Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
What Your Website Cookie Policy Should Include (A Practical Checklist)
- 1) A Plain-English Explanation Of Cookies And Similar Technologies
- 2) What Cookies Your Website Uses And Why
- 3) Third-Party Cookies And Third-Party Tools
- 4) How Users Can Manage Cookies (Consent, Settings, Opt-Out)
- 5) How Your Cookie Policy Links Up With Your Privacy Policy
- 6) Updates, Version Control, And Contact Details
Common Website Cookie Policy Mistakes (And How To Avoid Them)
- Mistake 1: Using A Generic Template That Doesn’t Match Your Website
- Mistake 2: Treating Analytics Cookies As “Essential” Without Thinking It Through
- Mistake 3: No “Reject” Button (Or A Hard-To-Find One)
- Mistake 4: Forgetting The Rest Of Your Website Legals
- Mistake 5: Ignoring Data Retention And “How Long” Information Is Kept
- Key Takeaways
If you run a business website, chances are your site uses cookies (or similar tracking tech) even if you haven’t intentionally “set up tracking”. Things like analytics, embedded videos, live chat widgets, booking tools, and advertising pixels can all drop cookies.
That’s why having a proper cookie policy for your website isn’t just a nice-to-have. For many UK small businesses, it’s part of building your legal foundations early - and staying compliant as you grow.
Below, we’ll break down (in plain English) what a website cookie policy is, how GDPR and PECR fit in, what your policy should include, and what you should be doing on your website to collect cookie consent properly.
What Is A Website Cookie Policy And When Do You Need One?
A website cookie policy is a document that explains how your website uses cookies (and similar technologies), why you use them, and what choices users have.
It’s usually linked in your website footer and referenced through your cookie banner or consent pop-up.
So, What Are Cookies (In Simple Terms)?
Cookies are small text files stored on a user’s device when they visit your website. They can help your website:
- Remember preferences (like language, region, or login status)
- Keep shopping baskets working properly
- Track website traffic and usage (analytics)
- Deliver personalised ads or measure ad performance
Some cookies are set by you (often called “first-party cookies”), while others are set by third parties whose tools you use (for example, marketing or social media plugins).
When Do You Need A Website Cookie Policy?
In practice, if your website uses anything beyond strictly necessary cookies, you should have a website cookie policy and a cookie consent mechanism.
Even if you only use analytics to understand how people use your site, you’ll usually still need to explain it clearly and manage consent properly.
And if your business website collects any personal data (like names, email addresses, IP addresses, or online identifiers), you’ll also typically need a Privacy Policy that works alongside your cookie policy.
Which UK Laws Apply To Cookies? (UK GDPR, Data Protection Act 2018, And PECR)
Cookies can feel like a “tech” issue, but they’re a legal compliance issue too. In the UK, cookies are mainly governed by:
- Privacy and Electronic Communications Regulations (PECR)
- UK GDPR (and the Data Protection Act 2018)
PECR: The Cookie-Specific Rules
PECR is the key set of rules that deals specifically with storing information on a user’s device (which includes cookies) and accessing that information.
In general, PECR requires you to:
- Provide clear and comprehensive information about cookies; and
- Get the user’s consent before placing cookies, unless the cookie is strictly necessary for providing a service the user asked for.
That “strictly necessary” exception is narrower than many businesses expect. It usually covers things like security, load balancing, or shopping cart functionality - not marketing cookies, and not most analytics cookies.
UK GDPR: How You Process Personal Data Through Cookies
UK GDPR kicks in when cookies (or similar tracking tech) involve personal data. This can include:
- IP addresses
- Device identifiers
- Online identifiers (including cookie IDs)
- Behavioural data that can be linked back to a person
So if you’re using cookie-based tools to profile users, measure conversions, run retargeting ads, or track user journeys, you’re likely dealing with personal data processing.
That means you must comply with UK GDPR principles like transparency, purpose limitation, data minimisation, security, and accountability.
If you want a practical way to get your website compliance foundations in order, a tailored GDPR package can help you align your cookie approach with the rest of your privacy compliance (rather than treating cookies as a one-off banner problem).
What Your Website Cookie Policy Should Include (A Practical Checklist)
A strong website cookie policy is clear, specific to your site, and easy for a normal person to understand. It should match what your website actually does (this is where many template policies fall down).
Here’s what your website cookie policy should generally include.
1) A Plain-English Explanation Of Cookies And Similar Technologies
Your cookie policy should explain what cookies are and (if relevant) mention other technologies you use, such as:
- Pixels
- Local storage
- SDKs (common in apps)
- Tags
This is about transparency - users should understand what’s going on when they use your website.
2) What Cookies Your Website Uses And Why
This is the heart of the cookie policy.
Best practice is to list cookies by category and purpose, for example:
- Strictly necessary cookies (essential for site operation)
- Functional cookies (remembering settings)
- Analytics/performance cookies (site measurement and improvements)
- Marketing/advertising cookies (targeted ads, conversion tracking)
For each cookie (or cookie group), you should explain:
- Its name (where practical)
- What it does
- Who sets it (you or a third party)
- How long it lasts (session vs persistent cookies, and expiry periods)
If your cookie policy is vague (“we may use cookies for analytics and marketing”), it may not meet the “clear and comprehensive information” standard expected under PECR.
3) Third-Party Cookies And Third-Party Tools
Many business sites rely on third parties for functionality. Your cookie policy should call out where third parties may set cookies or collect information through your site.
Common examples include:
- Analytics tools
- Advertising and conversion tracking tools
- Embedded video players
- Live chat tools
- Social media embeds
If third parties are involved, your cookie policy should be consistent with your broader privacy documentation and any relevant data processing arrangements you have in place.
4) How Users Can Manage Cookies (Consent, Settings, Opt-Out)
Your website cookie policy should clearly explain how users can:
- Accept or reject non-essential cookies via your cookie banner/preferences centre
- Change their mind later (withdraw or adjust consent)
- Use browser settings to manage or delete cookies
A key point here is control. Under PECR and UK GDPR expectations, users should have meaningful choices, not a “take it or leave it” experience.
5) How Your Cookie Policy Links Up With Your Privacy Policy
Your cookie policy and privacy policy should work together (and not contradict each other).
For example, the cookie policy focuses on what gets stored on devices and what tracking occurs, while the privacy policy covers the broader picture: what personal data you collect, your lawful bases, who you share data with, data retention, and user rights.
It’s common to include a line in your cookie policy directing users to your Privacy Policy for more information about how you handle personal data.
6) Updates, Version Control, And Contact Details
Your cookie policy should include:
- The date it was last updated
- How you’ll notify users of material changes (where appropriate)
- Contact details for privacy queries (for example, a business email address)
This matters because cookies on websites tend to change over time - new plugins, new ad campaigns, new booking tools - and your cookie policy should keep pace.
If you want a ready-to-use document that’s designed for websites and ecommerce businesses, a tailored Cookie Policy can be a practical starting point (especially if you’re scaling and adding new tools regularly).
How To Collect Cookie Consent Properly (Not Just A Banner That Looks Nice)
A common trap is thinking the legal requirement is “having a cookie banner”. The legal requirement is about providing information and getting valid consent for non-essential cookies.
To meet PECR and align with UK GDPR standards for consent, your approach should generally include the following.
Make It Clear What You’re Asking For
Your cookie banner (or pop-up) should explain, in plain English:
- That cookies are used
- What they’re used for (by category)
- That users can accept, reject, or manage preferences
A banner that only says “We use cookies to improve your experience” is usually too vague.
Get Consent Before Non-Essential Cookies Are Dropped
For most businesses, a key compliance step is ensuring non-essential cookies (like marketing and most analytics cookies) don’t load until the user consents.
This is partly legal, and partly technical - meaning you may need the right configuration in your website platform or a consent management tool that properly controls tags.
Give Users A Real Choice (Including “Reject”)
Consent needs to be freely given. If the interface pushes users into accepting cookies (for example, an “Accept” button but no “Reject” option), that can create compliance risk.
A good standard approach is:
- Accept All
- Reject All
- Manage Preferences (granular choices by cookie category)
Keep Records Of Consent
UK GDPR is built around accountability. In many cases, it’s sensible to keep an auditable record that consent was obtained, including:
- What the user consented to
- When they consented
- What version of your cookie notice/policy was shown
You don’t necessarily need to build a complex system as a small business, but you should be able to explain and evidence your consent set-up if questions are raised later.
Make It Easy To Withdraw Or Change Consent
A compliant setup usually includes an always-accessible way for users to adjust cookie choices later (for example, a “Cookie Settings” link in the footer).
If users can accept cookies in one click but can’t withdraw without digging through browser settings, your consent setup may not hold up well.
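The consent set-up described in this section, as an added example that is not Sprintlaw's code or any real consent tool: a small JavaScript consent manager that loads non-essential tags only after the user has consented to their category, records what was agreed, when, and which policy version was shown, re-prompts when that version changes, and supports withdrawal. The tag names, storage key and policy version are constructed placeholders, and `loadTag` and `storage` are injected so the logic runs in Node as well as in a browser.

```javascript
// Added example, not Sprintlaw's code or any real consent tool: a minimal consent
// gate. Non-essential tags load only after consent to their category, each decision
// is stored with a timestamp and the policy version shown, and can be withdrawn.
const POLICY_VERSION = "2024-06-01"; // constructed: version of the cookie notice shown
// Constructed sample of a site's tags by category; names are hypothetical placeholders.
const TAGS = {
  necessary: ["session", "csrf-token"], // strictly necessary: no consent needed
  functional: ["language-pref"],
  analytics: ["analytics-tag"],
  marketing: ["ads-pixel"],
};
const NON_ESSENTIAL = ["functional", "analytics", "marketing"];
// loadTag injects a script; storage is any Map-like store (a cookie or localStorage
// wrapper in the browser). Both are injected so the logic runs outside a browser.
function createConsentManager({ loadTag, storage, now = () => new Date() }) {
  const loaded = new Set();
  const load = (category) => {
    for (const tag of TAGS[category]) {
      if (!loaded.has(tag)) { loaded.add(tag); loadTag(tag); }
    }
  };
  const applyStored = (rec) => NON_ESSENTIAL.filter((c) => rec.categories[c]).forEach(load);
  const manager = {
    // Stored decision, or null if the user has never been asked.
    current() {
      const raw = storage.get("cookie_consent");
      return raw ? JSON.parse(raw) : null;
    },
    // Show the banner when there is no decision, or when the notice the user saw
    // is not the version now in force (a material change needs fresh consent).
    needsBanner() {
      const c = manager.current();
      return c === null || c.policyVersion !== POLICY_VERSION;
    },
    // Accept All, Reject All and Save Preferences all end up here.
    record(choices) {
      const categories = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, Boolean(choices[c])]));
      const rec = { categories, consentedAt: now().toISOString(), policyVersion: POLICY_VERSION };
      storage.set("cookie_consent", JSON.stringify(rec));
      applyStored(rec);
      return rec;
    },
    // Withdrawal records "no" for every non-essential category. Scripts already in the
    // page cannot be unloaded, so the caller should also delete their cookies and reload.
    withdraw() { return manager.record({}); },
  };
  load("necessary"); // strictly necessary tags fire regardless of the banner
  if (!manager.needsBanner()) applyStored(manager.current()); // returning visitor
  return manager;
}
```

In a real site, `loadTag` would append the script element for that tag and `storage` would wrap a first-party cookie or localStorage, with the footer "Cookie Settings" link calling `record` or `withdraw`.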
Common Website Cookie Policy Mistakes (And How To Avoid Them)
Cookie compliance is one of those areas where small businesses often do the right thing in spirit, but still get caught out on details.
Here are common mistakes we see - and what to do instead.
Mistake 1: Using A Generic Template That Doesn’t Match Your Website
Many cookie templates don’t include a real cookie list, don’t name third parties, or use generic statements that don’t reflect what your site actually does.
Fix: Audit the cookies your site uses (including third-party plugins), then tailor your cookie policy to match. If you update your website, re-check your cookie policy.
Mistake 2: Treating Analytics Cookies As “Essential” Without Thinking It Through
Businesses often assume analytics cookies are essential because “we need analytics”. But “essential” in PECR terms is about what is strictly necessary to provide a service requested by the user - not what’s useful for your business.
Fix: Treat analytics carefully. Explain them properly, consider consent requirements, and configure your tools to respect user choices.
Mistake 3: No “Reject” Button (Or A Hard-To-Find One)
If your banner makes rejecting cookies difficult, you’re increasing risk and potentially frustrating visitors.
Fix: Offer a clear reject option at the same level as accept, and allow users to choose categories.
Mistake 4: Forgetting The Rest Of Your Website Legals
Cookies often sit within a bigger compliance picture. If you’re collecting enquiries, taking payments online, or running an online store, you’ll likely also need:
- website terms that set out how users can use your site and what you’re responsible for; and
- privacy documentation aligned to your personal data processing.
Fix: Make sure your cookie policy is consistent with your Website Terms and Conditions and privacy practices.
Mistake 5: Ignoring Data Retention And “How Long” Information Is Kept
Your cookie policy should explain cookie durations, and your privacy compliance should also cover how long you retain personal data.
Fix: Make sure your approach is consistent across documents and reflects your real practices, including data retention periods.
Key Takeaways
- A website cookie policy explains what cookies your website uses, why you use them, and how users can control them.
- In the UK, cookies are mainly regulated by PECR, with UK GDPR applying where cookies involve personal data.
- For most non-essential cookies (especially marketing cookies, and usually analytics cookies), you generally need consent before cookies are set.
- Your cookie policy should be specific and usually includes cookie categories, purposes, third-party cookies, durations, and how users can accept/reject/withdraw consent.
- A cookie banner alone isn’t enough - your setup should offer genuine choices, prevent non-essential cookies loading before consent, and let users change their preferences later.
- Cookie compliance works best when it’s aligned with your wider website legal foundations, including your privacy policy and website terms.
If you’d like help getting your cookie policy and consent approach right (without drowning in legal jargon), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.


