Cookie Banners That Comply: Practical Steps for UK Sites

Let’s be honest – cookies on websites can be confusing. Whether you’re building your first online shop or managing a popular UK blog, you’ve likely had the dreaded “cookie banner” conversation: What does the law actually require? How do you get consent? And how can you make your banner user-friendly without breaking the rules or annoying your visitors? Not to worry – setting up a compliant cookie banner is much more manageable than it may seem. Understanding the basics, staying on top of the laws, and taking a few proactive steps can ensure your business avoids costly mistakes while building trust with your users. In this guide, we’ll demystify the UK’s cookie banner requirements, break down practical compliance steps, and help you protect your business “from day one.” Ready to get sorted? Read on for everything you need to know to implement a cookie banner that both meets legal requirements and works for your users.

A cookie banner is that familiar pop-up or overlay you see when visiting most modern websites. On the surface, it’s just a small piece of the user experience – but from a legal standpoint, cookie banners are critical for data privacy and compliance in the UK. Simply put, a cookie banner informs site visitors about the use of cookies and other trackers, and – crucially – obtains their consent for deploying non-essential cookies. This isn’t just good practice; it’s a legal requirement for virtually every business that operates a website, whether you’re selling products, offering services, or just sharing content. Failing to use a compliant cookies banner could put your business at risk of regulatory action, fines, and reputational harm. But, with a clear approach and a bit of knowledge, you can get it right from the start.

If you’re operating in the UK, your main focus should be on the Privacy and Electronic Communications Regulations (PECR). While many people associate cookies with the GDPR, it’s PECR that specifically governs cookies and similar technologies here. PECR sets out rules for using “cookies and similar technologies” (like web beacons, pixels, and local storage), including:
  • Notifying users about the cookies you use (with some limited exemptions for essential cookies).
  • Obtaining user consent before you place most cookies on their device.
A key point to remember is that GDPR works alongside PECR – so your approach to cookies also needs to meet GDPR-level standards for consent. If you collect any kind of “personal data” through cookies (which most analytics and advertising cookies do), both sets of rules will apply. If you want more detail on the legal background of cookies, check out our full guide on Cookie Pop-Ups: Do I Need One?

Not all cookies are created equal. Under PECR, there are two main categories:
  • Strictly necessary cookies – These are essential for your website to function (such as remembering what’s in a shopping basket or enabling secure logins). You do not need consent for these.
  • Non-essential cookies – These include analytics cookies, advertising/tracking cookies, social media plug-ins, and anything that gathers information for non-essential purposes. You must get the user’s consent before these are set on their device.
Remember, consent for non-essential cookies must be collected before those cookies are placed. Simply telling users “by using this site, you consent…” isn’t enough. Both PECR and GDPR are clear – consent for non-essential cookies must be:
  • Freely given (the user must have real choice, with no pressure or misleading tactics)
  • Specific (users can choose which types of cookies to accept or refuse)
  • Informed (the user gets clear information about the cookies used and what they do)
  • Unambiguous (consent is given through a clear, positive action – not pre-ticked boxes or passive behaviour)
Implied or “by continuing to use this website” consent is not valid under the current law. Users need to actively opt in, especially for things like tracking, advertising or social sharing cookies. Plus, you must keep a record of users’ cookie consent in case you need to prove it later – another common trap for business owners.

So, what do you actually need to show on your website to meet UK law? A compliant cookies banner will:
  • Appear immediately when a user first visits your site (ideally before any non-essential cookies are set)
  • Clearly state which types of cookies your site uses (e.g. “This site uses cookies to personalise content, analyse traffic and provide social media features”)
  • Link to a detailed Cookie Policy that explains what each cookie does, who sets it, how long it lasts, and how the user can manage preferences
  • Allow the user to accept, reject, or customise their preferences (such as toggling analytics or marketing cookies on/off)
  • Record the user’s choices (and respect them on future visits unless preferences are changed)
Banners that simply say “We use cookies; by using this site you agree…” with an ‘OK’ button are no longer compliant. You must provide a real, informed choice before non-essential cookies go live. For further reading, see our comprehensive article on Cookie Pop-Ups which breaks down what a banner should include.

You want your cookie banner to be legally compliant, but also user-friendly. Here’s how to strike the right balance:
  • Visibility: The banner should be hard to miss – typically as a pop-up, overlay, or sticky bar at the top/bottom of the page.
  • Timing: Show the banner as soon as someone lands on your site (before setting non-essential cookies).
  • Options: Give users clear buttons or toggles to accept all, reject all, or customise which cookies they allow. Avoid using tricks like making the “Accept” button bright and the “Reject” button hard to find.
  • Clarity: Avoid legal jargon. Use plain language to summarise types of cookies and their purpose.
  • Link to full Cookie Policy: Every banner should clearly link to the complete cookie policy for users who want more detail.
  • No Cookie Walls (in most cases): You can’t generally block content unless a user accepts cookies – this is only justifiable where cookies are strictly necessary for a specific service the user requests (rare for most basic websites).
The goal is to empower your users to make an informed choice without overwhelming or “tricking” them into accepting cookies. Keeping it user-centric also builds trust – which is always good for business.

Your Cookie Policy is where the legal details are housed. It should be:
  • Easy to find (linked from your banner, footer, or main menu)
  • Written in plain English – avoid technical or legal jargon where possible
  • Up to date – regularly review to reflect any changes in third-party providers or technology
A robust Cookie Policy will set out:
  • A description of what cookies are, the types you use, and their purpose
  • A categorisation of cookies (strictly necessary, analytics, marketing, preferences, etc.)
  • Information about third-party cookies and who operates them (e.g. Google, Facebook, Shopify)
  • Details on cookie duration (session vs persistent)
  • Instructions on how users can manage or withdraw their consent at any time
A well-written Cookie Policy helps users take control over their data – and goes a long way towards demonstrating your own compliance if you’re ever audited or challenged. For more information on how to write a strong Cookie Policy (and why it matters), see our guide: Do You Need a Cookie Policy?

If you’re building or updating your cookie banner, here’s a straightforward process to follow:
  1. Audit Your Cookies
    • List every cookie (and similar technologies) used on your site, including those from third-party services and plugins.
    • Classify each as “strictly necessary” or “non-essential”.
    • Identify what personal data, if any, each cookie collects.
  2. Draft or Update Your Cookie Policy
    • Include all required information (purpose, provider, category, storage duration, and how users can opt out).
    • Write in plain English with user-friendly explanations.
  3. Design a Compliant Cookie Banner
    • Ensure the banner appears immediately on first visit – before setting non-essential cookies.
    • Offer clear opt-in controls for each type of cookie (not just a blanket accept/reject).
    • Link to your Cookie Policy and make it easy to find later.
    • Record and respect the user’s choice for future visits.
  4. Test and Monitor Your Banner
    • Check that no non-essential cookies run before the user consents.
    • Test your banner on desktop and mobile devices across browsers.
    • Record each user’s consent (or refusal) in case you’re asked to prove it.
  5. Review Regularly
    • Re-audit your site after significant updates or when adding new plugins/services.
    • Update your banner and policy if you change what cookies you use or how you use them.
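Steps 3 and 4 above come down to a few mechanics: nothing non-essential runs until a positive choice is recorded, the record carries a timestamp and policy version so it can be evidenced and re-asked when the policy changes, and strictly necessary items are never blocked. The block below is an added illustration of those mechanics, not Sprintlaw’s code or any particular consent tool; the cookie name, policy version string, category names and the `necessary` label are assumptions.

```javascript
// Added example (not Sprintlaw's code): cookie name, policy version and the
// category names are assumptions chosen for illustration.
const CONSENT_COOKIE = 'cookie_consent';
const POLICY_VERSION = '2024-01'; // bump when the Cookie Policy changes
const CATEGORIES = ['analytics', 'marketing', 'preferences']; // non-essential

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(str) {
  const out = {};
  for (const part of str.split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    const key = part.slice(0, i).trim();
    if (key) out[key] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Stored consent record, or null meaning "show the banner again" (absent,
// malformed, or given against an older version of the Cookie Policy).
function loadConsent(cookieStr) {
  const raw = parseCookies(cookieStr)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    if (rec.version !== POLICY_VERSION) return null;
    if (typeof rec.choices !== 'object' || rec.choices === null) return null;
    return rec;
  } catch (e) { return null; }
}

// Only a literal true counts as opt-in: nothing is pre-ticked, and calling
// this with {} (banner dismissed) records refusal of every category.
function buildConsent(choices, now = new Date()) {
  const out = {};
  for (const c of CATEGORIES) out[c] = choices[c] === true;
  return { version: POLICY_VERSION, ts: now.toISOString(), choices: out };
}

// Set-Cookie value for the record: six months, first-party, HTTPS only.
function serializeConsent(rec) {
  const val = encodeURIComponent(JSON.stringify(rec));
  return `${CONSENT_COOKIE}=${val}; Path=/; Max-Age=15552000; SameSite=Lax; Secure`;
}

// Strictly necessary scripts always load; every other category needs a
// positive choice. With no record at all, only the necessary ones pass.
function allowedScripts(scripts, consent) {
  return scripts.filter(s => s.category === 'necessary' ||
    (consent !== null && consent.choices[s.category] === true));
}
```

In the browser, third-party tags would be shipped in an inert form (for example `<script type="text/plain" data-category="analytics">`) and only swapped into real script elements for the categories `allowedScripts` returns, which is also the easiest thing to check in step 4. The same record, with its timestamp and policy version, is what you would log server-side to prove consent later; the cookie alone lives only on the user’s device.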
If your cookie setup changes often (common for ecommerce shops or content sites), consider a regular legal check-in to ensure you’re always covered. For an example of how this kind of due diligence helps, check out our guide to complying with business regulations in the UK.

It’s not just cookies that matter when running a website. Most UK businesses will also need:

Getting these core documents and compliance steps right can save your business from disputes, fines, and loss of customer trust down the line. Non-compliance isn’t just a small risk. UK regulators (like the ICO) have the power to issue warnings, require site changes, or impose fines for serious breaches. Bad press and dropped search rankings can also result from poor or misleading cookie practices. If you collect substantial personal data or run a larger site, the risks only grow. That’s why laying strong legal foundations – and proactively seeking advice – is always the safer play.
  • Cookie banners are required by UK law for all non-essential cookies – you can’t just “assume” user consent.
  • Consent must be informed, specific, and actively given (pre-ticked boxes and implied consent aren’t enough).
  • Your banner needs to provide clear information, plus opt-in/opt-out controls, immediately when a user visits.
  • Link to a detailed, up-to-date Cookie Policy that categorises your cookies and explains who sets what, why, and for how long.
  • Regularly review your cookies and compliance as your site or business grows.
  • Don’t neglect related areas like your Privacy Policy and Terms & Conditions.
  • When in doubt, seek professional advice to make sure your approach is up to date and legally robust.

If you need help making your website’s cookie banner fully compliant, or if you’d like tailored advice on your Cookie Policy, reach out to our team at Sprintlaw UK for a free, no-obligations chat. You can contact us on 08081347754 or team@sprintlaw.co.uk – we’re here to help you get your legal foundations right from day one.
Alex Solo

Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
