Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business or startup, your website probably uses cookies in some form - whether that’s for analytics, advertising, embedded videos, live chat, or just remembering what’s in someone’s basket.
But once you’re using cookies, you’re also stepping into UK privacy compliance. And one of the most commonly searched (and most commonly misunderstood) parts of that is PECR cookie compliance.
Don’t stress - cookie compliance doesn’t have to be a legal headache. If you understand what PECR expects, what counts as “consent”, and how to set up a compliant banner and cookie policy, you can protect your business from avoidable complaints and regulator attention, while still getting the insights you need to grow.
What Are “PECR Cookies” And Why Do They Matter For Your Business?
When people talk about “PECR cookies”, they’re referring to the rules on cookies and similar tracking technologies under the Privacy and Electronic Communications Regulations 2003 (usually shortened to PECR).
In plain English: PECR tells you when you can put cookies on a user’s device, and when you need to ask first.
PECR works alongside the UK GDPR and the Data Protection Act 2018. That means cookie compliance is usually a two-part issue:
- PECR – focuses on storing/reading information on a user’s device (cookies, pixels, SDKs, similar tech).
- UK GDPR – focuses on the processing of personal data (which cookies often involve, directly or indirectly).
Why This Comes Up So Often For Small Businesses
Even a simple website can trigger PECR cookie obligations. Common examples include:
- analytics tools tracking visits and behaviour
- advertising and retargeting pixels
- embedded media (like videos) that place tracking cookies
- social sharing tools
- live chat widgets and customer support tools
If your business is trying to market smarter, improve conversion rates, or measure performance, you’re likely using tools that rely on cookies. So it’s worth getting the legal foundation right early - not when you’re already scaling.
When Do You Need Consent Under PECR (And When You Don’t)?
The practical starting point is this: PECR generally requires you to get consent before you set cookies.
There’s one important exception - cookies that are “strictly necessary” for providing a service the user has requested.
Strictly Necessary Cookies (Usually No Consent Required)
These are cookies that are genuinely essential to make the site or service work as the user expects. For example:
- cookies that keep a user logged in during a session
- security cookies (e.g. to prevent fraud or protect accounts)
- shopping basket cookies that remember items during checkout
- load balancing cookies that help the site function properly
Even when consent isn’t required, you still need to be transparent about them (more on this when we talk about your cookie policy and privacy information).
Non-Essential Cookies (Consent Is Usually Required)
Most of the cookies businesses use for growth and marketing are not “strictly necessary”. This includes:
- analytics cookies (tracking user behaviour to improve the site)
- marketing/advertising cookies (targeting ads, measuring campaigns, retargeting)
- personalisation cookies (remembering preferences that aren’t essential)
- social media cookies (especially where they track users across sites)
If these cookies are used, the safer assumption is: you’ll need consent before they’re placed.
What About “Similar Technologies”?
PECR doesn’t just apply to classic browser cookies. The rules also cover other tools that store or access information on a device, such as:
- tracking pixels
- mobile app SDKs
- device fingerprinting (in many cases)
- local storage technologies
So if your startup operates a mobile app or uses more advanced tracking, cookie compliance isn’t just a “website footer” issue - it’s a broader product and marketing compliance issue.
What Does Valid Cookie Consent Look Like Under PECR And UK GDPR?
This is where many businesses accidentally get it wrong. It’s not enough to have a banner that says “By using this site you accept cookies”. For most non-essential cookies, you need proper consent.
Valid cookie consent should be:
- Informed – the user understands what cookies are being used and why.
- Freely given – the user has a real choice (not forced or pressured).
- Specific – ideally by category (e.g. analytics vs marketing) rather than a single “all or nothing” for everything non-essential.
- Unambiguous – a clear affirmative action (clicking “Accept”, toggling on categories).
- Documented – you can show what was consented to and when (this matters if you’re challenged).
Common Cookie Banner Mistakes (That Can Create Risk)
If you’re reviewing your setup, these are classic red flags:
- pre-ticked boxes for analytics or marketing cookies
- cookies firing before the user has a choice (except strictly necessary cookies)
- no “Reject” option, or making rejection much harder than acceptance
- vague wording like “We use cookies to improve your experience” with no real detail
- bundled consent where one click consents to multiple unrelated purposes
As your business grows, these “small” issues can become bigger - especially if you’re investing in marketing, partnering with larger organisations, or going through due diligence with investors.
Do You Need An “Accept All” And “Reject All” Button?
In practice, providing a clear way to accept and a clear way to reject non-essential cookies is one of the simplest ways to reduce compliance risk.
You also want to make it easy for users to change their mind later (for example, via a “Cookie Settings” link in your footer).
How To Set Up A Compliant Cookie Banner And Cookie Policy (A Practical Checklist)
If you’re a small business owner, you’re probably not trying to become a privacy lawyer - you just want a setup that’s sensible, compliant, and doesn’t kill conversions.
Here’s a practical approach that works for most startups and SMEs.
Step 1: Audit What Cookies You Actually Use
You can’t manage what you don’t know you’re using. Start by identifying:
- what cookies are set by your site (first-party)
- what cookies are set by third parties (embedded tools, advertising platforms, social media widgets)
- the purpose of each cookie
- how long each cookie lasts
This is often the step that surprises people - especially when third-party plugins add tracking you didn’t intentionally choose.
Step 2: Categorise Cookies Properly
Most businesses split cookies into categories like:
- Strictly Necessary
- Analytics
- Functional/Preferences
- Marketing
Then, configure your banner so that only strictly necessary cookies run by default, and everything else requires opt-in.
Step 3: Publish A Clear Cookie Policy (Not Just A Banner)
Your cookie banner is just the front door. Your Cookie Policy is where you explain the detail in a way users can actually understand.
A strong cookie policy usually covers:
- what cookies are (in plain language)
- what categories you use and why
- a table of cookies (name, provider, purpose, expiry)
- how to change cookie preferences
- how users can manage cookies through browser settings
The goal is transparency - not burying people in technical jargon.
Step 4: Align Your Privacy Information With Your Cookie Practices
Cookies often involve personal data (directly or indirectly). That’s why your Privacy Policy also needs to align with what your website is doing.
For example, if you collect analytics data, run targeted marketing, or share data with service providers, your privacy wording should reflect:
- what data is collected
- your purposes for using it
- your lawful basis under UK GDPR (this depends on the processing - for cookie placement and similar tracking, consent is commonly used for non-essential cookies)
- who you share data with (where relevant)
- international transfers (if applicable)
Step 5: Make Sure Cookies Don’t Fire Before Consent
This is a technical implementation issue, but it’s crucial for PECR cookie compliance.
In practical terms, you may need to configure your website tools so that:
- analytics scripts only load after consent
- advertising tags are blocked until opted in
- embedded media is set to privacy-enhanced mode or click-to-load (where appropriate)
If you’re not sure whether your cookies are firing too early, a cookie audit can usually confirm it quickly.
Step 6: Keep Records And Review Regularly
Cookie setups change over time - especially in startups where new tools get added fast.
Build in a habit of reviewing your cookies when you:
- launch a new website feature
- add marketing tags or conversion tracking
- change your booking system, ecommerce platform, or CRM
- add embedded content or third-party widgets
If you’re growing quickly, it can also help to put broader privacy compliance foundations in place (for example, a GDPR package that reflects how your business actually operates).
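To make Step 5 concrete, here is an added example (not code from the original article) of the gating logic a site can put in front of its tags: nothing but strictly necessary tags runs by default, each non-essential tag is queued until the user opts in to its category, and every decision is logged with a timestamp so consent can be evidenced later. The category names, tag names and `load` callbacks are assumptions chosen for illustration.

```javascript
// Added example, not code from the original article. A small consent gate that
// queues non-essential tags until the user opts in to their category and keeps a
// timestamped record of each decision. Tag names in the comments are constructed.
const NON_ESSENTIAL = ["analytics", "functional", "marketing"];

function createConsentGate(clock = () => new Date().toISOString()) {
  // Default state: strictly necessary only; everything else stays off until opted in.
  const consent = { necessary: true, analytics: false, functional: false, marketing: false };
  let pending = [];   // tags waiting for consent to their category
  const loaded = [];  // names of tags whose loader has already run (never run twice)
  const log = [];     // audit trail: what was chosen, when, and via which control

  function runIfAllowed(tag) {
    if (consent[tag.category] !== true || loaded.includes(tag.name)) return false;
    tag.load();       // e.g. inject the vendor <script> element or call its init()
    loaded.push(tag.name);
    return true;
  }

  // Register every tag here instead of loading it inline in the page <head>.
  function register(tag) {
    if (!(tag.category in consent)) throw new Error(`unknown cookie category: ${tag.category}`);
    if (!runIfAllowed(tag)) pending.push(tag);
  }

  // Apply the choices from the banner or the "Cookie Settings" panel. Any category
  // not explicitly set to true is treated as rejected (no pre-ticked defaults).
  function update(choices, source) {
    for (const c of NON_ESSENTIAL) consent[c] = choices[c] === true;
    log.push({ at: clock(), source, choices: { ...consent } });
    // Release queued tags whose category is now allowed, preserving registration order.
    // Tags already loaded cannot be un-run: withdrawing consent only blocks new loads,
    // so the site must also expire that category's cookies itself.
    pending = pending.filter((tag) => !runIfAllowed(tag));
  }

  return {
    register,
    update,
    acceptAll: (source = "accept-all") => update({ analytics: true, functional: true, marketing: true }, source),
    rejectAll: (source = "reject-all") => update({}, source),
    allowed: (category) => consent[category] === true,
    loadedTags: () => [...loaded],
    pendingTags: () => pending.map((tag) => tag.name),
    consentLog: () => log.map((entry) => ({ ...entry })),
  };
}
```

Wire `acceptAll`, `rejectAll` and `update` to the banner buttons and the footer "Cookie Settings" link. To confirm nothing fires early, open the site fresh in a private window and check the browser's storage and network panels before touching the banner: only the strictly necessary cookies should be present.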
What Other Legal Documents Should You Review Alongside Cookie Compliance?
Cookie compliance isn’t isolated. It sits inside your wider legal setup - especially if you operate online, market to consumers, or rely on third-party providers.
Website Terms And Customer-Facing Documents
If you sell online or capture leads through a website, your Website Terms and Conditions should match how your platform works - including any rules on account use, acceptable behaviour, and liability settings.
This won’t replace your cookie policy (they’re different documents), but it helps ensure your overall site compliance is joined up and professional.
Supplier And Processor Contracts
If third-party providers process personal data for you (for example, marketing platforms, analytics providers, customer support tools), you may also need a Data Processing Agreement in place.
This is particularly relevant for businesses scaling their marketing stack or building a more complex digital product. The legal issue here isn’t just “the cookie” - it’s what happens to the data collected via that cookie.
Internal Practices (Especially If Staff Touch Marketing And Customer Data)
As soon as you have a team, privacy compliance is easier when everyone is on the same page about how tools and data are used.
That might mean documenting internal practices for setting up tracking, approving new tools, and handling customer data responsibly. This isn’t strictly required for cookies, but it becomes more important as you hire, delegate marketing, or engage contractors.
What Are The Risks If You Get PECR Cookies Wrong?
For many small businesses, the real risk isn’t that someone is actively trying to “catch you out”. It’s that cookie issues are easy to spot, easy for users to complain about, and easy for regulators to investigate.
If your business gets PECR cookie compliance wrong, the risks can include:
- ICO complaints (from customers, competitors, or privacy-focused users)
- enforcement action (particularly if your setup is clearly non-compliant and you ignore warnings)
- reputational harm (privacy trust matters, especially for new brands)
- commercial friction during investment or partnership due diligence
- wasted marketing spend if your tracking is unreliable or not properly configured
A Quick Scenario That’s Common In Startups
Imagine your startup invests heavily in paid ads, sets up conversion tracking, and starts scaling. A few months later, you discover your cookie banner doesn’t actually block marketing cookies until consent, and you’ve got no proper records of consent.
Now you’re trying to fix it while scaling - under pressure - and you may also need to revisit your privacy wording, data sharing arrangements, and tracking configuration.
It’s almost always easier (and cheaper) to set up properly from day one.
Key Takeaways
- Under the PECR rules on cookies, you generally need consent before placing non-essential cookies on a user’s device.
- Strictly necessary cookies usually don’t require consent, but you still need to be transparent about them.
- Valid consent should be informed, freely given, specific, and recorded - and non-essential cookies shouldn’t fire until a user opts in.
- A compliant setup usually involves a properly configured banner, a clear Cookie Policy, and a Privacy Policy that matches what your website actually does.
- Cookie compliance often links to wider legal foundations, including data processing terms with suppliers and consistent online terms.
- Getting it right early helps reduce complaint risk, avoids costly rework later, and supports smoother growth and due diligence.
This article is general information only and isn’t legal advice. If you’d like advice on your specific setup, speak to a lawyer.
If you’d like help getting your cookie banner, Cookie Policy, and privacy compliance set up properly for your business, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.