Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is PECR And How Does It Apply To Cookies?
- What Does “Valid Consent” Look Like For PECR Cookies?
- PECR Vs UK GDPR: How Do They Interact?
- Direct Marketing Under PECR: Email And SMS Rules
- Common PECR Cookie Mistakes (And How To Avoid Them)
- How PECR Cookies Fit Into Your Wider Privacy Compliance
- Key Takeaways
If your website uses cookies or similar tracking tech, you’re not just dealing with “tech settings” - you’re in legal territory. In the UK, cookies are regulated under the Privacy and Electronic Communications Regulations 2003 (PECR), and they sit alongside the UK GDPR and the Data Protection Act 2018.
Don’t stress - once you know what PECR requires, setting up lawful cookies and consent can be straightforward. In this guide, we’ll walk you through what PECR cookies are, when consent is required, how to design compliant cookie banners, and a step-by-step plan to get your business on the right side of the rules from day one.
What Is PECR And How Does It Apply To Cookies?
PECR is a set of UK regulations that govern certain types of electronic communications. For small businesses, the most relevant PECR areas are:
- Use of cookies and similar technologies (including pixels, SDKs, local storage and tracking scripts)
- Direct marketing by email and SMS (including rules for consent and the “soft opt-in”)
- Some telemarketing and live/automated calls
When it comes to cookies, PECR requires you to:
- Tell people you’re using cookies (clear, accessible information)
- Explain what the cookies do and why (purposes, third parties, retention)
- Get the user’s consent before setting any non-essential cookies
Only strictly necessary cookies are exempt from consent. Everything else (including analytics, advertising, social media, A/B testing, heat maps and most embedded third‑party tools) typically requires user consent before it is placed on, or read from, the user’s device.
Which Cookies Need Consent Under PECR?
In practice, think of cookies in two buckets: “strictly necessary” and “non‑essential”.
Strictly Necessary (No Consent Required)
These are cookies essential to provide a service the user has explicitly requested. Common examples include:
- Shopping basket cookies for an e‑commerce checkout
- Load-balancing or security cookies that keep a site available and safe
- Authentication cookies for logged-in sessions
Even for these, you must still provide clear information in your Cookie Policy, but you don’t need consent.
Non‑Essential (Consent Required)
Most other cookies require prior consent, including:
- Analytics/measurement cookies (e.g. Google Analytics, Meta Pixel analytics features)
- Advertising or retargeting cookies (ad networks, cross‑site tracking)
- Social media plug‑ins and embedded content that set trackers
- UX optimisation (A/B testing, heatmaps, session replay)
- Functional enhancements that aren’t essential (e.g. personalisation)
Important: Even if you don’t process personal data, PECR can still apply because it regulates the storage or access of information on a user’s device. Where personal data is involved, UK GDPR applies in parallel (transparency, lawful basis, data minimisation, security, etc.). If you’re unsure how UK GDPR applies to your audience and data flows, it helps to review when UK GDPR applies to your activities.
What Does “Valid Consent” Look Like For PECR Cookies?
Consent under PECR must meet UK GDPR standards. In plain English, that means:
- Freely given: No pressure or tricks. “Cookie walls” that block access unless users accept non‑essential cookies are generally high risk.
- Specific: Granular controls for different categories (e.g. analytics, ads, social).
- Informed: Clear, plain-language explanations before the user chooses.
- Unambiguous: A positive action (e.g. clicking “Accept”) - no pre-ticked boxes.
- Prior: Don’t set non‑essential cookies until the user has consented.
- Easy to withdraw: Users should be able to change their mind just as easily as they consented.
Design-wise, your banner should provide a genuine choice. That’s why having compliant cookie banners with “Accept” and “Reject” options of equal prominence is now best practice. Providing a clearly visible option to reject all cookies avoids “nudging” users into a default acceptance, which the ICO discourages.
How Do Cookie Banners, Policies And Privacy Notices Work Together?
Think of your cookie compliance as three connected layers.
1) The On‑Page Banner Or Pop‑Up
This is the first point of engagement. It should:
- Explain briefly that you use cookies and why
- Provide “Accept”, “Reject” and “Manage settings” options
- Block all non‑essential cookies until consent is captured (prior consent)
- Offer granular controls per category, with a link to more detail
2) The Detailed Cookie Policy
Your Cookie Policy should list cookie categories, specific cookies/trackers (including third parties), what they do, and retention periods. It should be easy to find from the banner, footer and preferences centre.
3) The Privacy Policy
Because cookies often involve personal data (e.g. IP addresses, device IDs), you also need a compliant Privacy Policy. This covers your lawful basis, who you share data with, users’ rights, international transfers and your retention practices. Make sure both the Cookie Policy and Privacy Policy align - contradictions can create legal and trust issues.
Analytics, Advertising And Third‑Party Tools: Common Tricky Areas
Most small businesses rely on analytics and advertising to grow. That’s fine - just make sure you get consent right and configure tools carefully.
Analytics
- Default: Analytics cookies usually require consent under PECR, so block them until the user opts in.
- Configuration: Explore IP anonymisation, reduced retention and server-side options to minimise data, but remember PECR focuses on device-level storage/access, so consent will still often be needed.
- Documentation: Keep a record of cookie categories, vendors, and your reasoning for the consent approach you’ve taken.
Advertising & Social
- Pixels/Tags: Ad pixels and social plug‑ins typically require consent before loading.
- Sharing: If you share data with ad partners, you’ll also need UK GDPR transparency and appropriate contracts.
- Retargeting: Requires consent and clear information about profiling and cross‑site tracking.
Embedded Content & SaaS Widgets
- Videos, maps, live chats and review widgets can silently set cookies. Use “two‑click” embeddings or block these scripts until consent is given.
- Vendor Management: Put appropriate terms in place (e.g. a Data Processing Agreement where the vendor is a processor; or check their controller terms if they act as an independent controller).
PECR Vs UK GDPR: How Do They Interact?
PECR and UK GDPR often apply at the same time:
- PECR governs storing/reading information on a device (cookies, pixels, SDKs). Consent is required for non‑essential cookies.
- UK GDPR governs the subsequent processing of personal data (transparency, lawful basis, rights, security, DPIAs and accountability).
In practice, if you set analytics cookies, you need PECR consent first, and then you must meet UK GDPR duties for the collected personal data. If a cookie doesn’t involve personal data, PECR may still require consent due to device access rules.
Don’t forget your wider data protection obligations - for example, registering with the ICO where applicable, or applying for any relevant ICO fee exemptions.
Direct Marketing Under PECR: Email And SMS Rules
PECR also regulates electronic direct marketing, which often uses cookies to build audiences and measure conversions. For email and SMS marketing to individuals, you generally need consent unless the “soft opt‑in” applies (existing customers, similar products/services, with a clear opt‑out in every message). Business-to-business marketing has different rules but still requires transparency and opt‑out mechanisms.
Key tips:
- Don’t rely on cookie consent for email marketing consent - they’re different legal bases and must be collected distinctly.
- Ensure your email platform and website consent records are aligned (who consented to what, and when).
- If you’re syncing site behaviour to ad platforms (e.g. custom audiences), make sure your cookie consent covers those purposes.
Designing Compliant Cookie Banners And Consent Flows
A compliant banner isn’t just a box at the bottom of the screen - it’s the gateway to valid consent.
Banner Essentials
- Clear purpose summary in plain English
- Equal prominence for “Accept” and “Reject”
- “Manage settings” for granular choices by category
- No non‑essential scripts until consent is captured
- A link to your Cookie Policy and Privacy Policy
- An easy way to change preferences later (e.g. “Cookie Settings” link in your footer)
Dark Patterns To Avoid
- Pre-ticked boxes or sliders set to “on” by default
- Hiding the “Reject” option behind multiple clicks
- Overly vague language or misleading icons
- “Take it or leave it” cookie walls for services that aren’t genuinely necessary
If you’re building or updating your banner, it’s worth reviewing current best practice around cookie banners and how to provide a clear reject all cookies option to users.
A Step‑By‑Step PECR Cookies Compliance Plan
1) Map Your Cookies And Trackers
Run a comprehensive audit (manual and/or with a scanner):
- List all scripts, pixels, SDKs and storage (first and third party)
- Identify purposes, vendors, data flows and retention
- Decide if each is “strictly necessary” or “non‑essential”
2) Configure Prior Blocking
Ensure your website or app defers non‑essential scripts until consent is given. Most consent platforms support this - but you may need developer tweaks for embedded tools and iframes.
3) Set Up Your Banner And Preferences Centre
Implement a banner that provides a fair choice, with equal “Accept” and “Reject”, category toggles, and an always-available link to change choices later.
4) Update Your Policies
Publish an accurate, user-friendly Cookie Policy and make sure it aligns with your Privacy Policy. Keep them up to date as your tech stack evolves.
5) Capture And Store Consent Records
Record when, how and what users consented to, including versions of your banner text and policies. This helps demonstrate accountability.
6) Check Your Vendor Contracts
For vendors that process personal data on your behalf, put a proper Data Processing Agreement in place. For ad networks or analytics that act as independent controllers, review their controller terms and ensure your notices cover that sharing.
7) Train Your Team And Review Regularly
Make cookie compliance part of your normal site release and marketing workflows. Re-audit when adding new tools, and review policies at least yearly.
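As an added example (not code from the original article or from Sprintlaw), the logic behind steps 2, 3 and 5 in plain JavaScript: a tag inventory from the audit, a consent gate that lets only strictly necessary tags run until a positive choice is recorded, equal-weight Accept/Reject actions, withdrawal, and a consent record that stores the banner and policy versions. The tag names, categories and function names are assumptions.

```javascript
// Added example (not Sprintlaw's code): a minimal consent gate covering
// steps 2, 3 and 5 above. Names such as TAG_INVENTORY are hypothetical.
const CATEGORIES = ["analytics", "advertising", "social"]; // non-essential buckets
const ESSENTIAL = "strictly_necessary";                    // exempt from consent

// Constructed tag inventory from the cookie audit (step 1). Each tag is tied
// to exactly one category so it can be gated granularly.
const TAG_INVENTORY = [
  { id: "session-cookie", category: ESSENTIAL },
  { id: "analytics-tag", category: "analytics" },
  { id: "ad-pixel", category: "advertising" },
  { id: "social-embed", category: "social" },
];

// Build a consent record. A category counts as granted only when the user
// positively chose it (true); anything unset is treated as rejected, so there
// is no pre-ticked default. The timestamp, the banner text version and the
// Cookie Policy version are stored so you can later show what was agreed to.
function makeConsentRecord(choices, meta) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = choices[c] === true;
  return { granted, timestamp: meta.now, bannerVersion: meta.bannerVersion,
           policyVersion: meta.policyVersion, method: meta.method };
}

// Prior blocking: decide which tags may run. With no record at all (first
// visit, or "implied consent" from browsing) only strictly necessary tags load.
function tagsAllowedToLoad(inventory, record) {
  return inventory
    .filter((t) => t.category === ESSENTIAL ||
                   (record != null && record.granted[t.category] === true))
    .map((t) => t.id);
}

// "Accept" and "Reject" are one-click actions of equal weight.
function acceptAll(meta) {
  const all = Object.fromEntries(CATEGORIES.map((c) => [c, true]));
  return makeConsentRecord(all, { ...meta, method: "accept_all" });
}
function rejectAll(meta) {
  return makeConsentRecord({}, { ...meta, method: "reject_all" });
}

// Withdrawal is a new record superseding the old one, as easy as consenting.
function withdraw(record, category, meta) {
  return makeConsentRecord({ ...record.granted, [category]: false },
                           { ...meta, method: "withdraw" });
}
```

In a real site the `record` would be read from a first-party cookie or local storage at page load and the allowed tag ids used to activate the corresponding script tags, which stay inert until then.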
Common PECR Cookie Mistakes (And How To Avoid Them)
- Setting analytics or marketing cookies before consent: Fix with prior blocking and tag management.
- Banners without a “Reject” option: Add an equally prominent reject button and a preference centre.
- Inaccurate or outdated Cookie Policies: Update regularly and align with actual scripts in use.
- Relying on “legitimate interests” for tracking cookies: PECR typically requires consent for non‑essential cookies, regardless of GDPR lawful bases.
- Using “implied consent” from continued browsing: This is not sufficient for non‑essential cookies.
- Forgetting apps and non‑website tech: SDKs in mobile apps and connected devices also fall within PECR if they store or access information on user devices.
How PECR Cookies Fit Into Your Wider Privacy Compliance
Cookie compliance is one piece of your privacy framework. To stay protected as you scale, it’s worth looking at your broader data protection practices too - from policy hygiene and vendor management to incident response and staff training.
If you want to streamline this, consider a joined-up approach to your core documents and workflows, such as a tailored privacy stack or a packaged solution like a data protection toolkit. That typically includes a compliant Privacy Policy, a Cookie Policy, consent wording, and the right vendor terms - the essentials you need to be protected from day one.
Key Takeaways
- PECR requires you to give users clear information and get prior consent for any non‑essential cookies (analytics, advertising, social plug‑ins and most third‑party tools).
- Valid consent must be freely given, specific, informed and unambiguous - with equal “Accept” and “Reject” options and granular controls by category.
- Use a compliant banner, a detailed Cookie Policy and a transparent Privacy Policy that all align with your actual tech stack.
- Block non‑essential cookies until consent is captured, keep robust consent records, and ensure appropriate contracts are in place with vendors (e.g. a Data Processing Agreement where needed).
- PECR also covers direct marketing - email and SMS to individuals require consent unless the soft opt‑in applies, and every message must include an easy opt‑out.
- Review your obligations under UK GDPR in parallel and check whether you need to register with the ICO or if any ICO fee exemptions apply.
If you’d like tailored help getting your PECR cookies and privacy setup right, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no‑obligations chat.