Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Cookies are a powerful tool for understanding your website traffic and improving conversions. But under UK law, you can’t just drop cookies and get on with your day - you’ll need a clear, accessible Cookie Policy and a compliant consent mechanism.
If you’re looking for a practical, UK‑focused cookie policy template and step‑by‑step guidance, you’re in the right place. In this guide, we’ll explain what the law requires, what your Cookie Policy must cover, and how to implement consent in a way that actually works for your business.
Getting your website legals right from day one means fewer headaches later - and it helps you build trust with your customers.
What Is A Cookie Policy (And Do UK Businesses Need One)?
A Cookie Policy explains to visitors what cookies and similar technologies your site uses, why you use them, and how people can control them. It’s separate from (but closely linked to) your Privacy Policy.
Under the Privacy and Electronic Communications Regulations (PECR) and UK GDPR, most cookies (analytics, advertising, personalisation) require informed, prior consent. You’ll also need to provide clear information - that’s where your Cookie Policy comes in.
In short:
- Strictly necessary cookies: No consent required, but you should still describe them in your Cookie Policy.
- All other cookies (including analytics and advertising): Consent required before setting them.
Practically speaking, almost every small business site runs analytics or embeds third‑party tools that set cookies. So you’ll need both a compliant banner and a well‑drafted Cookie Policy. It should sit alongside your Privacy Policy and your Website Terms and Conditions.
Cookie Policy Template UK: The Essential Clauses To Include
Below is a UK‑friendly structure you can use as a starting point. Every business is different, so tailor the details to your actual cookies, vendors, and processes.
1) About This Policy
Briefly state who you are (legal entity and contact details), what the policy covers (cookies and similar technologies such as pixels and local storage), and the date it was last updated.
2) What Are Cookies?
Explain cookies in plain English - small files stored on a user’s device which help with site functionality, performance, and personalisation. Mention related technologies (pixels, web beacons, SDKs, local storage) as part of your scope.
3) Types Of Cookies We Use
- Strictly Necessary: Required for the site to function (e.g. security, shopping cart, load balancing). Consent not required.
- Preferences/Functionality: Remember choices (e.g. language). Consent required.
- Analytics/Performance: Measure site usage (e.g. page views, bounce rate). Consent required under PECR, even if “low risk”.
- Advertising/Targeting: Track activity to deliver personalised ads. Consent required.
4) The Cookies We Set (Cookie Table)
List your actual cookies in a table or bullet list. For each cookie, include:
- Cookie name and provider (e.g. _ga by Google)
- Purpose (e.g. analytics to understand page performance)
- Type (first‑party/third‑party; session/persistent)
- Duration (e.g. 2 years)
Keep this section up to date - regulators expect the inventory to be accurate. If your marketing stack changes, update your table.
5) How You Can Control Cookies
Explain how users can manage cookies via your on‑site controls (e.g. your consent banner or preference centre) and via their browser settings. Make it easy to withdraw consent at any time (for instance, through a persistent “Cookie Settings” link in your footer).
6) Third‑Party Cookies
Call out that third parties may set cookies when users visit your site (e.g. ad networks, embedded videos, social plugins). Link to those providers’ policies where possible and explain that cookie choices in your banner will affect whether third‑party tags load.
7) International Transfers
If cookie data may be transferred outside the UK (for example, to US‑based analytics providers), note this and reference safeguards (such as the UK International Data Transfer Agreement or Addendum to the EU SCCs) in your Privacy Policy. Keep the Cookie Policy concise and cross‑refer to the details in your Privacy Policy.
8) Changes To This Policy
Say you’ll update the policy when your cookies or legal requirements change, and show the “last updated” date at the top.
9) Contact Us
Include an email or form for privacy queries and cookie complaints. Consider an address if you receive written requests.
Copy‑Ready Cookie Policy Template (UK)
Use this as a starting point and tailor it to your site (replace the placeholders in brackets):
Last Updated: [date]
About This Cookie Policy
This Cookie Policy explains how [Company Name] (“we”, “us”, or “our”) uses cookies and similar technologies on [website URL]. It should be read together with our Privacy Policy, which explains how we use personal data.
What Are Cookies?
Cookies are small text files that are placed on your device to store data. We also use similar technologies such as pixels, tags, local storage and SDKs (collectively “cookies”).
Types Of Cookies We Use
We use the following categories of cookies:
- Strictly Necessary – required for our website to function (no consent needed).
- Preferences/Functionality – remember your settings and choices (consent needed).
- Analytics/Performance – help us understand how our website is used (consent needed).
- Advertising/Targeting – used to deliver personalised ads and measure their effectiveness (consent needed).
The Cookies We Set
We keep this list updated, but it may become out of date if our providers change their services:
- _ga (Google) – Analytics – Used to distinguish users – Persistent – 2 years
- _gid (Google) – Analytics – Used to distinguish users – Persistent – 24 hours
- [cookie name] ([provider]) – Strictly necessary – Supports core site features – Session – Expires when you close your browser
- [cookie name] ([provider]) – Advertising – Delivers targeted ads – Persistent – [duration]
How To Control Cookies
You can manage your cookie preferences via our “Cookie Settings” tool at any time. You can also control cookies through your browser settings. If you block certain cookies, parts of our site may not function properly.
Third‑Party Cookies
Some cookies are set by third parties, such as analytics providers and advertising networks. These providers may use your data for their own purposes. Please refer to their privacy and cookie policies for more information.
International Transfers
Some providers may process your data outside the UK. Where this occurs, we rely on appropriate safeguards. See our Privacy Policy for details.
Updates To This Policy
We may update this Cookie Policy to reflect changes to our cookies or legal requirements. Please check back regularly to stay informed.
Contact Us
If you have any questions about our use of cookies, please contact us at [email address].
Important: Templates are a starting point. To stay compliant, map your actual cookies and keep this policy accurate and up to date.
Do I Need A Cookie Banner And Consent Management?
Yes - if you use any non‑essential cookies (analytics, ads, social media), PECR requires prior consent. That means you should not set those cookies until the user has actively opted in.
A compliant approach usually includes:
- A clear, prominent banner on first visit that explains categories of cookies and offers true choice (Accept/Reject/Manage Settings).
- Granular controls (e.g. toggles for Analytics, Advertising) so users can opt in by category.
- Cookie scripts blocked by default until consent is obtained.
- Easy withdrawal of consent (for example, a persistent “Cookie Settings” link in the footer).
- Consent logs showing what a user chose, when, and from which IP/device.
The Information Commissioner’s Office (ICO) has been clear: pre‑ticked boxes and implied consent (e.g. “by continuing to use this site, you agree…”) aren’t valid. You need an affirmative action to set non‑essential cookies.
If you’re designing or updating your banner, make sure your approach to cookie banners is practical and legally robust, including offering clear, equally prominent Reject All Cookies buttons.
How Cookie Policies Fit With UK GDPR And PECR
Two core laws apply to cookies in the UK:
- PECR governs the use of cookies and similar technologies. It requires prior consent for non‑essential cookies and clear, comprehensive information.
- UK GDPR (and the Data Protection Act 2018) governs how you process personal data collected via cookies - transparency, lawful basis, minimisation, retention, security, and data subject rights.
Key compliance points for small businesses:
- Lawful Basis: For non‑essential cookies, the lawful basis is almost always consent (not legitimate interests). For strictly necessary cookies, you rely on necessity.
- Transparency: Your Cookie Policy must be accurate and consistent with your Privacy Policy. Don’t say you “only set essential cookies” if you run analytics or ad tags.
- Vendors And Processors: If third parties process personal data for you (e.g. analytics platforms), you’ll usually need a Data Processing Agreement and to check their transfer safeguards.
- Data Subject Rights: Be ready to handle access and deletion requests relating to cookie‑derived personal data. Your preference centre and records should support this.
- Security: Protect identifiers stored in cookies and any associated profiles. Limit retention to what you actually need.
It’s normal to feel overwhelmed by the interplay between PECR and UK GDPR. Focus on the fundamentals: don’t set non‑essential cookies before consent, be transparent, and document your decisions.
Practical Steps To Implement Your Cookie Policy
Here’s a straightforward process you can follow to get your cookie compliance in order without grinding your marketing to a halt.
Step 1: Run A Cookie Audit
Scan your site (and key user journeys) to identify all cookies and trackers. Look beyond your main pages - check blog templates, landing pages, forms, and any embedded third‑party widgets. Confirm:
- Cookie names, providers, categories, and durations
- Which scripts load them (tag manager, theme, plugin)
- Whether they’re essential or non‑essential
Step 2: Choose And Configure A Consent Tool
Select a consent management platform (CMP) that can block scripts until consent is given, offer granular opt‑ins, and record consent. Configure it to:
- Display an initial banner with Accept/Reject/Manage options
- Provide a preference centre (with categories and descriptions)
- Respect browser language and geolocation if helpful
- Offer easy revocation via a footer link
Make sure the design offers equal prominence to acceptance and rejection. You’ll avoid dark patterns and reduce legal risk.
Step 3: Update Your Policies
Draft or update your Cookie Policy and align it with your Privacy Policy. Include your cookie inventory and explain how users can control their choices. If you want a lawyer‑drafted policy tailored to your stack, ask about a bespoke Cookie Policy or an end‑to‑end Data Protection Pack.
Step 4: Block Before Consent
In your tag manager, ensure non‑essential tags only fire after consent. Test on different browsers and devices. If you use server‑side tagging or app SDKs, configure those pathways too.
Step 5: Keep Records
Maintain logs to show when and how users gave consent (and for which categories). Record policy versions and banner designs in case the ICO asks for evidence of your approach.
Step 6: Maintain And Review
Set a reminder to review your Cookie Policy and consent settings at least every 6–12 months, or sooner if you add new tools. When you change your stack, update the cookie table and re‑present consent if appropriate.
Where Should I Put The Cookie Policy?
Place a permanent link in your site footer, near your Privacy Policy and Terms. Also link to it from your banner and preference centre so users can find it quickly.
Do I Need A Cookie Policy If I Only Use “Essential” Cookies?
If you truly only use strictly necessary cookies, you won’t need consent. However, it’s still best practice to publish a short Cookie Policy explaining what’s set and why - it demonstrates transparency and avoids user confusion.
Common Mistakes (And How To Avoid Them)
Even well‑intentioned businesses slip up on cookie compliance. Here are the pitfalls we see most often - and quick fixes you can apply.
- Setting Analytics Before Consent: Make sure analytics tags don’t fire until users opt in. Configure your tag manager conditions carefully and test.
- No “Reject All” Option: Offer an equally prominent reject route on the first layer of the banner. See our guidance on making Reject All Cookies buttons clear and lawful.
- Out‑of‑Date Cookie Table: Your policy must match reality. If you add a new A/B testing tool or ad network, update the inventory.
- Imprecise Wording: Avoid generic lines like “we may use cookies.” Be specific about types, purposes and durations, and link to third‑party policies where relevant.
- Ignoring Third‑Party Embeds: Video players, social buttons and chat widgets often set cookies. Map and control them via your CMP.
- Missing Contracts With Vendors: When a provider acts as your processor, put a compliant Data Processing Agreement in place and review transfer safeguards.
If any of this sounds daunting, don’t stress - once your system is set up, maintenance is straightforward. And if you prefer to focus on growth, we can get the legals sorted for you.
Related Website Legals To Put In Place
Cookie compliance is one part of your wider website legal framework. To stay protected and credible, small businesses often combine:
- Privacy Policy explaining your data practices across all channels
- Website Terms and Conditions covering acceptable use, IP, and liability
- Cookie Policy aligned with your consent banner
- Data Processing Agreement with processors handling personal data
- Data Protection Pack or internal policies and records to demonstrate UK GDPR compliance
Your banner design should also follow practical, user‑friendly principles - check our article on compliant cookie banners for layout and wording tips your users will appreciate.
Key Takeaways
- Under PECR, you need consent before setting non‑essential cookies (including analytics and advertising) - and your Cookie Policy must provide clear, accurate information.
- Use a UK‑friendly cookie policy template as a base, then tailor it to your real cookie inventory, vendors, and retention periods; keep it updated as your stack changes.
- Implement a proper consent banner with Accept/Reject/Manage options, block scripts until consent, and give users an easy way to change their choices later.
- Align your Cookie Policy with your Privacy Policy and ensure you have the right contracts in place with processors (e.g. a Data Processing Agreement).
- Avoid common pitfalls: pre‑ticked boxes, analytics loading before consent, and outdated cookie tables; maintain consent logs and review your setup regularly.
- If you want a tailored policy and end‑to‑end support, consider a bespoke Cookie Policy and a practical Data Protection Pack to protect your business from day one.


