Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Are Cookies And Why Do They Matter For Your Business?
- Which Cookies Need Consent Under UK Law?
- How To Make Your Cookie Banner Compliant (Without Ruining UX)
- What Your Cookie And Privacy Notices Should Cover
- Do’s And Don’ts For Cookie Compliance
- How Cookie Compliance Fits With Your Wider Legal Setup
- Key Takeaways
If you sell online, run a marketing site or even just embed a YouTube video, your website probably sets cookies. Knowing the different types of internet cookies - and which ones need consent - is essential if you want to stay on the right side of UK privacy law and build trust with customers.
In this guide, we’ll break down the main types of web cookies in plain English, explain when consent is legally required under PECR and UK GDPR, and share practical steps to get your cookie banner and notices right without slowing down your growth.
What Are Cookies And Why Do They Matter For Your Business?
Cookies are small text files stored on a user’s device. They help websites remember user actions and preferences, link sessions, and track interactions for analytics or advertising. Similar technologies - like local storage, pixels, tags, SDKs in mobile apps and device fingerprinting - are treated much the same way under UK privacy rules.
For UK businesses, three legal regimes matter most:
- Privacy and Electronic Communications Regulations 2003 (PECR) - sets the rules on storing or accessing information on a user’s device (cookies and similar technologies). This is where consent usually comes in.
- UK GDPR and the Data Protection Act 2018 - apply when cookies process personal data (for example, IPs, online identifiers, profile data). This covers transparency, lawful bases, minimisation, security and user rights.
- ICO guidance - the UK regulator’s guidance explains what “valid consent” looks like and what a compliant banner needs to do in practice.
In short: for any non-essential cookie you must get consent before setting it. Consent cannot be bundled into your terms or collected on an opt-out basis, and refusing must be as easy as accepting.
The Main Types Of Internet Cookies (And What They Do)
Let’s demystify the common types of cookies website owners use. You’ll often see these grouped by purpose, by who sets them (first vs third party) and by duration (session vs persistent).
By Purpose
- Strictly Necessary Cookies - Essential for your site to function or provide a service explicitly requested by the user (e.g. keeping a shopping cart, load balancing, security, logging in). These typically do not require consent under PECR, but you still need to explain them in your notices.
- Functionality (Preference) Cookies - Remember choices like language or region. These are not strictly necessary and generally require consent.
- Performance/Analytics Cookies - Measure how users engage with your site (pages viewed, time on page, events). Most analytics cookies require consent unless implemented in a way that genuinely prevents personal data collection and cross-site tracking.
- Advertising/Targeting Cookies - Track users for profiling, retargeting and interest-based ads across websites/apps. These require prior consent.
- Social Media Cookies - Set by embedded social widgets or share buttons. Typically treated like targeting cookies and require consent.
- Security/Fraud Prevention Cookies - Help detect suspicious activity, enforce rate limits or authentication. Where truly essential to provide the service, these may be strictly necessary.
By Who Sets Them
- First-Party Cookies - Placed by your own domain. Often used for basic site operations and your own analytics.
- Third-Party Cookies - Placed by another domain (e.g. an ad network or analytics provider). Common for advertising, social media, and some embedded services.
By Duration
- Session Cookies - Deleted when the browser closes. Often used for a single visit or login session.
- Persistent Cookies - Remain on the device for a set period (days to years) unless manually cleared. Frequently used for remembering preferences or tracking.
Similar Technologies You Should Treat Like Cookies
- Local Storage/Session Storage - Browser storage that can hold larger data than a cookie.
- Pixels/Tags/Beacons - Snippets of code that trigger when pages or emails are viewed.
- SDKs (Mobile Apps) - Software components embedded in apps for analytics, ads or crash reporting.
- Device Fingerprinting - Uses device/browser characteristics to track users without cookies.
PECR applies to “storing or accessing information” on a device - not just traditional cookies. So treat these technologies with the same care you apply to cookies.
Which Cookies Need Consent Under UK Law?
Under PECR, you must obtain consent before setting any cookies that are not “strictly necessary” to provide a service the user explicitly requested. That means functionality, analytics (in most cases), advertising/targeting and social media cookies all require consent first.
Valid consent under UK GDPR must be:
- Freely given - No nudging, and no “accept or leave” walls unless the user has a genuine, fair alternative to accepting.
- Specific and informed - Granular choices (e.g. separate toggles for analytics vs ads) with clear explanations of what each category does and who receives data.
- Unambiguous - Active opt-in only (no pre-ticked boxes). Scrolling or implied consent is not enough.
- As easy to refuse as accept - “Reject” must be as prominent as “Accept,” ideally on the first layer. You can read more about designing a banner with this in mind in our guide to cookie banners.
You also need to let users change their mind easily at any time (e.g. a persistent “Cookie Settings” link) and keep records of consents. If you’re using third-party tools (ad platforms, analytics suites), ensure those vendors support consent signals and don’t drop non-essential cookies until a user opts in. The ICO has also indicated that “reject all” should be available with equal prominence, so consider adding a visible reject all option in the first layer of your banner.
How To Make Your Cookie Banner Compliant (Without Ruining UX)
Good banners don’t have to be ugly or conversion-killing. They do, however, need to put users in control. A compliant design typically includes:
- First-layer choices - Accept all, reject all, and “manage settings.”
- Granular toggles - At least separate controls for analytics and advertising cookies; more categories if you use them.
- Plain-English descriptions - Why each category is used and what it means for the user.
- No tracking until consent - Block non-essential scripts by default (including tags loaded through a tag manager) rather than loading them and clearing their cookies afterwards.
- Easy withdrawal - A visible link or icon to reopen settings from any page.
From a legal perspective, avoid dark patterns (designs that push users to “accept all”). From a technical perspective, many Consent Management Platforms (CMPs) can help block tags until consent is received and pass consent states to your marketing stack.
Don’t forget that cookies sit inside your broader privacy compliance. You’ll need a clear Cookie Policy and a comprehensive Privacy Policy that explain what data you collect, why you collect it, who you share it with and how users can exercise their rights.
What Your Cookie And Privacy Notices Should Cover
Transparency is crucial. A user should be able to scan your notices and quickly understand what you do. Make sure your Cookie Policy and Privacy Policy cover at least:
- Types of cookies your website uses - Categorise by purpose (strictly necessary, functionality, analytics, advertising, social) and include typical lifespans.
- Third parties involved - Name key providers that place cookies or receive data (e.g. ad platforms, analytics vendors).
- Lawful bases - Consent for non-essential cookies; legitimate interests might apply for strictly necessary operations (explain this clearly).
- How to control cookies - Link to your on-site controls and explain browser settings.
- International transfers - Whether data leaves the UK and what safeguards you rely on.
- User rights - Access, deletion, objection, and withdrawal of consent.
Because cookie inventories change as you add tools, set a recurring review to update both notices. If you need support, our GDPR Package or Data Protection Pack can help you put everything in place quickly and correctly.
Practical Steps To Audit And Manage Cookies (A Simple Checklist)
Here’s a no-nonsense process you can run as a small business owner to bring your site in line:
1) Map Your Cookies And Tracking
- Use your CMP scanner or browser dev tools to list cookies, local storage, pixels and SDKs.
- Group them by purpose, provider, duration and whether they’re first/third party.
- Confirm which ones fire before consent and fix that behaviour.
2) Decide What’s Strictly Necessary
- Cart, checkout, authentication, security controls and load balancing can be essential if they’re needed to deliver the service requested by the user.
- Most analytics and advertising technologies are not essential - plan to gate them behind consent.
3) Configure A Consent Management Platform
- Implement a CMP that can block non-essential scripts until consent is recorded.
- Offer “accept all,” “reject all,” and granular toggles with clear, balanced language (no nudging).
- Support consent withdrawal at any time and log consent status for auditing.
4) Update Your Notices
- Publish or refresh your Cookie Policy to mirror your current set-up.
- Align your Privacy Policy with UK GDPR transparency requirements.
5) Sort Your Contracts And Vendors
- Check your vendors’ roles (controller vs processor). When a provider processes personal data for you, put a robust Data Processing Agreement in place.
- Review ad-tech terms for onward transfers outside the UK and ensure appropriate safeguards.
- Prefer privacy-friendly settings (IP anonymisation, regional data centres, limited data retention).
6) Consider Risk Assessments
- For high-risk profiling or widespread tracking, consider a Data Protection Impact Assessment (DPIA).
- Document decisions - why a cookie is essential, why you rely on consent, and how users can opt out.
7) Train Your Team And Re-Audit Regularly
- Make sure marketing and developers understand that new tools can’t go live without consent gating.
- Re-scan quarterly (or whenever you add tags) and update settings and notices accordingly.
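The banner design above and steps 1 and 3 of this checklist come down to the same mechanism: a consent record that defaults to “refused”, granular opt-in choices, tags that load only for consented categories, and an easy withdrawal. The JavaScript below is an added example of that gate, not code from the original article or from any CMP product. The category names, the tag registry and the vendor URLs are placeholders, and the decision logic is kept separate from the browser so it runs outside a page.

```javascript
// Added example (not from the article or any CMP product): a minimal
// consent gate that defaults to "refused", records granular opt-in choices,
// loads third-party tags only for consented categories, and flags cookies
// that fired before consent. Category names and vendor URLs are assumptions.

const CATEGORIES = ["analytics", "advertising", "social"]; // non-essential only

// Placeholder tag registry: which script belongs to which category.
// Strictly necessary scripts are deliberately not listed here; they load
// unconditionally elsewhere and are never gated.
const TAGS = [
  { id: "analytics-tag", category: "analytics", src: "https://analytics.example/tag.js" },
  { id: "ads-tag", category: "advertising", src: "https://ads.example/pixel.js" },
  { id: "share-widget", category: "social", src: "https://social.example/widget.js" },
];

// Default state: nothing granted. Absent or unreadable consent is "no consent".
function defaultConsent() {
  const choices = {};
  for (const c of CATEGORIES) choices[c] = false;
  return { version: 1, ts: null, choices };
}

// Parse a stored JSON record. Only an explicit boolean true counts as
// opt-in; a malformed record, a missing key or a truthy non-boolean
// ("yes", 1) all map to false, so a tampered cookie cannot grant consent.
function parseConsent(raw) {
  if (typeof raw !== "string" || raw === "") return defaultConsent();
  let obj;
  try { obj = JSON.parse(raw); } catch (e) { return defaultConsent(); }
  if (!obj || typeof obj.choices !== "object" || obj.choices === null) return defaultConsent();
  const state = defaultConsent();
  for (const c of CATEGORIES) state.choices[c] = obj.choices[c] === true;
  state.ts = Number.isFinite(obj.ts) ? obj.ts : null;
  return state;
}

// Build a record from the user's explicit choices (the "manage settings"
// layer). Unknown categories are ignored; anything not explicitly true is false.
function recordChoices(choices, now = Date.now()) {
  const state = defaultConsent();
  for (const c of CATEGORIES) state.choices[c] = choices[c] === true;
  state.ts = now;
  return state;
}

function acceptAll(now) {
  const all = {};
  for (const c of CATEGORIES) all[c] = true;
  return recordChoices(all, now);
}

function rejectAll(now) { return recordChoices({}, now); }

// Serialise for storage in a first-party cookie or localStorage; the
// timestamp is the consent record you keep for auditing.
function serialiseConsent(state) { return JSON.stringify(state); }

// Which registered tags a given consent state permits.
function tagsAllowed(state) {
  return TAGS.filter(t => state.choices[t.category] === true).map(t => t.id);
}

// Inject permitted tags. `inject(src)` is passed in so the decision logic
// runs outside a browser; in a page it would be something like
// src => { const s = document.createElement("script"); s.src = src; document.head.appendChild(s); }
function applyConsent(state, inject) {
  const allowed = new Set(tagsAllowed(state));
  for (const t of TAGS) if (allowed.has(t.id)) inject(t.src);
  return allowed.size;
}

// Withdrawal: overwrite the record with "refused everything" and report
// which previously permitted tags must be removed and their cookies expired.
function withdrawAll(prevState, now) {
  const revoked = tagsAllowed(prevState);
  return { state: rejectAll(now), revoked };
}

// Audit helper for step 1 of the checklist: cookie names observed before
// any consent was given (copied from dev tools) versus the names you have
// classified as strictly necessary. Anything else fired too early.
function preConsentViolations(observedNames, strictlyNecessary) {
  const ok = new Set(strictlyNecessary);
  return observedNames.filter(n => !ok.has(n));
}

// Stand-alone walk-through on constructed data.
function demo() {
  const loaded = [];
  const partial = recordChoices({ analytics: true, advertising: false }, 1700000000000);
  applyConsent(partial, src => loaded.push(src));
  const roundTrip = parseConsent(serialiseConsent(partial));
  const observed = ["sessionid", "csrftoken", "_ga", "_fbp"]; // constructed sample
  return {
    loaded,
    roundTripOk: roundTrip.choices.analytics && !roundTrip.choices.advertising,
    tooEarly: preConsentViolations(observed, ["sessionid", "csrftoken"]),
    revokedOnWithdraw: withdrawAll(acceptAll(1), 2).revoked,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two design points matter here. First, the stored record is parsed strictly: only a literal boolean `true` grants a category, so a cookie edited by hand or corrupted in transit falls back to “refused” rather than accidentally enabling tags. Second, the strictly necessary scripts never appear in the gated registry at all, which is the practical meaning of “block by default”: if a new tag is added without a category, it simply does not load until someone classifies it.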
Common Scenarios (And How To Handle Them)
“We Only Use Analytics - Do We Still Need Consent?”
In most set-ups, yes. If your analytics tool collects or shares personal data or enables cross-site tracking, treat it as non-essential. Configure it to wait for opt-in. If your provider offers a mode that truly avoids personal data and cross-site tracking, carefully review the documentation and keep a record of your assessment.
“We Send Marketing Emails - Is That The Same As Cookies?”
Email marketing is governed by PECR too, but through separate rules (consent and the “soft opt-in” for existing customers). It often intersects with cookies because email pixels and link tracking collect analytics on opens and clicks. Make sure your approach to email marketing laws and cookie tracking is consistent and transparent.
“We Run A Mobile App - Do These Rules Apply?”
Yes. Storing or accessing data on a user’s device via SDKs or local storage is covered. Provide a clear consent flow within your app, with granular controls and an easy way to withdraw consent (e.g. a settings screen). Your in-app notices should mirror your website approach.
“We Need Conversions - Won’t A Big Banner Hurt Us?”
A balanced, user-friendly design can preserve conversions and trust. Keep the first layer concise, offer reject and manage buttons with equal prominence, and explain benefits plainly (e.g. “Analytics help us improve our site”). Avoid manipulating users - it risks non-compliance and damages brand credibility.
Do’s And Don’ts For Cookie Compliance
- Do collect consent before setting non-essential cookies.
- Do provide a “reject all” option with equal prominence to “accept all.”
- Do use granular categories and plain-English explanations.
- Do maintain accurate records of consent state and provide easy withdrawal.
- Don’t rely on implied consent (scrolling or continuing to browse).
- Don’t pre-tick boxes or hide the reject button behind extra clicks.
- Don’t forget to keep your notices and inventory up to date as your stack changes.
How Cookie Compliance Fits With Your Wider Legal Setup
Cookie compliance is one piece of your broader legal foundation. Alongside your cookie controls, make sure you’ve covered other essentials like clear online terms, refunds and advertising standards, and data protection processes. If privacy and marketing compliance feel heavy, getting proper documents and a repeatable process in place early will save you headaches later. Avoid generic templates - tailored documents help ensure that your disclosures match how your site actually works, from your Cookie Policy to your Privacy Policy.
Key Takeaways
- Understand the types of cookies set on your site: strictly necessary, functionality, analytics, advertising and social - plus first vs third party, and session vs persistent.
- Under PECR, you need consent before setting non-essential cookies. Consent must be informed, granular and freely given - with reject as easy as accept.
- Design your banner to block non-essential cookies by default, provide “accept all,” “reject all” and granular choices, and allow easy withdrawal.
- Keep your Cookie Policy and Privacy Policy accurate and up to date, clearly listing cookie categories, providers, lawful bases and user rights.
- Put the right contracts and safeguards in place with vendors - including a Data Processing Agreement where appropriate - and review international transfers.
- Schedule regular audits of your tags and notices, and train your team so new tools don’t go live without consent controls.
- If you’re unsure, get tailored help - setting up compliance early is faster and cheaper than fixing it after the fact.
If you’d like help auditing your cookies, drafting a compliant Cookie Policy and Privacy Policy, or configuring a banner that meets UK requirements, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.