Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business has a website (or app), chances are you’re using cookies or similar tracking technologies - even if it’s “just” for analytics or basic functionality.
And while cookies can be incredibly useful for improving your site and marketing, they also come with legal obligations. In the UK, cookie compliance is mainly driven by the Privacy and Electronic Communications Regulations (PECR) and the UK GDPR (plus the Data Protection Act 2018).
This guide breaks down the key cookie policy requirements in the UK that small businesses should know, what your cookie policy should include, and how to avoid the common traps that cause compliance issues.
What Are The UK Cookie Rules (And Which Laws Apply)?
When people talk about “cookie law” in the UK, they’re usually referring to two legal frameworks that work together:
1) PECR (Cookie Consent Rules)
PECR sets the core rule: you generally must not store cookies on a user’s device (or access cookies already stored) unless:
- you provide the user with clear and comprehensive information about those cookies; and
- you get the user’s consent before placing them, unless an exemption applies.
The key exemption is for cookies that are “strictly necessary” to provide a service the user has requested (for example, adding items to a shopping cart or keeping a user logged in). In practice, “strictly necessary” is interpreted narrowly and depends on what the cookie does in your particular set-up.
2) UK GDPR (Personal Data + Consent Standards)
UK GDPR comes into play when cookies (or identifiers collected via cookies) involve personal data - which is common, because analytics, advertising, and device identifiers often relate to an identifiable person.
UK GDPR matters because it sets the standard for valid consent and requires transparency about processing personal data. That means your cookie consent mechanism and your written cookie information both need to meet GDPR-level expectations (not just a vague “by using this site you agree”).
In practice, many UK businesses should treat cookie compliance as: PECR tells you when consent is needed; UK GDPR tells you what that consent must look like and what you must tell people.
Do You Actually Need A Cookie Policy In The UK?
Often, yes - if your website uses any cookies beyond what’s strictly necessary, you should have a dedicated cookie policy (or a clearly labelled cookie section within your privacy documentation).
Even where you only use strictly necessary cookies, having a cookie policy can still be a smart move because it:
- shows transparency (which is a key GDPR principle);
- helps users understand what’s happening on your site;
- reduces complaints and trust issues (“why is this site tracking me?”); and
- supports your broader compliance documents (like your Privacy Policy).
If you sell online, take bookings, run ads, or use analytics tools, you’re very likely using cookies that require consent - so it’s worth making sure your cookie policy and cookie banner (or equivalent consent tool) are set up properly.
Cookie Policy Requirements UK: What Your Policy Needs To Include
A compliant cookie policy is more than a list of cookie names. It’s meant to be a clear explanation that helps a user make an informed decision about whether to accept non-essential cookies.
Here’s what your cookie policy should usually include for UK GDPR and PECR compliance.
1) A Plain-English Explanation Of What Cookies Are
This sounds basic, but it matters. Your audience isn’t lawyers or developers - it’s your customers.
A short explanation should cover:
- what cookies are (small text files stored on a user’s device);
- what they do (help your website work, remember preferences, analyse usage, deliver relevant ads); and
- that similar technologies may also be used (like pixels, SDKs, local storage, tags).
2) The Types Of Cookies You Use (By Category)
Most businesses structure cookies into categories. Common categories include:
- Strictly Necessary Cookies (no consent required if genuinely necessary)
- Performance / Analytics Cookies
- Functionality Cookies (preferences, personalisation)
- Marketing / Advertising Cookies
Be careful with labels. Calling something “necessary” doesn’t make it necessary. If it’s there to help you track conversions or improve your marketing, it’s usually not strictly necessary.
3) A Detailed Cookie List (Or A Clear Way To Access It)
Your cookie policy should identify the cookies in use in a meaningful way. Many businesses include a table setting out:
- cookie name
- purpose
- duration/expiry
- whether it’s first-party or third-party
If your website uses a cookie consent platform that automatically scans and populates cookie details, that can work - but only if it's accurate and kept up to date. Be aware that a scanner only sees the cookies set on the pages it crawls: cookies that appear only after login, during checkout, or when an embedded widget is interacted with are easy to miss, so spot-check those journeys by hand.
Also, remember that cookies can change when you add plugins, update site themes, embed videos, add chat widgets, or run new ad campaigns. A cookie list is not a “set and forget” document.
4) Clear Information About Third Parties
If third parties set cookies through your site (for example, embedded content, advertising networks, analytics providers, social media integrations), you should explain:
- who the third party is (at least at a category level, and ideally by naming the third party);
- what those cookies do; and
- where users can find out more (for example, links to third-party privacy/cookie information).
This is important because third-party cookies are a major driver of privacy risk - and users should understand who else is involved in tracking.
5) How Users Can Accept, Reject, Or Change Cookie Settings
This is a big one for cookie policy requirements in the UK.
Your cookie policy should explain (and ideally link to):
- how to change cookie preferences on your website (for example, via a “cookie settings” button);
- how to disable cookies through browser settings (with a note that this may affect functionality); and
- how to opt out of certain types of advertising cookies where relevant.
From a practical perspective, it’s best to make “change preferences” available at any time - not only at the first visit.
6) The Date And Versioning (So It’s Clear When You Updated It)
It’s good practice to show:
- the date your cookie policy was last updated; and
- if possible, a brief note of what changed.
This helps demonstrate you’re actively maintaining compliance as your business evolves.
Cookie Banners And Consent: What “Good” Looks Like In The UK
A cookie policy is only half the story. For many small businesses, the real compliance risk sits in the cookie banner and consent process.
Here’s what UK regulators generally expect to see.
Consent Must Be Opt-In (Not Implied)
If non-essential cookies are involved, consent needs to be:
- freely given (real choice, no unfair pressure)
- specific and informed (the user understands what they’re agreeing to)
- unambiguous (clear affirmative action)
So approaches like “By continuing to use this site, you accept cookies” are risky. They’re typically not treated as valid consent for non-essential cookies.
You Need A Real “Reject” Option
It’s common to see banners that effectively push users to accept (big “Accept All” button, tiny hard-to-find settings).
To reduce risk, your banner should provide an option to reject non-essential cookies just as easily as accepting them - typically a “Reject All” button at the same level as “Accept All”.
Don’t Drop Non-Essential Cookies Until Consent Is Given
This is one of the biggest technical compliance issues.
If your website loads marketing/analytics cookies automatically as soon as a user lands on the page, and the banner appears after cookies are already set, you've likely missed the point of consent. A quick check: open your site in a fresh private browsing window, do not touch the banner, and look at the stored cookies in your browser's developer tools - anything non-essential already sitting there has been set without consent.
In many cases, fixing this requires adjusting tag settings, your website scripts, and plugin configuration - not just changing the wording.
Give Granular Choices (Where Appropriate)
Many businesses offer category-based toggles (analytics on/off, marketing on/off). This can be a good approach, especially for users who want your website to function but don’t want tracking.
Granular controls won’t fix misleading wording or pre-ticked boxes - but when implemented properly, they help demonstrate a privacy-by-design approach.
Keep A Record Of Consent
UK GDPR expects accountability. That means if you rely on consent, you should be able to show:
- what the user consented to;
- when they consented;
- how they consented; and
- what information they were shown at the time.
For many small businesses, a consent management tool helps with this - but it still needs correct configuration.
Common Cookie Compliance Mistakes Small Businesses Make
Most cookie compliance problems aren’t caused by bad intentions - they happen because cookies are often introduced quietly through website themes, plugins, and third-party tools.
Here are some of the most common pitfalls we see.
1) Treating Analytics As “Strictly Necessary”
Analytics is useful, but it is not strictly necessary to provide a service a user requested, so analytics cookies fall outside the PECR exemption and require consent - even where the data is pseudonymous. Where those cookies also identify users or track behaviour, UK GDPR applies on top.
2) Having A Cookie Policy That Doesn’t Match Reality
Your cookie policy should reflect what your site actually does.
If your policy says “we only use essential cookies” but you’re running ads, tracking conversions, or using embedded third-party content that drops cookies, that mismatch can create legal and reputational risk.
3) Forgetting About Embedded Content
Embedded videos, maps, social media feeds, review widgets, and chat tools can all introduce third-party cookies.
If your business relies on embedded content to generate leads, bookings, or sales, it’s worth doing a cookie audit whenever you change those features.
4) Relying On Generic Templates Without Reviewing Your Setup
A cookie policy template can give you a starting point - but cookie policy requirements in the UK depend heavily on your site’s actual cookies and what personal data is being processed.
If you’re also collecting customer data through forms, checkouts, or user accounts, it’s worth aligning your cookie policy with your broader documents, like your Website Terms And Conditions and (if you sell online) your E-Commerce Terms And Conditions.
5) Not Giving Users An Easy Way To Change Their Mind
Under UK GDPR, users should be able to withdraw consent, and withdrawing it should be as easy as giving it was. If there's no persistent cookie settings link (for example, in the website footer), users can feel trapped - and that's when complaints happen.
Practical Steps To Get Your Cookie Compliance Sorted (Without It Taking Over Your Week)
Cookie compliance can feel technical, but you can approach it step-by-step.
Step 1: Audit Your Cookies
Start by identifying:
- what cookies your website actually uses;
- what triggers them (landing page, checkout, embedded content, ads);
- whether they are essential or non-essential; and
- which third parties are involved.
This is often the biggest “aha” moment for business owners - many sites have far more cookies than expected.
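To turn an audit into the table described in section 3 (name, duration, first- or third-party), the script below parses captured Set-Cookie headers. It is an added example, not Sprintlaw's code: the site host, the sample entries and the simplified registrable-domain rule are all assumptions, and the entries are constructed to look like what you would copy from the browser's Network tab or a HAR export. Cookies set by JavaScript via document.cookie (most analytics and ad tags set theirs this way) never appear in response headers, so pair this with a look at the browser's Cookies/Storage panel.

```javascript
// Added example (not the page's or any vendor's code): build an audit table
// from captured Set-Cookie headers. SITE_HOST and SAMPLE_ENTRIES are assumptions.

const SITE_HOST = "www.example.co.uk"; // hypothetical site being audited

// Simplified registrable-domain rule: last two labels, or last three when the
// second-to-last label is two letters ("co.uk"). A real audit should use the
// Public Suffix List; this is enough to separate your domain from vendors'.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  const shortSecond = labels.length >= 3 && labels[labels.length - 2].length <= 2;
  return labels.slice(shortSecond ? -3 : -2).join(".");
}

// Parse one Set-Cookie header. Max-Age wins over Expires (RFC 6265).
function parseSetCookie(header, requestUrl, capturedAt) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    domain: new URL(requestUrl).hostname, // host-only cookie unless Domain= is given
    maxAgeSeconds: null,                  // null => session cookie
    secure: false, httpOnly: false, sameSite: null,
  };
  for (const attr of attrs) {
    const [k, ...rest] = attr.split("=");
    const key = k.trim().toLowerCase();
    const value = rest.join("=").trim();
    if (key === "max-age") cookie.maxAgeSeconds = Number(value);
    else if (key === "expires" && cookie.maxAgeSeconds === null)
      cookie.maxAgeSeconds = Math.round((Date.parse(value) - capturedAt.getTime()) / 1000);
    else if (key === "domain") cookie.domain = value.replace(/^\./, "").toLowerCase();
    else if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.sameSite = value;
  }
  return cookie;
}

// One row per captured header: the columns the cookie policy table needs,
// plus the security attributes a reviewer will ask about.
function auditCookies(entries, siteHost = SITE_HOST, capturedAt = new Date("2024-06-01T00:00:00Z")) {
  const siteDomain = registrableDomain(siteHost);
  return entries.map(({ requestUrl, setCookie }) => {
    const c = parseSetCookie(setCookie, requestUrl, capturedAt);
    return {
      name: c.name,
      domain: c.domain,
      setBy: new URL(requestUrl).hostname,
      party: registrableDomain(c.domain) === siteDomain ? "first-party" : "third-party",
      duration: c.maxAgeSeconds === null ? "session" : `${Math.round(c.maxAgeSeconds / 86400)} days`,
      secure: c.secure, httpOnly: c.httpOnly, sameSite: c.sameSite,
    };
  });
}

// Constructed sample capture (not real traffic): a login session cookie, a
// basket cookie, a first-party stats cookie with both Expires and Max-Age,
// and an ad-network cookie set from a third-party host.
const SAMPLE_ENTRIES = [
  { requestUrl: "https://www.example.co.uk/",
    setCookie: "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { requestUrl: "https://www.example.co.uk/basket",
    setCookie: "basket=item42; Max-Age=604800; Path=/; Domain=.example.co.uk; Secure" },
  { requestUrl: "https://stats.example.co.uk/collect",
    setCookie: "_visit=9f1e; Expires=Sat, 01 Jun 2024 00:00:00 GMT; Max-Age=2592000; Path=/" },
  { requestUrl: "https://ads.adnetwork-example.net/pixel",
    setCookie: "adid=xyz; Expires=Sun, 01 Jun 2025 00:00:00 GMT; Path=/; Secure; SameSite=None" },
];

console.table(auditCookies(SAMPLE_ENTRIES));
```

Each row still needs a human to fill in the purpose and category columns; the script cannot tell you whether `_visit` is strictly necessary, only that it lives for 30 days and is yours rather than a vendor's.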
Step 2: Decide What You Truly Need
From a business perspective, it’s worth asking:
- Do you need marketing cookies right now, or can you start with analytics only?
- Do you need every plugin, widget, or tracking tool currently installed?
- Can you replace certain tools with more privacy-friendly alternatives?
Less tracking often means less compliance burden.
Step 3: Set Up A Proper Consent Mechanism
Your cookie banner should:
- block non-essential cookies until consent;
- offer “Accept All” and “Reject All” at the same level;
- provide granular controls where appropriate; and
- link to your cookie policy for details.
Make sure cookie settings are accessible at any time (a footer link is common), alongside your Cookie Policy.
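The requirements in the consent sections above (hold non-essential cookies back until consent, per-category choices, a record of what was consented to and when, and an easy way to withdraw) and in this Step 3 come down to one piece of front-end logic. Below is an added example of that logic, not Sprintlaw's code and not any consent platform's API: the category names, POLICY_VERSION, the storage adapter and the demo tags are assumptions. Storage and tag loaders are injected so the same gate runs in a browser (localStorage plus script injection) or, as here, in a plain Node test.

```javascript
// Added example (not the page's or any vendor's code): a consent gate.
// Non-essential tags are registered but only executed once the matching
// category has been granted against the current policy version.

const POLICY_VERSION = "2024-06-01"; // assumed; bump when the cookie policy changes
const CATEGORIES = ["analytics", "functionality", "marketing"]; // assumed categories

function createConsentGate({ storage, now = () => new Date() }) {
  const tags = [];            // { category, load, revoke, loaded }
  let record = storage.get(); // previously stored consent record, or null

  // A stored record only counts if it was given against the policy the
  // user can currently read; an older version means the banner comes back.
  function current() {
    return record && record.policyVersion === POLICY_VERSION ? record : null;
  }

  function allowed(category) {
    const r = current();
    return r !== null && r.choices[category] === true;
  }

  // Load every permitted tag that has not run yet; when a category has been
  // withdrawn, call the tag's revoke() so it can expire the cookies it set
  // and remove its script element (a later re-grant then runs load() again).
  function reconcile() {
    for (const tag of tags) {
      const ok = allowed(tag.category);
      if (ok && !tag.loaded) { tag.loaded = true; tag.load(); }
      else if (!ok && tag.loaded && tag.revoke) { tag.loaded = false; tag.revoke(); }
    }
  }

  // Registering a tag never executes it: that is the "no cookies before
  // consent" rule. In a browser, load() would inject the vendor <script>.
  function register(category, load, revoke) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    tags.push({ category, load, revoke, loaded: false });
    reconcile(); // valid consent from an earlier visit => load straight away
  }

  // Persist a decision. The record captures what was consented to (choices),
  // when (at), how (method) and what the user was shown (policyVersion).
  function decide(choices, method) {
    const normalised = Object.fromEntries(CATEGORIES.map((c) => [c, choices[c] === true]));
    record = { policyVersion: POLICY_VERSION, choices: normalised, method, at: now().toISOString() };
    storage.set(record);
    reconcile();
    return record;
  }

  return {
    register,
    allowed,
    needsBanner: () => current() === null,
    record: () => current(),
    acceptAll: () => decide(Object.fromEntries(CATEGORIES.map((c) => [c, true])), "banner:accept_all"),
    rejectAll: () => decide({}, "banner:reject_all"),
    update: (choices, method = "settings:update") => decide(choices, method),
  };
}

// In-memory storage for the demo. A browser adapter would read and write
// JSON under one key in localStorage instead.
function memoryStorage(initial = null) {
  let value = initial;
  return { get: () => value, set: (v) => { value = v; } };
}

// Demo: a visitor lands (nothing runs), allows analytics only via settings,
// then rejects everything from the footer link later in the session.
function demo() {
  const events = [];
  const gate = createConsentGate({ storage: memoryStorage(), now: () => new Date("2024-06-02T10:00:00Z") });
  gate.register("analytics", () => events.push("analytics:loaded"), () => events.push("analytics:revoked"));
  gate.register("marketing", () => events.push("marketing:loaded"));
  const firedBeforeConsent = events.length; // 0: nothing ran on landing
  gate.update({ analytics: true }, "banner:settings");
  gate.update({}, "footer:reject_all");
  return { firedBeforeConsent, events, record: gate.record() };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two design points worth noting. First, the "Reject All" path stores a record too: a refusal is a decision you should be able to evidence, and it stops the banner reappearing on every page. Second, revoking cannot un-send data a tag already transmitted; what the revoke callback can do is expire the cookies the tag set (write them back with a past expiry) so tracking stops from that point, which is what a withdrawal is meant to achieve.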
Step 4: Update Your Written Policies So They Match Your Website
This is where many businesses tighten things up from a legal perspective.
Your cookie policy should work together with your privacy compliance framework. Depending on your setup, it may also be worth reviewing your overall data protection approach and getting advice through a Data Protection Consultation - especially if you’re using customer profiling, remarketing, or collecting special category data.
If you’re scaling or want a more complete set-up, a packaged approach (like a GDPR Package) can help bring the moving pieces together in a consistent way.
Step 5: Put A Review Reminder In Your Calendar
A good rule of thumb is to review cookie compliance:
- when you change website platforms/themes;
- when you add new plugins or embedded content;
- when you start a new advertising campaign; and
- at least every 6–12 months even if nothing major changes.
This helps keep your cookie list accurate and reduces the risk of “silent” tracking changes over time.
Key Takeaways
- In the UK, cookie compliance is mainly governed by PECR (when consent is required) and the UK GDPR (consent standards, transparency, and accountability where personal data is involved).
- Many small business websites benefit from a cookie policy, especially if they use analytics, marketing tools, embedded content, or third-party integrations.
- Your cookie policy should clearly explain what cookies you use, why you use them, how long they last, and how users can accept/reject/change cookie settings.
- For non-essential cookies, consent should generally be opt-in, with a genuine ability to reject cookies and withdraw consent later.
- A common compliance issue is setting cookies before consent - fixing this often requires technical configuration, not just updated wording.
- Cookie compliance is not “set and forget”; you should review your cookies regularly, especially after site updates or new marketing activity.
If you’d like help getting your cookie policy and consent set-up right (and making sure it matches how your website actually works), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.
Business legal next step
When should you formalise this?
If you collect customer data, sell online or run marketing campaigns, your public terms and privacy documents should match the real customer journey.