatives are Manage or Settings in a muted link. The ICO position is that reject must be as easy as accept. If reject requires a second click, it isn't.

Pre-ticked boxes in the settings panel. The main banner has Accept and Manage. The user clicks Manage. The panel shows four categories all pre-toggled to on. Pre-ticked has been unambiguously prohibited since the Planet49 ruling and has no place on any UK site in 2026.

No proof of consent. The site stores a cookie called cookie_consent=accepted with a date. That's a preference record, not a proof. If the ICO asks how you know user X consented on 12 March 2025, you need a timestamped log with the banner version shown, the choices offered and the user's selection. Consent platforms do this automatically.

The free PECR cookie banner check catches all four in one pass. For manual testing, open the browser devtools Network tab, reload the page and watch what fires before you click anything. If third-party requests to Google Analytics, Meta or similar domains appear before consent, you have problem number one.
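The Network-tab check above can be done over a captured request list rather than by eye. The following is an added example, not the TrustYourWebsite scanner and not the ICO's tooling: it takes the requests observed after page load and before any banner interaction and flags the third-party tracker hosts this article names, plus any other third-party response that sets a cookie. The host list, the `siteOrigin` parameter and the captured sample are assumptions constructed for illustration.

```javascript
// Added example (not the article's scanner): audit requests captured before
// any consent interaction. Host list and sample capture are constructed.

// Hosts behind the vendors the article lists as needing consent. Matched by
// suffix so subdomains such as region1.google-analytics.com are caught too.
const TRACKER_HOSTS = [
  ["google-analytics.com", "Google Analytics"],
  ["googletagmanager.com", "Google Tag Manager"],
  ["connect.facebook.net", "Meta Pixel"],
  ["facebook.com", "Meta Pixel"],
  ["analytics.tiktok.com", "TikTok Pixel"],
  ["snap.licdn.com", "LinkedIn Insight Tag"],
  ["hotjar.com", "Hotjar"],
  ["clarity.ms", "Microsoft Clarity"],
  ["fullstory.com", "FullStory"],
  ["fonts.googleapis.com", "Google Fonts"],
  ["fonts.gstatic.com", "Google Fonts"],
];

function hostMatches(host, suffix) {
  return host === suffix || host.endsWith("." + suffix);
}

// Vendor name for a URL, or null if the host is not on the list.
function identifyTracker(url) {
  const host = new URL(url).hostname;
  const hit = TRACKER_HOSTS.find(([suffix]) => hostMatches(host, suffix));
  return hit ? hit[1] : null;
}

// requests: [{ url, setCookie: [...] }] observed between page load and the
// first click on the banner. Anything first-party is left alone; a known
// tracker, or any third party that sets a cookie, is a pre-consent finding.
function auditPreConsent(siteOrigin, requests) {
  const site = new URL(siteOrigin).hostname;
  const findings = [];
  for (const req of requests) {
    const host = new URL(req.url).hostname;
    if (hostMatches(host, site)) continue;
    const vendor = identifyTracker(req.url);
    if (vendor) {
      findings.push({ url: req.url, vendor, issue: "third-party tracker loaded before consent" });
    } else if ((req.setCookie || []).length > 0) {
      findings.push({ url: req.url, vendor: host, issue: "third-party cookie set before consent" });
    }
  }
  return findings;
}

// Count findings per vendor, the shape a report or a CI gate would consume.
function summarise(findings) {
  const counts = {};
  for (const f of findings) counts[f.vendor] = (counts[f.vendor] || 0) + 1;
  return counts;
}

// Constructed capture for a hypothetical site: a session cookie on the
// document itself (fine), GTM and GA firing on load, the Meta Pixel loader,
// and an unrelated third-party widget that drops its own cookie.
const SAMPLE_CAPTURE = [
  { url: "https://www.example.co.uk/", setCookie: ["session=abc; HttpOnly; Secure; SameSite=Lax"] },
  { url: "https://www.example.co.uk/static/app.js", setCookie: [] },
  { url: "https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER", setCookie: [] },
  { url: "https://www.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER", setCookie: [] },
  { url: "https://connect.facebook.net/en_US/fbevents.js", setCookie: [] },
  { url: "https://cdn.example-partner.net/widget.js", setCookie: ["widget_id=1; Max-Age=2592000"] },
];
```

An empty result from `auditPreConsent` is the target state; anything else is problem number one, and the `summarise` output tells you which tag to move behind the consent event first.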


This is technical analysis, not legal advice.
