Cookie consent banners are now a standard feature of most websites — but many businesses still get them wrong. Here's what UK law requires, what counts as valid consent, and how to make sure your cookie banner is actually compliant.
What Are Cookies?
Cookies are small text files that websites store on a visitor's device. They serve many purposes — from keeping you logged in to a website, to tracking your browsing behaviour across the internet for advertising purposes.
Not all cookies are equal from a privacy perspective. The key distinction is between:
- Essential cookies — necessary for the website to function (e.g. session cookies, CSRF tokens, shopping cart cookies). These do not require consent.
- Non-essential cookies — analytics, advertising, personalisation, and social media cookies. These require prior consent under UK law.
What Does UK Law Say?
In the UK, cookie consent is governed by two overlapping pieces of legislation:
- UK GDPR — requires a lawful basis for processing personal data. For non-essential cookies that process personal data, consent is the appropriate lawful basis.
- PECR (Privacy and Electronic Communications Regulations) — specifically requires prior consent before placing non-essential cookies, regardless of whether they process personal data.
Together, these mean that if your website uses any non-essential cookies — including Google Analytics — you must obtain consent before they are placed.
What Counts as Valid Consent?
Under UK GDPR and PECR, valid consent must be:
- Freely given — users must be able to refuse without being penalised
- Specific — users should know what they are consenting to
- Informed — users should understand what cookies do
- Unambiguous — consent must be a clear, affirmative action
This means the following are not valid consent:
- A banner that says "by continuing to use this site you accept cookies"
- A banner with only an "Accept" button and no way to decline
- Pre-ticked checkboxes
- Cookies that load before the user has made a choice
What a Compliant Cookie Banner Looks Like
A compliant cookie consent banner should:
- Appear before any non-essential cookies load
- Clearly explain what types of cookies are used
- Offer a genuine choice — accept, reject, or manage preferences
- Make it as easy to reject as to accept
- Allow users to change their preferences at any time
- Record consent so you can demonstrate it if challenged
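One way to enforce the points above in client-side code, as an added example that is not taken from this page or from any of the tools it names. The category names, the record fields, the `consent` storage key and the policy version string are assumptions made for illustration.

```javascript
// Added example: a default-deny consent gate. Category names, record fields,
// the "consent" key and POLICY_VERSION are assumptions, not a real tool's API.
const POLICY_VERSION = "policy-v1-constructed";
const CATEGORIES = ["analytics", "advertising", "personalisation", "social"];

// Starting state: every non-essential category is off (no pre-ticked boxes).
function defaultChoices() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, false]));
}

// Build the record from an explicit user action ("accept-all", "reject-all",
// "save-preferences"). Only a literal `true` counts as opting in.
function buildRecord(choices, action, now = new Date()) {
  const granted = defaultChoices();
  for (const c of CATEGORIES) granted[c] = choices[c] === true;
  return { version: POLICY_VERSION, action, choices: granted, timestamp: now.toISOString() };
}

// Read the stored record. Missing, malformed or out-of-date records return
// null, which means "no choice made yet": show the banner, load nothing extra.
function loadRecord(storage) {
  try {
    const rec = JSON.parse(storage.getItem("consent"));
    const ok = rec && rec.version === POLICY_VERSION && rec.choices && typeof rec.choices === "object";
    return ok ? rec : null;
  } catch {
    return null;
  }
}

function saveRecord(storage, record) {
  storage.setItem("consent", JSON.stringify(record));
}

// Decide which tagged scripts may be injected for a given record.
function scriptsToLoad(record, scripts) {
  return scripts.filter(
    (s) => s.category === "essential" || (record !== null && record.choices[s.category] === true)
  );
}

// Constructed sample: scripts tagged by category instead of hard-coded in the HTML.
const SCRIPTS = [
  { src: "/js/app.js", category: "essential" },
  { src: "/js/analytics.js", category: "analytics" },
  { src: "/js/ads.js", category: "advertising" },
];
```

In a page, `storage` would be `window.localStorage`, and each entry returned by `scriptsToLoad` would be added as a script element only after the visitor has acted on the banner. Sending a copy of the record to your own server, so it can be produced later, is left out here.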
Do I Need a Cookie Banner If I Only Use Google Analytics?
Yes. Google Analytics uses cookies and collects personal data (including IP addresses). Its cookies are not essential. You must obtain consent before Google Analytics loads on your site.
If you want to avoid the need for cookie consent entirely, consider switching to a cookieless analytics tool such as Plausible or Fathom, which collect anonymous aggregate data without using cookies or processing personal data.
Popular Cookie Consent Tools
There are many tools available to help you implement compliant cookie consent, including:
- Cookiebot
- OneTrust
- TrustArc
- Osano
- Termly
Most offer free tiers suitable for small websites. Whichever tool you choose, make sure it blocks non-essential cookies until consent is given, rather than just displaying a notice.
Check Your Cookie Compliance
ClearlyCompliant automatically checks whether your site has a cookie consent banner, whether a cookie preferences link is present, and whether your privacy policy covers your cookie usage — for £29.99.