Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a website, chances are it uses cookies (or at least tries to).
They’re one of those “small” technical things that can quickly turn into a big legal and reputational issue if you don’t get them right - especially if you collect leads, run analytics, retarget ads, or operate an online shop.
This guide breaks down what people mean when they ask “what are cookies online”, why cookies matter for UK businesses, and how to handle cookie consent in a way that lines up with the UK GDPR and the UK e-Privacy rules (PECR).
What Are Cookies Online (And What Do They Actually Do)?
In simple terms, cookies are small text files that a website stores on a user’s device (like their laptop or phone) when they visit.
Cookies help a website:
- Remember actions and preferences (like items in a basket or login status)
- Measure how people use the site (analytics)
- Personalise content or settings
- Advertise more effectively (marketing/targeting)
When people search “what are cookies online”, what they’re often really asking is: “Why is this website tracking me, and what does it know about me?”
As a small business owner, your job is to make sure your site uses cookies in a way that’s transparent, lawful, and properly documented - not just “whatever the plugin settings were by default”.
Are Cookies Personal Data Under UK GDPR?
Sometimes, yes.
A cookie on its own might just be a random string of characters (an ID). But if that ID can be linked to an identifiable person - directly or indirectly - it can become personal data.
For example, cookies may count as personal data where they:
- are linked to a user account or email address
- track behaviour over time (pages visited, purchases, clicks)
- identify a device via unique identifiers
- are combined with other data you (or a third party) hold
That’s why cookie compliance usually involves both:
- PECR (privacy rules about storing/reading cookies), and
- UK GDPR / Data Protection Act 2018 (rules about processing personal data)
Common Types Of Cookies UK Businesses Use
Most cookie banners group cookies into categories. The categories matter because they affect whether you need consent.
- Strictly necessary (essential) cookies: needed for the website to work (e.g. security, login, shopping basket).
- Preferences (functional) cookies: remember settings like language or region.
- Analytics (performance) cookies: help you understand website usage and improve performance.
- Marketing (advertising) cookies: track users across sites to serve targeted ads or measure ad performance.
One practical tip: don’t assume a cookie is “essential” just because it’s helpful to you. “Essential” is interpreted fairly narrowly.
Why Cookie Compliance Matters For Small Businesses (Not Just Big Tech)
It’s easy to think cookie rules are only a problem for huge online platforms. But in practice, cookie compliance is a day-to-day issue for small businesses too - especially if your website is part of how you generate revenue.
Here’s why it matters.
1) It’s A Legal Requirement (Not Just A Best Practice)
In the UK, cookies are regulated mainly under:
- PECR (Privacy and Electronic Communications Regulations) - rules about placing/reading cookies and similar tech
- UK GDPR and the Data Protection Act 2018 - rules about personal data, lawful bases, transparency and user rights
If you’re using non-essential cookies without proper consent, that’s where your risk increases.
2) Cookie Pop-Ups Are A Trust Moment
Your cookie banner is often the first compliance message a customer sees.
A banner that’s vague, pushy, or confusing can undermine trust - even if your product is brilliant.
3) It Affects Your Marketing Performance
Cookie consent, done properly, also affects what data you’re allowed to collect and use.
For example, if your marketing cookies are blocked until consent is given, you may see:
- lower remarketing audience sizes
- less conversion tracking data
- differences between “reported” and “actual” sales
That’s not a reason to cut corners - it’s a reason to plan properly and set expectations with your marketing team.
What UK Laws Apply To Cookies? (UK GDPR + PECR Explained Simply)
Cookie compliance in the UK is mainly a two-law problem:
PECR: The Cookie Consent Rule
PECR requires you to:
- provide clear and comprehensive information about cookies, and
- get consent before storing or accessing cookies on a user’s device unless the cookie is strictly necessary for a service the user requested
So, the default position is: consent is needed for non-essential cookies.
UK GDPR: The Personal Data Rule
If cookies involve personal data (which they often do), the UK GDPR also applies. That means you need to think about:
- lawful basis for processing (consent is common for marketing cookies, and often used for analytics too)
- transparency (privacy information that’s easy to understand)
- data minimisation (don’t collect more than you need)
- data security and third-party controls
- individual rights (including the ability to withdraw consent)
This is where a properly drafted Privacy Policy becomes important, because cookie use is usually part of your broader personal data processing.
What About Other Tracking Tech (Pixels, SDKs, Local Storage)?
Cookies aren’t the only technology covered. PECR applies to storing/accessing information on a device, which can include:
- pixels and tags
- mobile app SDKs
- local storage
- device fingerprinting (often higher risk)
In other words, you can’t “avoid cookie consent” just by using a non-cookie tracker. Regulators generally look at the function, not the label.
Do You Need Cookie Consent In The UK? (And When You Don’t)
Most UK business websites need some form of cookie consent mechanism - but not every cookie requires consent.
When Consent Is Usually Required
You will usually need opt-in consent before enabling cookies that are not strictly necessary, including:
- analytics cookies (in most cases - and particularly where they involve tracking, unique identifiers, or third-party analytics)
- marketing/advertising cookies
- social media tracking
- cross-site tracking and retargeting
- A/B testing cookies (often non-essential)
When Consent Is Not Required (Strictly Necessary Cookies)
Consent is not required for cookies that are strictly necessary to provide a service the user requested.
Common examples include cookies used for:
- shopping basket functionality
- secure login and session management
- fraud prevention and security
- load balancing (keeping the website stable)
Even when consent isn’t required, you still need to be transparent about what’s happening.
What “Valid Consent” Looks Like (In Practice)
Consent under UK GDPR needs to be:
- freely given (no pressure or “cookie walls” unless carefully assessed)
- specific (separate choices for separate purposes/categories)
- informed (clear info about what cookies do and who sets them)
- unambiguous (a clear affirmative action)
- easy to withdraw (users can change their mind later)
For most small business sites, this means:
- you should have an Accept and a Reject option that are both easy to find
- non-essential cookies should be off by default until the user opts in
- you should offer granular controls (at least by category)
If your banner only has “OK” (and no real choice), that’s a red flag.
How To Make Your Website Cookie-Compliant (A Practical Checklist)
Cookie compliance doesn’t have to be overwhelming - but it does need to be deliberate.
Here’s a practical approach most small businesses can follow.
1) Audit Your Cookies (You Can’t Comply With What You Don’t Understand)
Start by identifying what your website is actually doing.
You’ll want to map:
- each cookie or tracker being used
- its purpose (essential / analytics / marketing etc.)
- who sets it (you or a third party)
- how long it lasts (session vs persistent)
- whether data goes outside the UK (common with third-party tools)
This cookie inventory usually feeds directly into your Cookie Policy.
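The audit above is easiest to keep accurate if it is generated from what the site actually sends rather than typed up by hand. The script below is an added example (it is not Sprintlaw’s code and not part of any consent tool): it takes Set-Cookie headers captured from page responses, records who set each cookie and whether it is first- or third-party relative to your own domain, works out whether it is a session or persistent cookie, and looks up its purpose in a register you maintain. The site domain, the purpose register, the vendor domains and the captured header lines are all constructed for illustration; anything not in the register is flagged for a human decision before it goes into the Cookie Policy.

```javascript
// Added example: build a cookie inventory from captured Set-Cookie headers.
// SITE_DOMAIN, PURPOSE_REGISTER and SAMPLE_CAPTURE are constructed/hypothetical.

const SITE_DOMAIN = "example.co.uk"; // assumed first-party domain

// Hypothetical purpose register, filled in from your own plugin and tag
// documentation: cookie name -> category and whether the setter sends data
// outside the UK. Cookies not listed here are flagged as "unknown".
const PURPOSE_REGISTER = {
  session_id: { category: "strictly-necessary", outsideUK: false },
  basket: { category: "strictly-necessary", outsideUK: false },
  lang: { category: "preferences", outsideUK: false },
  analytics_id: { category: "analytics", outsideUK: true },
  ads_id: { category: "marketing", outsideUK: true },
};

// Parse one Set-Cookie header value (plus the domain of the response that
// carried it) into a single inventory row.
function parseSetCookie(headerValue, responseDomain) {
  const [nameValue, ...attrs] = headerValue.split(";").map((s) => s.trim());
  const name = nameValue.split("=")[0];
  const row = {
    name,
    setBy: responseDomain,
    party: responseDomain.endsWith(SITE_DOMAIN) ? "first" : "third",
    lifetime: "session", // default unless Max-Age or Expires says otherwise
    category: "unknown",
    outsideUK: null,
  };
  for (const attr of attrs) {
    const [key, val] = attr.split("=");
    const k = key.toLowerCase();
    if (k === "max-age") {
      row.lifetime = `persistent (${Math.round(Number(val) / 86400)} days)`;
    } else if (k === "expires" && row.lifetime === "session") {
      row.lifetime = `persistent (until ${val})`;
    }
  }
  const known = PURPOSE_REGISTER[name];
  if (known) {
    row.category = known.category;
    row.outsideUK = known.outsideUK;
  }
  return row;
}

// Turn a list of {header, domain} captures into inventory rows.
function buildInventory(captured) {
  return captured.map(({ header, domain }) => parseSetCookie(header, domain));
}

// Rows that need a human decision before the cookie list is published.
function needsReview(inventory) {
  return inventory.filter((r) => r.category === "unknown");
}

// Constructed sample capture: the kind of headers you might see when loading
// the home page with an analytics tool, an ad pixel and a chat widget embedded.
const SAMPLE_CAPTURE = [
  { header: "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax", domain: "www.example.co.uk" },
  { header: "basket=3items; Path=/; Max-Age=604800", domain: "www.example.co.uk" },
  { header: "analytics_id=a1b2; Max-Age=63072000; Domain=example.co.uk", domain: "www.example.co.uk" },
  { header: "ads_id=x9y8; Expires=Wed, 01 Jan 2025 00:00:00 GMT", domain: "pixel.adsvendor.example" },
  { header: "chat_uid=zzz; Path=/", domain: "widget.chatvendor.example" },
];

const inventory = buildInventory(SAMPLE_CAPTURE);
console.table(inventory);
console.log("Needs review:", needsReview(inventory).map((r) => r.name));
```

The output table maps directly onto the five audit questions above (what, why, who, how long, where). Two things the headers alone cannot tell you: the purpose of a cookie (hence the register) and whether a third party moves the data outside the UK, which has to come from the supplier’s documentation or contract rather than from the cookie itself.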
2) Set Up A Proper Cookie Banner And Preference Centre
Most businesses use a cookie consent tool to manage this. Legally, what matters is the outcome:
- non-essential cookies don’t load before consent
- users can accept, reject, or customise
- preferences are recorded and can be updated
If you rely on developers, it’s worth being very clear in writing about what you need. The biggest implementation mistakes we see are technical: scripts firing before consent, or “reject” not actually rejecting anything.
3) Update Your Privacy Information (Cookie Use Rarely Sits Alone)
Your cookie banner is only one layer. You should also make sure your broader privacy information lines up, including:
- what personal data you collect via cookies and trackers
- why you collect it (purposes)
- your lawful bases (often consent for marketing cookies, and often for analytics too)
- who you share it with (including ad networks and analytics providers)
- how users can withdraw consent
That’s why businesses often update their Privacy Policy at the same time as their cookie compliance work.
4) Manage Third Parties (You’re Still Responsible For Your Site)
Lots of cookies come from third parties - embedded videos, maps, booking tools, chat widgets, affiliate tracking, and so on.
If a third-party tool sets cookies through your site, you should treat that as part of your compliance scope.
From a UK GDPR perspective, also consider whether third parties are acting as your processors (processing on your behalf), controllers (using data for their own purposes), or joint controllers (sharing decision-making). Where a supplier is a processor, you’ll usually need a Data Processing Agreement - but it won’t be the right document for every third-party relationship.
5) Make Sure Your Website Legal Documents Match How You Operate
Cookie compliance usually sits alongside other key website documents, especially if you sell online, take enquiries, or allow accounts.
Depending on your site, you may also need:
- Website Terms and Conditions (the rules for using your site)
- Acceptable Use Policy (particularly helpful if users can post content or interact with your platform)
Think of it as building your legal foundations properly - not just “adding a banner”.
6) Keep Records And Review Regularly
Cookie setups drift over time. Marketing teams add new tags. Developers add new plugins. Platforms update their features.
So it’s worth setting a simple process to:
- review cookies periodically (e.g. quarterly or when you change key site functionality)
- re-check that non-essential cookies are still blocked until consent
- ensure your cookie list and descriptions are still accurate
- monitor complaints or opt-out patterns (they can be early warning signs)
If you want a more “done-for-you” approach to your broader compliance setup, a GDPR package can help pull the moving parts together in a consistent way.
Common Cookie Mistakes That Can Trip Up UK Businesses
Even well-intentioned businesses get cookie compliance wrong. Here are some common issues to watch for.
No Real Choice (Or A Hidden “Reject” Option)
If your banner nudges users into accepting cookies (for example, a big bright “Accept” and a tiny “Manage settings” link), it may not meet the “freely given” standard.
Loading Marketing Tags Before Consent
This is a technical implementation issue, but it’s one of the most common reasons businesses fall out of compliance.
Make sure your setup actually blocks non-essential scripts until consent is given.
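Both step 2 of the checklist (“non-essential cookies don’t load before consent”, “reject not actually rejecting anything”) and this mistake come down to the same piece of logic, so one added example serves both. The code below is illustrative (not Sprintlaw’s code and not any particular consent tool’s implementation): it starts every non-essential category switched off, only counts an explicit opt-in as consent, records the choice with a timestamp, loads a tag only when its category is consented, and on rejection expires the first-party cookies known to belong to rejected categories. The category names, the tag register, the script URLs, the cookie names and the button ids are all assumptions.

```javascript
// Added example: consent-gated tag loading with a "reject" that really rejects.
// CATEGORIES, TAG_REGISTER, cookie names and element ids are hypothetical.

const CONSENT_COOKIE = "cookie_consent"; // assumed name of the stored preference
const CATEGORIES = ["preferences", "analytics", "marketing"]; // strictly necessary is never gated

// Hypothetical tag register: the category each script belongs to and the
// first-party cookies it is known to set, so rejection can clean them up.
const TAG_REGISTER = [
  { id: "analytics-tag", category: "analytics", src: "https://analytics.vendor.example/tag.js", cookies: ["analytics_id"] },
  { id: "ads-tag", category: "marketing", src: "https://ads.vendor.example/pixel.js", cookies: ["ads_id", "ads_session"] },
];

// Default state: every non-essential category off until an affirmative action.
function defaultConsent() {
  const c = {};
  for (const cat of CATEGORIES) c[cat] = false;
  return c;
}

// Normalise a banner or preference-centre submission: only listed categories
// count, and only an explicit `true` is treated as consent (no pre-ticked
// boxes or truthy strings sneaking through).
function recordChoice(selection) {
  const consent = defaultConsent();
  for (const cat of CATEGORIES) if (selection[cat] === true) consent[cat] = true;
  return { consent, recordedAt: new Date().toISOString() };
}

// Tags that may load for a given consent record.
function allowedTags(consent, register = TAG_REGISTER) {
  return register.filter((t) => consent[t.category] === true);
}

// First-party cookies that must be expired because their category is not consented.
function cookiesToClear(consent, register = TAG_REGISTER) {
  return register.filter((t) => consent[t.category] !== true).flatMap((t) => t.cookies);
}

// Browser side: persist the record, expire rejected cookies, then (and only
// then) inject the permitted scripts. No tag is in the page HTML itself.
function applyConsent(record, doc = globalThis.document) {
  if (!doc) return; // not running in a browser (e.g. under unit tests)
  const value = encodeURIComponent(JSON.stringify(record));
  doc.cookie = `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=${180 * 86400}; SameSite=Lax; Secure`;
  for (const name of cookiesToClear(record.consent)) {
    doc.cookie = `${name}=; Path=/; Max-Age=0`; // expire immediately
  }
  for (const tag of allowedTags(record.consent)) {
    if (doc.getElementById(tag.id)) continue; // already loaded this session
    const s = doc.createElement("script");
    s.id = tag.id;
    s.src = tag.src;
    s.async = true;
    doc.head.appendChild(s);
  }
}

// Wire the banner buttons (assumed ids). "Reject" is a first-class action,
// not a buried "manage settings" link.
function initBanner(doc = globalThis.document) {
  if (!doc) return;
  doc.getElementById("accept-all")?.addEventListener("click", () =>
    applyConsent(recordChoice({ preferences: true, analytics: true, marketing: true }), doc));
  doc.getElementById("reject-all")?.addEventListener("click", () =>
    applyConsent(recordChoice({}), doc));
}

initBanner();
```

Two caveats worth knowing when checking an implementation like this. First, a script can only expire cookies set on its own domain and path; cookies a vendor sets on its own domain cannot be cleared from your page, so for those the only effective control is never loading the tag in the first place. Second, the gating only works if the tags are absent from the page HTML and are injected solely by `applyConsent`; a tag that is also hard-coded in the template will fire before consent regardless of what the banner records, which is exactly the failure described above.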
Calling Everything “Essential”
Not everything is essential just because it’s helpful. If a cookie supports marketing, personalisation, or analytics, it’s usually not strictly necessary to deliver a service the user requested.
Out-Of-Date Cookie Lists
Cookie policies often start accurate and then become outdated within months.
Try to keep your cookie information live and reviewed, especially if you rely on third-party plugins.
Forgetting About International Transfers
Many analytics and advertising tools can involve transfers of personal data outside the UK (or remote access from outside the UK), depending on how the tools are configured and where providers operate.
This can trigger additional UK GDPR obligations (like making sure appropriate safeguards are in place). This is one of those areas where tailored legal advice is often worth it, because the right approach depends on your tools and your data flows.
Key Takeaways
- “What are cookies online?” Cookies are small files placed on a user’s device to make websites work, remember preferences, run analytics, and support marketing and tracking.
- In the UK, cookie compliance usually involves both PECR (consent for non-essential cookies) and UK GDPR (lawful processing and transparency when cookies involve personal data).
- Consent is generally required for marketing and most analytics/tracking cookies, and it should be opt-in, informed, and easy to withdraw.
- Strictly necessary cookies can be used without consent, but you still need to be transparent about them.
- A practical compliance approach includes a cookie audit, a properly configured cookie banner, accurate cookie and privacy information, and regular reviews as your website changes.
- Cookie compliance works best when it’s part of your broader website legal setup, including your Cookie Policy, Privacy Policy, and website terms.
If you’d like help getting your cookie consent setup and website legal documents right, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.