Do I Need a Cookie Banner on My UK Website?
Steven | TrustYourWebsite · 3 May 2026 · Last updated: May 2026
If you run a website for your London restaurant, your Manchester shop or your UK e-commerce store, you have probably seen those cookie banners pop up everywhere and wondered if you actually need one too. The short answer: yes, you almost certainly do. The Information Commissioner's Office (ICO) has been clear about its expectations. The rules are tighter than most UK SME owners realise.
What UK Law Actually Says
The UK does not just follow EU rules loosely. It has its own ePrivacy law that sits on top of UK GDPR. The Privacy and Electronic Communications Regulations 2003 (PECR) transpose the EU ePrivacy Directive into UK law and survived Brexit unchanged. PECR Regulation 6 is the one that matters: you must get the user's prior informed consent before storing or accessing information on their device using cookies or similar technology.
That is why you see the banners. The ICO enforces this. Since 2023 it has been visibly more active than in earlier years.
To check whether your site loads tracking scripts before consent is given, run a free technical scan at /uk/en/scan.
Why the ICO Is Serious About Cookies
In November 2023 the ICO publicly wrote to 53 of the top 100 UK websites warning that their cookie banners failed PECR. By January 2024 the ICO reported that 38 of those sites had become compliant and 4 more had committed to changes. The ICO named the organisations that had done nothing.
In January 2025 the ICO went further and announced enforcement action across the UK's top 1,000 websites. Mid-sized SME sites are now squarely in scope.
The ICO's Deputy Commissioner Stephen Bonner has stated publicly that a site without a clear reject option is "breaking the law". That is about as direct as a UK regulator gets.
For SMEs the largest fines look distant. The highest penalties went to British Airways (£20 million) and Marriott (£18.4 million), but ICO enforcement against smaller businesses is steady. Every monetary penalty notice the ICO has ever issued is published on its enforcement action register with the full reasoning. The dominant SME exposure is not a record-breaking fine. It is a complaint that lands at the ICO and triggers a public reprimand. There is also the operational cost of responding to a formal investigation.
If your site is hosted in the UK, targets UK customers or your business is UK-registered, you are in the ICO's jurisdiction.
Which Cookies Need Consent and Which Don't
Not every cookie is the same. This is where most small-business owners get confused.
The four categories below map directly to PECR Regulation 6. Only the strictly necessary row is exempt from consent. Everything else needs an active opt-in before the cookie is set.
| Cookie category | Typical examples | Consent required under PECR? | Common UK mistake |
|---|---|---|---|
| Strictly necessary | Shopping cart, login session, CSRF token, the consent cookie itself | **No**. Exempt under PECR Regulation 6(4). | Treating fraud-detection scripts as strictly necessary when they also profile visitors. |
| Performance / analytics | Google Analytics 4, Hotjar, Microsoft Clarity, FullStory | **Yes**. Prior opt-in before the script loads. | Loading GA4 on every page and relying on the privacy policy as "consent". |
| Functional | Embedded YouTube, live chat (Intercom / Drift), language preference | **Yes** for third-party embeds. **No** for first-party preference cookies. | Embedding YouTube without youtube-nocookie or without a consent gate. |
| Advertising / targeting | Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, Google Ads remarketing | **Yes**. Highest scrutiny from the ICO in 2025. | Firing the pixel on page load and only blocking it after a reject click. |

Functional cookies that are first-party do not need consent. These keep your website working:
- Shopping cart cookies
- Session cookies that keep users logged in
- Cookie consent preference cookies (remembering "no" to tracking)
- Basic security cookies (CSRF tokens)
You can use these without asking. Just mention them in your privacy policy.
Tracking and analytics cookies do need consent. These include:
- Google Analytics
- Facebook or Meta Pixel
- TikTok Pixel
- LinkedIn Insight Tag
- Hotjar
- Microsoft Clarity
- FullStory
- Advertising and retargeting cookies
- Any cookie that tracks user behaviour across sites
If you run Google Analytics on your website, you need explicit consent before the script loads. Same for Facebook Pixel if you run ads. PECR Regulation 6 is clear: "prior consent" means before the tracking happens, not after.
The Data (Use and Access) Act 2025 did not change this. The earlier Data Protection and Digital Information Bill collapsed in 2024 and had floated an analytics exemption. That exemption never became law.
Do I Actually Need One? A Decision Tree
Run through this flow once. If any branch lands on Banner required, you need a PECR-compliant cookie banner before the next visitor arrives.
Common UK Business Scenarios
Google Analytics on Your SME Site
You own a small hotel, a retail shop or a service business in the UK. You have added Google Analytics to see traffic. Under PECR you need a cookie banner that:
- Clearly explains what Google Analytics does
- Lets visitors choose to accept or reject equally easily
- Only loads the analytics script if they say yes
Simply having a privacy policy that mentions Google Analytics is not enough. That is a common mistake.
Facebook Pixel on Your Shopify Store
You are selling products online and using Facebook Pixel to retarget visitors with ads. The Pixel drops a cookie to track behaviour. This needs consent under PECR. Your banner must give people a real choice, not pre-ticked boxes or an "accept all" button with a buried "reject" link.
Local Business Website With No Tracking
If your website genuinely has no cookies except functional ones, no analytics, no ads and no retargeting, you may not need a banner at all. You still need to mention your cookie use in your privacy policy. Most UK SME sites use at least Google Analytics, so a banner is the safer assumption.
What Your Cookie Banner Actually Needs to Do
The ICO expects cookie banners to be honest and to give a real choice.
The banner must:
- Tell people what is happening before it happens (not after)
- List each cookie purpose clearly. Use plain labels such as "Analytics", "Advertising" or "Marketing"
- Let people reject non-essential cookies as easily as accepting them. That means the same number of clicks plus the same visual prominence
- Never use pre-ticked boxes for non-essential cookies
- Never hide the reject button or make it harder to find
- Respect people's choices and not nag them again if they have declined
The ICO's November 2023 letter campaign focused specifically on banners that buried the "reject all" button or required multiple clicks to say no while "accept all" was one click. That is the dark pattern the ICO has named.
What You Need Right Now
Here is what to actually do to stay compliant with UK law:
Step 1: Audit your cookies
List every tracking script on your site:
- Google Analytics plus Google Tag Manager
- Facebook Pixel
- TikTok Pixel or other ad pixels
- Chat bots that drop cookies (Intercom, Drift, Tawk.to)
- Hotjar
- Microsoft Clarity or other session-recording tools
- Email-capture forms that use tracking
Step 2: Separate essential from non-essential
Functional first-party cookies (cart, session, security) do not need consent in the banner. Tracking cookies do. They must not load until someone agrees.
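To show concretely what "must not load until someone agrees" means in code, here is a minimal consent gate in plain JavaScript. It is an added example written for this article, not code from the article's author or from any of the consent-tool vendors named below, and it only illustrates the mechanism those tools implement. The vendor script URLs, the `G-PLACEHOLDER` measurement ID, the cookie name `cookie_consent` and the element IDs `cookie-banner`, `accept-all` and `reject-all` are all assumptions. The decision logic is kept in plain functions so it can be exercised outside a browser; only `installGate()` touches the DOM.

```javascript
// Added example: a PECR-style consent gate. Not the article's code and not
// any consent-tool vendor's code. Script URLs and element IDs are assumptions.
const CONSENT_COOKIE = 'cookie_consent';    // first-party; exempt under Reg 6(4)
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60; // seconds; re-ask after six months

// Non-essential scripts grouped by the plain-language purpose shown on the
// banner. None of these appear in the page HTML; they are injected only
// after an opt-in for that purpose has been recorded.
const GATED_SCRIPTS = {
  analytics: ['https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER'],
  advertising: ['https://connect.facebook.net/en_US/fbevents.js'],
};
const PURPOSES = Object.keys(GATED_SCRIPTS);

// Every purpose defaults to false: no pre-ticked boxes.
function defaultChoices() {
  return Object.fromEntries(PURPOSES.map((p) => [p, false]));
}

// Parse our consent cookie out of a document.cookie-style string.
// Returns null when the visitor has not yet made a decision, and treats a
// malformed or tampered value as "no decision" rather than as consent.
function parseConsentCookie(cookieString) {
  for (const part of (cookieString || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    try {
      const stored = JSON.parse(decodeURIComponent(rest.join('=')));
      const choices = defaultChoices();
      for (const p of PURPOSES) choices[p] = stored.choices?.[p] === true;
      return { choices, decidedAt: Number(stored.decidedAt) || 0 };
    } catch {
      return null;
    }
  }
  return null;
}

// Build the cookie value. A "reject all" is recorded exactly like an
// "accept all", so a visitor who said no is not asked again.
// (Secure means the cookie is only set over HTTPS.)
function serializeConsentCookie(choices, now = Date.now()) {
  const value = encodeURIComponent(JSON.stringify({ choices, decidedAt: now }));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

// The banner is shown only while there is no decision on record.
function shouldShowBanner(consent) {
  return consent === null;
}

// URLs that may be loaded given the recorded choices. With no record, or
// with every purpose rejected, this is empty: nothing fires before consent.
function scriptsToLoad(consent) {
  if (!consent) return [];
  return PURPOSES.filter((p) => consent.choices[p] === true)
    .flatMap((p) => GATED_SCRIPTS[p]);
}

// Browser wiring. Runs only when a DOM exists, so the logic above stays
// testable in Node.
function installGate(doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) return;
  const consent = parseConsentCookie(doc.cookie);
  const load = (urls) => urls.forEach((src) => {
    const s = doc.createElement('script');
    s.src = src;
    s.async = true;
    doc.head.appendChild(s);
  });
  const record = (choices) => {
    doc.cookie = serializeConsentCookie(choices);
    load(scriptsToLoad({ choices }));
    doc.getElementById('cookie-banner')?.remove();
  };
  if (!shouldShowBanner(consent)) {
    load(scriptsToLoad(consent)); // returning visitor: honour the stored choice
    return;
  }
  // Accept and reject are each a single click on equally prominent buttons.
  doc.getElementById('accept-all')?.addEventListener('click', () =>
    record(Object.fromEntries(PURPOSES.map((p) => [p, true]))));
  doc.getElementById('reject-all')?.addEventListener('click', () =>
    record(defaultChoices()));
}
installGate();
```

The point to take from this is structural: the tracking scripts are never referenced from the page itself, so a visitor who has not clicked, or who clicked reject, generates no request to the analytics or advertising hosts at all. Whatever tool you pick in Step 3 should behave the same way when you check the Network tab in Step 5.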
Step 3: Choose a compliant cookie banner tool
Use a tool built for UK GDPR and PECR. Examples include:
- CookieYes (UK-based)
- Cookiebot
- Termly
- OneTrust
- Iubenda
These tools handle script blocking correctly. Avoid free or DIY solutions that do not properly defer script loading.
Step 4: Write a clear privacy policy
Your privacy policy must explain:
- What cookies you use and why
- How long they stay on the device
- Who you share data with (for example Google for Analytics)
- People's rights to withdraw consent at any time
- The right to lodge a complaint with the ICO
Your cookie banner should link directly to it.
Step 5: Test your banner
Make sure:
- The reject button actually stops tracking cookies from loading
- The accept and reject choices are equally visible and easy to find
- Your analytics and pixels do not fire until consent is given
Test this using browser developer tools (F12 then Network tab). Tracking scripts should not appear before the visitor has clicked anything.
The Practical Bottom Line
If you are running a business website in the UK with any kind of tracking, you need a cookie banner that actually works. Most UK business sites use at least one tracking tool. The ICO's track record since 2023 shows it enforces this. The 2025 follow-up campaign across the top 1,000 sites proved the regulator means it.
The investment in a proper cookie banner tool (typically £8-25 per month) is far cheaper than the operational cost of an ICO investigation or a public reprimand. Your UK visitors expect it. They see it on every major site. A banner that works properly builds trust rather than creating friction.
Get the audit done this week, pick a tool next week and you are compliant.
What Happens When the ICO Investigates Cookie Non-Compliance
Most ICO cookie investigations start with a data subject complaint. Someone visits your site, notices that Google Analytics or a Facebook Pixel fires before they have clicked anything on the banner. They then file a complaint at ico.org.uk/concerns. The ICO sends your business an information notice, typically with a 30-day response deadline.
For a first-time complaint about an SME site, the likely outcome if you co-operate promptly and fix the problem is a reprimand. A reprimand is a formal written statement that you breached PECR, published publicly on the ICO's enforcement page. No fine, but your company name appears on a regulator's enforcement record.
Where fines do follow, they have typically come after repeated non-compliance or wilful non-engagement with the ICO. Some cases involve cookie activity that was part of a broader pattern of data-protection failings. The Sky Betting and Gaming undertaking (2024) involved a range of cookie-related issues beyond a missing banner. The pattern is consistent. Businesses that engage promptly and fix the issue fare far better than those that dispute or ignore.
If you receive an ICO letter about cookies, respond within the deadline. Fix the banner before or during your response. Document what you changed. That approach resolves the majority of SME cookie complaints without a fine. For more on how ICO investigations work, see ICO investigation process explained.
Sources
- Privacy and Electronic Communications Regulations 2003 (legislation.gov.uk)
- ICO, Guidance on the use of cookies and similar technologies
- ICO, January 2025 enforcement action across the UK's top 1,000 websites
- ICO enforcement action register (all monetary penalty notices and reprimands)
This is technical analysis, not legal advice.