Internet Cookie Types Explained For UK GDPR Compliance

If you run a website (or app) for your business, you’ve probably seen those cookie pop-ups everywhere - and you might be wondering what you actually need to do to stay compliant in the UK.

Getting cookies wrong can create real legal risk, especially if you’re using analytics tools, advertising pixels, or third-party embeds that collect personal data. But don’t stress - once you understand the main types of internet cookies users encounter (and what each one does), it becomes much easier to set up your site properly.

This guide breaks down the main types of web cookies, when consent is required under UK rules, and what practical steps you can take to keep your small business on the right side of data protection law.

What Are Internet Cookies (And Why Should Your Business Care)?

Cookies are small text files that websites place on a user’s device (like their phone or laptop). They help websites work properly, remember settings, and (in many cases) track user behaviour.

From a business perspective, cookies can help you:

  • keep customers logged in;
  • remember basket items in an online shop;
  • understand which pages are performing well;
  • measure marketing performance (like ad conversions); and
  • personalise content or offers.

The catch is that many cookies - especially tracking and advertising cookies - can involve processing personal data and/or storing or accessing information on a device, which triggers specific compliance obligations.

In the UK, cookies are mainly regulated by two legal frameworks:

  • PECR (the Privacy and Electronic Communications Regulations), which set rules around storing/accessing information on a user’s device (including cookies) and require consent in many cases; and
  • UK GDPR and the Data Protection Act 2018 (which apply where cookies involve processing personal data, such as online identifiers and browsing behaviour).

So, if your website uses cookies beyond what’s strictly necessary, you’ll usually need a compliant consent approach (not just a generic banner) - and you’ll need your technical setup to match.

Types Of Cookies Internet Users Encounter (And What Each One Does)

When people search for the types of internet cookies sites use, they’re usually looking for cookie categories like “necessary” or “marketing”. These categories are also a practical way for businesses to organise cookie consent settings.

Below are the most common types of web cookies you’ll see on small business websites.

1. Strictly Necessary Cookies

Strictly necessary cookies (sometimes called “essential cookies”) are used to make a website function properly. These are the cookies that let users do things like:

  • log in securely;
  • add items to a cart and proceed to checkout;
  • move through your site without pages breaking; or
  • apply security features (like load balancing and fraud prevention).

Do you need consent? Usually no - if the cookie is genuinely essential to provide the service the user requested. But you should still disclose these cookies in your cookie information (for transparency).

2. Preference Cookies (Functionality Cookies)

Preference cookies help remember choices a user makes, such as:

  • language selection;
  • region settings;
  • saved form fields; or
  • layout choices (like dark mode).

Do you need consent? It depends. If a preference cookie is strictly necessary to deliver a feature the user actively requested, it may not require consent. However, many preference cookies are treated as non-essential in practice - so many businesses include them in consent controls to be safe.

3. Analytics / Performance Cookies

Analytics cookies help you understand how people use your website, such as:

  • which pages users visit;
  • how long they stay;
  • how they found you (search, social, ads); and
  • where users drop off in a purchase funnel.

Analytics is incredibly useful for small businesses - but it’s also one of the easiest ways to become non-compliant if cookies are placed before consent is collected.

Do you need consent? Usually yes under PECR, because analytics cookies are typically not “strictly necessary”. If analytics involves personal data, UK GDPR requirements also apply (including having a valid lawful basis, which is often consent in a cookie context).

4. Marketing / Advertising Cookies

Marketing cookies are designed to track users across websites and build a profile for advertising purposes. Common uses include:

  • retargeting ads (showing ads to someone who visited your site);
  • measuring ad campaign performance and conversions;
  • building lookalike audiences; and
  • limiting the number of times someone sees an ad.

Do you need consent? In most cases, yes. These are higher-risk cookies from a privacy perspective because they often involve extensive tracking and third-party sharing.

5. Third-Party Cookies

Some cookies are set by your own website (first-party cookies). Others are set by third parties whose tools or content appear on your site, such as:

  • embedded videos;
  • social media widgets;
  • maps;
  • payment providers; or
  • advertising networks.

Do you need consent? If they’re not strictly necessary, typically yes. Third-party cookies can be particularly tricky because your business may not fully control what data the third party collects, how long it’s retained, or where it’s sent.

6. Session Cookies vs Persistent Cookies (Not Categories, But Useful To Know)

People also talk about types of internet cookies in terms of how long they last:

  • Session cookies expire when the user closes their browser.
  • Persistent cookies remain for a set period (days, months, sometimes longer).

This matters because persistent cookies can increase privacy impact - and you’ll want to reflect cookie lifespans accurately in your cookie disclosures.

In the UK, you generally need to consider two questions:

  1. Does the cookie store or access information on a user’s device? (This is where PECR usually applies - and is the main set of cookie-specific rules.)
  2. Does the cookie involve personal data? (This is where UK GDPR comes in.)

For most small business websites, the practical rule of thumb is:

  • Strictly necessary cookies: can usually be used without consent, but must be disclosed.
  • All other cookies (analytics, marketing, and many preference cookies): usually require opt-in consent before they’re set.

Consent under UK GDPR has a specific meaning. It generally needs to be:

  • freely given (users shouldn’t be forced into it to access basic services, unless the cookie is genuinely necessary);
  • specific and informed (clear explanation of what you’re turning on and why);
  • unambiguous (a clear affirmative action, like clicking “Accept”); and
  • easy to withdraw (users should be able to change their mind later).

This is why “by continuing to browse you accept cookies” banners are risky - they often don’t meet the standard for opt-in consent.

One of the most common compliance issues we see is businesses installing a cookie banner, but the analytics and marketing scripts still load immediately - meaning cookies are placed before the user has consented.

If you’re aiming for a compliant implementation, it’s not just what your banner says - it’s what your website actually does behind the scenes.

Good cookie compliance is a mix of legal drafting, good UX, and correct technical setup.

As a small business owner, here’s a practical approach you can follow.

Step 1: Audit What Cookies Your Site Uses

Before you can explain your cookies (or control them), you need to know what’s there. A cookie audit should identify:

  • cookie name;
  • provider (first party vs third party);
  • purpose/category (necessary, analytics, marketing, etc);
  • duration (session/persistent and lifespan); and
  • whether it involves personal data and any international transfers.

If you work with developers or marketing agencies, it’s worth confirming who is responsible for managing cookie compliance, because responsibility can fall through the gaps.

Step 2: Configure Cookies To Be “Off” Until Opt-In

For cookies that require consent, the safest approach is to ensure they are blocked by default until the user opts in.

That typically means:

  • no analytics tags load until the user clicks “Accept analytics” (or similar);
  • no marketing pixels load until the user opts into marketing; and
  • third-party embeds that set tracking cookies are blocked or replaced with a “click to load” option.

Step 3: Make It Easy To Say “No”

To support “freely given” consent, users should have a real choice. In practice, that means your cookie banner should include:

  • an “Accept all” option;
  • a “Reject non-essential” option; and/or
  • a clear “Manage settings” option with granular controls.

Dark patterns (like hiding the reject button or requiring extra clicks to refuse) can cause compliance issues and customer distrust.
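The audit fields from Step 1 and the "off until opt-in" check from Step 2 can be tested against what your site actually sends on a first visit. The sketch below is an added example, not code from the original article: it parses `Set-Cookie` headers captured before any banner interaction, fills in the audit columns, and lists cookies that should not have been set yet. The hosts, cookie names and category mapping are constructed for illustration.

```javascript
// Constructed sample: Set-Cookie headers seen on first page load, before the
// visitor has touched the banner. Hosts and cookie names are hypothetical.
const SITE_HOST = "shop.example";
const CAPTURED = [
  { host: "shop.example", header: "sid=abc123; Path=/; Secure; HttpOnly" },
  { host: "shop.example", header: "lang=en-GB; Max-Age=31536000; Path=/" },
  { host: "stats.example", header: "visitor=9f2c; Max-Age=63072000; Path=/" },
  { host: "ads.example", header: "adid=77aa; Expires=Wed, 01 Jan 2098 00:00:00 GMT" },
];
// Category you assign to each cookie during the audit (assumed mapping).
const CATEGORY = { sid: "necessary", lang: "preferences", visitor: "analytics", adid: "marketing" };

// Extract the cookie name and lifetime attributes from one Set-Cookie header.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const out = { name: pair.slice(0, pair.indexOf("=")), maxAge: null, expires: null };
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    if (eq === -1) continue; // flag attributes such as Secure carry no value
    const key = attr.slice(0, eq).toLowerCase();
    if (key === "max-age") out.maxAge = Number(attr.slice(eq + 1));
    if (key === "expires") out.expires = Date.parse(attr.slice(eq + 1));
  }
  return out;
}

// Build one audit-table row: name, provider, category, duration.
function auditRow(entry, siteHost, now) {
  const c = parseSetCookie(entry.header);
  // Max-Age wins over Expires; with neither, the cookie lasts for the session.
  let seconds = null;
  if (c.maxAge !== null) seconds = c.maxAge;
  else if (c.expires !== null) seconds = (c.expires - now) / 1000;
  const firstParty = entry.host === siteHost || entry.host.endsWith("." + siteHost);
  const category = CATEGORY[c.name] || "uncategorised";
  return {
    name: c.name,
    provider: firstParty ? "first party" : "third party",
    category,
    duration: seconds === null ? "session" : `persistent (${Math.round(seconds / 86400)} days)`,
    // Unknown cookies are treated as needing opt-in until someone classifies them.
    needsOptIn: category !== "necessary",
  };
}

// Names of cookies that were set before consent but are not strictly necessary.
function preConsentFindings(captured, siteHost, now = Date.now()) {
  return captured.map((e) => auditRow(e, siteHost, now)).filter((r) => r.needsOptIn).map((r) => r.name);
}
console.table(CAPTURED.map((e) => auditRow(e, SITE_HOST, Date.now())));
```

An empty result from `preConsentFindings` on a fresh visit is what a correctly gated site should produce; re-run the capture after plugin, theme or tag changes.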

Under UK GDPR, you may need to demonstrate that you obtained valid consent (especially if challenged). Many cookie management solutions include consent logs.

Consent recordkeeping is part of building your privacy compliance “paper trail” - similar to how you’d document other key practices in a GDPR Package.

Cookie compliance isn’t only about banners. You’ll also want your written policies and contracts to match what’s happening in practice.

A Cookie Policy is where you explain (in plain English) what cookies you use, why you use them, and how users can control them.

For many businesses, the cleanest approach is to have a standalone Cookie Policy that includes:

  • what cookies are and how they work;
  • a breakdown of cookie categories;
  • a cookie table (names, purpose, duration, provider);
  • how to change cookie preferences; and
  • how to contact you about privacy questions.

Privacy Policy

If cookies involve personal data (for example, online identifiers, device IDs, behaviour data), you’ll also need to explain that processing in your Privacy Policy.

Your Privacy Policy should typically cover:

  • what personal data you collect via cookies/analytics;
  • your lawful basis (often consent for non-essential cookies);
  • who you share data with (including third parties);
  • international transfers (if relevant); and
  • data subject rights.

Website Terms And Conditions

Cookies sit within your broader website compliance setup. Depending on your site (especially if you sell online or collect user-generated content), your Website Terms and Conditions can help set expectations around acceptable use, liability, and how your site is operated.

Data Processing Agreements (If Suppliers Process Data For You)

If you use third-party providers who process personal data on your behalf (such as analytics providers, email marketing tools, CRM systems, or cloud platforms), you may need appropriate contracts in place, like a Data Processing Agreement.

This won’t replace cookie consent - but it can help you meet UK GDPR processor-contract requirements and manage risk when suppliers handle personal data.

Internal Policies (Especially If Staff Touch Marketing And Customer Data)

Cookie compliance often involves marketing teams, content teams, and anyone who updates your website. An internal Acceptable Use Policy can help set rules around tools, tracking, and handling business data properly (particularly if staff install plugins or tracking scripts).

Cookie rules can feel technical, but the goal is pretty simple: be transparent, only use non-essential cookies with opt-in consent, and don’t collect more data than you need.

Here are some practical tips that usually make the biggest difference:

  • Reduce your cookie footprint - if you’re not actively using a tracking tool, remove it.
  • Be careful with embedded content - third-party video and social embeds can set cookies even if a user doesn’t click play.
  • Make cookie categories clear - “Marketing”, “Analytics”, “Preferences”, “Necessary” are usually easier for users to understand than technical labels.
  • Check your site after updates - new plugins, themes, and marketing tags can silently add new cookies.
  • Align your banner with your policies - if your Cookie Policy says analytics are optional, your site shouldn’t load analytics cookies automatically.

It can also help to pressure-test your setup by asking: If a customer complained, could we confidently explain what we collect, why, and how they can opt out?

If the answer is “not really”, that’s usually a sign your cookie banner, policies, or internal process need tightening up.

Key Takeaways

  • The main types of internet cookies users encounter include strictly necessary cookies, preference cookies, analytics cookies, marketing cookies, and third-party cookies.
  • In the UK, non-essential cookies usually require opt-in consent under PECR, and UK GDPR rules may also apply when personal data is processed.
  • A cookie banner isn’t enough if cookies still load before the user opts in - the technical setup needs to match the legal wording.
  • Most businesses should have a clear Cookie Policy and Privacy Policy that accurately reflects what cookies are used, why, and how users can control them.
  • If third-party providers process personal data for you, consider whether you need a Data Processing Agreement to manage GDPR risk properly.
  • Staying compliant is much easier when you audit cookies regularly, minimise tracking where possible, and keep consent options genuinely user-friendly.

If you’d like help getting your cookie consent setup and privacy documents right, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.

Alex Solo

Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
