PECR Cookie Rules UK: What the ICO Actually Enforces
Steven | TrustYourWebsite · 4 May 2026 · Last updated: May 2026
PECR cookie rules in the UK predate GDPR by 15 years. The Privacy and Electronic Communications Regulations 2003 (PECR), specifically Regulation 6, is what requires UK websites to obtain consent before setting non-essential cookies. UK GDPR then applies to how the personal data those cookies collect is processed. Both sit under the same regulator, the ICO, which can enforce them at the same time.
The distinction matters for two reasons. First, PECR has its own fine ceiling of £500,000, separate from UK GDPR's £17.5 million ceiling. Second, the ICO's actual enforcement record on cookies has been almost entirely under PECR, not UK GDPR directly. Understanding which statute applies to which failure shapes how you structure your legal defence if the ICO comes calling.
To check whether your site currently loads tracking scripts before consent is given, run a free technical scan. It tests the actual browser request sequence, not just whether a banner is visible.
PECR vs UK GDPR at a glance
The UK has two parallel legal instruments governing cookies. They work differently.
| Aspect | PECR Regulation 6 | UK GDPR |
|---|---|---|
| Statute | Privacy and Electronic Communications Regulations 2003 SI 2426, Reg 6 | Retained EU Regulation 2016/679 as amended by the Data Protection Act 2018 |
| What it controls | Storing or accessing information on a user's device | Processing personal data collected by those cookies |
| Consent standard | Prior, informed, active | Specific, informed, freely given, unambiguous |
| Maximum fine | £500,000 | £17.5 million or 4% of global turnover |
| Typical ICO route on cookies | Information notices, public letters, reprimands | Used when underlying processing also breaches DP rules |
| Enforcer | Information Commissioner's Office | Information Commissioner's Office |
PECR vs UK GDPR in practice
PECR Regulation 6 creates the specific consent requirement for placing cookies and other technologies that store or access information on a user's device. It comes from the UK's transposition of the EU's ePrivacy Directive 2002/58/EC. The key test is whether the cookie is "strictly necessary" for the service the user has explicitly requested. If not, prior consent is required.
UK GDPR then applies to the personal data those cookies collect and transmit. An analytics cookie that sends IP address and device fingerprint data to Google is processing personal data. The lawful basis for that processing, in most cases consent, must satisfy UK GDPR's validity requirements. Those requirements include being specific, informed, freely given and unambiguous.
In practice a typical analytics setup has two compliance layers. PECR requires consent before the cookie is set. UK GDPR requires that the consent obtained is valid for the purposes of processing the data that follows.
The ICO can take action under either statute. For website cookie failures, it typically acts under PECR for the consent capture mechanism. It acts under UK GDPR if the underlying data processing activities involve additional breaches such as inadequate retention periods or no data processor agreements.
The ICO's enforcement record on cookies
The ICO's most significant cookie-enforcement action to date was not a fine. It was the November 2023 letter campaign. The ICO wrote to 53 of the UK's top 100 websites requiring them to bring their cookie banners into compliance with PECR and UK GDPR. The letter named specific banner patterns the ICO considered non-compliant. It set a deadline for organisations to confirm they had made changes.
This approach combines public identification with a compliance deadline rather than an immediate fine. It reflects the ICO's general stance on cookies for large commercial websites. For SMBs the process typically starts with a data subject complaint about a specific site and an ICO information notice rather than a sector-wide sweep.
Where the ICO has issued cookie-related fines, they have come through the PECR route. They have mostly targeted organisations running unsolicited direct-marketing campaigns, not businesses with merely incomplete banners. Cookie-banner non-compliance on commercial sites has generally resulted in reprimands and required changes rather than fines.
This should not be read as the ICO being permissive. The November 2023 campaign and the ICO's subsequent monitoring made clear that persistent non-compliance after an explicit warning would result in enforcement action. The ICO has indicated it will increase its cookie-enforcement activity from 2025 onward.
What Regulation 6 actually requires
PECR Regulation 6 prohibits storing or accessing information on a user's device unless that user has first been given clear and comprehensive information about the purpose and has actively consented. The statute requires the information to be complete enough that the user genuinely understands what they are agreeing to. A vague notice that cookies exist is not enough.
The ICO interprets this to mean five things in practice.
Consent must be prior. Cookies cannot load before the user has made a choice. A banner that appears after scripts have already fired does not comply, even if the user is subsequently asked to accept or reject.
Consent must be a genuine choice. Reject must be as easy as accept. This means equal visual prominence, equal number of clicks and no dark patterns that nudge users towards acceptance. A large green "Accept all" button alongside a small grey "Manage preferences" link requiring three further clicks does not meet this standard.
No pre-ticked boxes. The user must actively indicate agreement. Opt-out mechanisms do not satisfy PECR. The CJEU ruling in Planet49 GmbH v Bundesverband der Verbraucherzentralen und Verbraucherverbände [2019] Case C-673/17 supports this interpretation. It is technically advisory in UK courts post-Brexit but the ICO treats its reasoning as persuasive.
Consent must be informed. The user must know what they are consenting to before they consent. A banner that says only "We use cookies" with an accept button does not satisfy this. The categories of cookie and their purposes must be described.
Withdrawal must be as easy as consent. Users who initially accept cookies must be able to revoke that acceptance easily. A link in the privacy policy footer that opens a consent management panel satisfies this in most implementations. The revocation must actually stop the scripts from loading.
Strictly necessary cookies: what qualifies
Strictly necessary cookies are exempt from the consent requirement in PECR Regulation 6. The ICO's guidance on what qualifies is narrow.
| Category | Strictly necessary? | Example |
|---|---|---|
| Session and authentication | Yes | Login token, session ID, basket contents during checkout |
| Security | Yes | CSRF token, anti-fraud cookie tied to the current transaction |
| Consent record | Yes | The cookie that stores the user's own accept or reject choice |
| Load balancing | Yes | Server-affinity cookie used to keep a session on one node |
| Analytics | No | Google Analytics, Microsoft Clarity, Plausible (when not self-hosted first-party) |
| Advertising | No | Meta Pixel, Google Ads conversion, LinkedIn Insight Tag |
| A/B testing and personalisation | No | Optimizely, VWO, Adobe Target |
| Social media | No | YouTube embeds in default mode, Twitter widgets, Facebook share buttons |
Session cookies that keep a user logged in or maintain a shopping basket while they browse are strictly necessary. CSRF tokens and other security cookies that protect the integrity of form submissions qualify. The cookie that records whether the user has accepted or rejected cookies is itself strictly necessary.
Analytics, advertising, A/B testing, heatmapping, personalisation, social-media tracking, affiliate tracking and performance-monitoring cookies are not strictly necessary. They improve the service or support the business model. They are not required to deliver the service the user asked for. All of these require consent.
Google Analytics 4, Hotjar, Meta Pixel, Microsoft Clarity, LinkedIn Insight Tag, Stripe's fraud-detection script if loading before checkout and most CDN-embedded scripts from third parties fall outside the strictly necessary carve-out.
The Data (Use and Access) Act 2025 and what it did not change
The Data (Use and Access) Act 2025 generated significant speculation that cookie consent requirements in the UK might be relaxed. They were not.
Earlier versions of the legislation under the Data Protection and Digital Information (No.2) Bill, which lapsed at the 2024 general election, had proposed a "recognised legitimate interest" for analytics. That would have removed the consent requirement for web analytics tools. The provision did not make it into the Data (Use and Access) Act.
The Act's provisions relevant to cookies are modest. It clarified that "subscriber" in PECR includes businesses as well as individuals, which is relevant for B2B contexts. It made minor changes to the enforcement regime. The core rule, prior consent for non-essential cookies, is unchanged.
ICO guidance published alongside the Act's passage confirmed that websites should continue to operate cookie banners on the basis of the existing PECR requirements until further notice.
Setting up a compliant banner
A PECR-compliant banner has a few non-negotiable components. The ICO publishes detailed online tracking guidance at ico.org.uk. That document is the definitive reference for any implementation question not covered here.
The banner appears before any non-essential scripts load. This requires a consent management platform (CMP) that blocks scripts at the technical level rather than merely displaying a banner. Many low-cost cookie plugins show a banner but do not actually gate script execution. To verify this for your own site, open your browser's Network tab and reload the page without clicking anything.
It has clearly labelled Accept and Reject options on the first layer. Both should be immediately visible without scrolling. The ICO has been explicit that layered consent flows where rejection requires multiple clicks are non-compliant.
It describes what is being consented to. Cookie categories such as analytics, advertising and functional must be visible at the first layer or immediately accessible. Their general purposes must be described in the same place.
It allows withdrawal. A footer link to a consent preferences panel, visible on every page, is the standard approach. The panel must allow the user to change a previous acceptance to a rejection. That change must take effect immediately for any scripts that have not yet loaded.
It stores consent records. You should be able to demonstrate, for any given user, when they consented, what they consented to and through which mechanism. Most commercial CMPs handle this automatically.
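Before trusting a CMP's claims, capture the Network tab on a fresh browser profile (no prior consent cookie, no banner interaction) and triage what loaded. The script below is an added example, not the article's or any vendor's code, that does that triage offline over a constructed capture; the tracker-host table and the `example-shop.co.uk` first-party host are illustrative assumptions, not ICO-published lists.

```javascript
// Added example (not from the original article): offline triage of a Network-tab
// capture taken before any banner interaction. Host table and capture are constructed.

// Third-party hosts mapped to the categories in the table above; matched by suffix.
const TRACKER_HOSTS = {
  "google-analytics.com": "analytics",
  "googletagmanager.com": "analytics",
  "clarity.ms": "analytics",
  "hotjar.com": "analytics",
  "connect.facebook.net": "advertising",
  "doubleclick.net": "advertising",
  "snap.licdn.com": "advertising",
};

function classifyHost(hostname) {
  for (const [suffix, category] of Object.entries(TRACKER_HOSTS)) {
    if (hostname === suffix || hostname.endsWith("." + suffix)) return category;
  }
  return null; // not in the table; reported as unknown rather than ignored
}

// requests: [{ url, cookiesSet: [cookie names seen in Set-Cookie] }]
// firstPartyHost: the site's own registrable domain (e.g. "example-shop.co.uk")
function auditPreConsent(requests, firstPartyHost) {
  return requests.map((req) => {
    const host = new URL(req.url).hostname;
    const firstParty = host === firstPartyHost || host.endsWith("." + firstPartyHost);
    const category = classifyHost(host);
    let verdict;
    if (firstParty) verdict = "first_party";          // check names against the necessary list
    else if (category) verdict = "consent_required";  // non-essential script fired before consent
    else verdict = "unknown_third_party";             // classify before going live
    return { host, category, verdict, cookiesSet: req.cookiesSet || [] };
  });
}

// Anything that needed consent under Regulation 6 but loaded anyway.
function violations(findings) {
  return findings.filter((f) => f.verdict === "consent_required");
}

// Constructed capture of a page whose banner is visible but does not gate scripts.
const SAMPLE_CAPTURE = [
  { url: "https://www.example-shop.co.uk/", cookiesSet: ["session_id", "csrf_token", "cookie_consent"] },
  { url: "https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER", cookiesSet: [] },
  { url: "https://www.google-analytics.com/g/collect?v=2", cookiesSet: ["_ga"] },
  { url: "https://connect.facebook.net/en_GB/fbevents.js", cookiesSet: [] },
  { url: "https://cdn.example-cdn.net/fonts.css", cookiesSet: [] },
];
```

Run `violations(auditPreConsent(SAMPLE_CAPTURE, "example-shop.co.uk"))` against your own export; an empty result on a fresh profile is the minimum bar, and every `unknown_third_party` entry still needs a manual decision.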
For a comparison with how France's CNIL enforces identical requirements for EU-based websites, see our EU GDPR compliance checklist.
This is technical analysis, not legal advice. Consult a solicitor for specific guidance on PECR compliance.