Regulations

UK GDPR and Cookie Compliance After Brexit: What You Need to Know

Gretelfy Team · February 19, 2026 · 10 min read
Tags: UK GDPR, ICO, Brexit, PECR, compliance

Does your website serve UK visitors? If so, you are operating under a separate privacy regime from the EU -- one with its own regulator, its own enforcement track record, and its own cookie-specific legislation. Getting this wrong can mean fines from the ICO, even if you are fully compliant with EU GDPR.

Since Brexit, the UK has retained GDPR principles under its own "UK GDPR," administered by the Information Commissioner's Office (ICO). But the regulatory landscape is not a carbon copy of the EU's. From PECR (the Privacy and Electronic Communications Regulations) to diverging enforcement priorities, UK cookie compliance has its own set of challenges.

UK GDPR vs EU GDPR: What Actually Changed

When the UK left the EU, the Data Protection Act 2018 incorporated GDPR into domestic law, creating what is commonly referred to as "UK GDPR." The core principles -- lawfulness, purpose limitation, data minimisation, consent -- remain identical. But several practical differences matter for website operators:

Legislative Framework

  • UK GDPR is the retained version of the EU General Data Protection Regulation, supplemented by the Data Protection Act 2018.
  • PECR (Privacy and Electronic Communications Regulations 2003) is the UK's equivalent of the EU ePrivacy Directive. PECR specifically governs cookies, electronic marketing, and communications data.
  • The EU's forthcoming ePrivacy Regulation does not apply in the UK. PECR remains the operative cookie legislation.

Regulatory Authority

The Information Commissioner's Office (ICO) is the sole supervisory authority for UK data protection. Unlike the EU's one-stop-shop mechanism with 27 national regulators, UK enforcement is centralised. This means faster investigations but also a single authority setting precedent.

Adequacy Status

The EU granted the UK an adequacy decision in June 2021, allowing personal data to flow freely from the EU to the UK. This decision is subject to periodic review. If adequacy lapses, EU-to-UK data transfers would require additional safeguards -- a scenario that would directly affect how cross-border websites handle cookies and analytics data.

ICO Enforcement: How the UK Regulator Approaches Cookies

The ICO has taken a distinct approach to cookie enforcement compared to its EU counterparts. While EU DPAs like the CNIL and the Irish DPC have issued headline-grabbing fines, the ICO has historically favoured engagement and guidance before penalties.

In 2024 and 2025, the ICO shifted toward more direct enforcement:

  • Sector sweeps: The ICO conducted coordinated audits of websites in financial services, healthcare, and government sectors, specifically examining pre-consent cookie behaviour.
  • Reprimands and enforcement notices: Several major UK brands received formal reprimands for cookie violations, with deadlines to remediate.
  • Monetary penalties: The ICO imposed fines on organisations that failed to respond to initial warnings, signalling that the "education first" era has a hard deadline.

The ICO has stated publicly that cookie compliance is a priority area for 2026, particularly around consent mechanisms and third-party tracking.

ICO Fining Powers

Under UK GDPR, the ICO can issue fines of up to:

  • Standard maximum: GBP 8.7 million or 2% of annual global turnover
  • Higher maximum: GBP 17.5 million or 4% of annual global turnover

These mirror the EU's tiered fining structure. While the ICO has historically issued lower fines than some EU DPAs, the trend in 2026 is toward higher penalties and more frequent enforcement actions.

PECR: The UK's Cookie-Specific Law

PECR is where the specifics of UK cookie law live. While UK GDPR provides the overarching data protection framework, PECR sets the rules for storing information on -- or accessing information from -- a user's device.

Under PECR Regulation 6:

  1. Clear and comprehensive information must be provided about the purposes of cookies
  2. Consent must be obtained before setting non-essential cookies
  3. Consent must be freely given, specific, and informed (borrowing the UK GDPR standard)

What Counts as "Necessary" Under PECR

PECR exempts cookies that are "strictly necessary" for providing a service explicitly requested by the user. This includes:

  • Session cookies for shopping baskets
  • Authentication cookies
  • Load-balancing cookies
  • Cookies that remember consent preferences

It does not include:

  • Analytics cookies (even first-party)
  • Functionality cookies for personalisation
  • Any form of advertising or marketing cookie
  • Social media sharing widgets

This is a common area of confusion. Many UK website owners assume that first-party analytics are exempt. They are not.

PECR vs ePrivacy Directive

Key differences between PECR and the EU's ePrivacy framework:

  • Scope: PECR (UK) applies to cookies and similar technologies; the ePrivacy Directive (EU) has the same scope.
  • Consent standard: PECR uses the UK GDPR standard (freely given, specific, informed); the ePrivacy Directive uses the EU GDPR standard.
  • Enforcement: the ICO only (UK); national DPAs (EU).
  • Upcoming reform: the UK Data Protection and Digital Information Act (UK); the ePrivacy Regulation, currently stalled (EU).
  • Cookie wall guidance: ICO guidance discourages them (UK); EDPB guidance restricts them (EU).

Cross-Border Considerations

If your website serves both UK and EU audiences, you face dual compliance obligations. This is where things get complicated.

Dual Compliance Scenarios

Scenario 1: UK company, EU visitors

You must comply with both UK GDPR/PECR for UK users and EU GDPR/ePrivacy for EU users. In practice, this means your Consent Management Platform (CMP) must be able to distinguish between UK and EU visitors and apply the appropriate consent framework.

Scenario 2: EU company, UK visitors

You need to comply with UK GDPR and PECR for your UK visitors. If you process significant volumes of UK personal data, you may need to appoint a UK representative.

Scenario 3: Non-EU/UK company targeting both markets

You must comply with both regimes and may need representatives in both jurisdictions.

Data Transfers

The EU-UK adequacy decision means data can flow between the EU and UK without additional safeguards -- for now. However:

  • Analytics data collected via cookies from UK users and processed in the EU (or vice versa) relies on this adequacy decision
  • If adequacy is revoked, you would need Standard Contractual Clauses or other transfer mechanisms
  • Third-country transfers (UK to US, for example) follow UK-specific rules, including the UK International Data Transfer Agreement

UK Cookie Compliance Checklist

Use this checklist to verify your UK compliance posture:

Consent Mechanism

  • Consent banner appears before any non-essential cookies fire
  • Banner provides clear information about cookie purposes
  • Users can accept or reject non-essential cookies with equal ease
  • No pre-ticked checkboxes for non-essential categories
  • Granular consent options are available (analytics, marketing, etc.)
  • Consent preferences can be changed at any time
  • Consent records are stored and auditable

Technical Implementation

  • No analytics cookies set before consent (including Google Analytics)
  • No marketing pixels fire before consent (Facebook, LinkedIn, etc.)
  • Tag manager configured with consent-based triggers
  • Third-party scripts blocked until appropriate consent category is granted
  • Cookie duration does not exceed what is necessary for the stated purpose
  • Cookie policy is accessible and up to date
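As an added example (not Gretelfy's code and not any real CMP), the JavaScript below shows the shape of a consent gate that satisfies the consent-mechanism and technical-implementation items above: every non-essential category starts as denied, vendor loaders (the tag or pixel you would otherwise drop straight into the page) are queued until their category is granted, and every decision is appended to an auditable record. The category names, the record fields, the `regime` label and the `injectScript` helper are assumptions for illustration.

```javascript
// Added example, not part of the original post. A minimal consent gate:
// nothing non-essential runs until the visitor grants that category, and
// each decision is logged so it can be produced on request.

const CATEGORIES = ['necessary', 'analytics', 'marketing', 'functional']; // assumed taxonomy

class ConsentGate {
  constructor({ regime, policyVersion, now = () => new Date().toISOString() }) {
    this.regime = regime;               // e.g. 'UK GDPR + PECR' (assumed label, set by geo-detection)
    this.policyVersion = policyVersion; // which cookie policy text the consent was given against
    this.now = now;
    // Default state: only strictly necessary is on; nothing is pre-ticked.
    this.state = Object.fromEntries(CATEGORIES.map(c => [c, c === 'necessary']));
    this.pending = Object.fromEntries(CATEGORIES.map(c => [c, []]));
    this.records = [];                  // append-only consent log
  }

  // Register a loader that must not run until its category is granted.
  // Runs at once if the category is already granted, otherwise it is queued.
  whenGranted(category, loader) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category ${category}`);
    if (this.state[category]) loader();
    else this.pending[category].push(loader);
  }

  // Apply an explicit decision: `decision` maps category -> boolean. 'necessary'
  // cannot be refused; anything not explicitly true is treated as refused, so
  // "reject all" is an empty object and no category is granted by omission.
  record(decision, source) {
    const applied = { necessary: true };
    for (const c of CATEGORIES) {
      if (c !== 'necessary') applied[c] = decision[c] === true;
    }
    this.records.push({ at: this.now(), regime: this.regime, policyVersion: this.policyVersion, source, applied });
    for (const c of CATEGORIES) {
      const newlyGranted = applied[c] && !this.state[c];
      this.state[c] = applied[c];
      // Flush queued loaders only on a grant. Revoking changes the state for
      // future loads; tags already injected are outside this example.
      if (newlyGranted) this.pending[c].splice(0).forEach(fn => fn());
    }
    return applied;
  }

  acceptAll(source = 'banner:accept-all') {
    return this.record(Object.fromEntries(CATEGORIES.map(c => [c, true])), source);
  }

  rejectAll(source = 'banner:reject-all') { return this.record({}, source); }

  granted() { return CATEGORIES.filter(c => this.state[c]); }
}

// Browser helper (assumed): inject a script tag. Guarded so the file also runs under Node.
function injectScript(src) {
  if (typeof document === 'undefined') return false;
  const s = document.createElement('script');
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
  return true;
}

// Constructed walk-through: loaders registered before any decision stay queued,
// a granular choice releases only the granted category, and a later rejection
// is recorded alongside the earlier grant.
function demo() {
  const fired = [];
  const gate = new ConsentGate({ regime: 'UK GDPR + PECR', policyVersion: '2026-02' });
  gate.whenGranted('analytics', () => fired.push('analytics-tag'));
  gate.whenGranted('marketing', () => fired.push('marketing-pixel'));
  const beforeDecision = fired.length;                 // expected 0: nothing fires pre-consent
  gate.record({ analytics: true }, 'banner:granular'); // visitor allows analytics only
  const grantedAfterChoice = gate.granted();
  const late = [];
  gate.whenGranted('analytics', () => late.push('late-tag')); // already granted: runs immediately
  gate.rejectAll();
  return {
    beforeDecision,
    firedAfterGrant: fired.slice(),
    grantedAfterChoice,
    lateRanImmediately: late.length === 1,
    grantedAfterReject: gate.granted(),
    recordCount: gate.records.length,
  };
}
```

The two properties worth checking before a release are visible in `demo()`: nothing registered through `whenGranted` runs while the state is at its default, and a granular decision releases only the category the visitor actually chose. The `records` array is what you hand to an auditor; it should be persisted server-side rather than kept only in memory as here.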

PECR-Specific Requirements

  • Cookie policy clearly lists all cookies, their purposes, and expiry times
  • First-party analytics treated as requiring consent (not "strictly necessary")
  • PECR-compliant information is provided before or at the time consent is sought
  • Consent mechanism works on all devices and browsers

Documentation and Governance

  • Cookie register maintained with categories, vendors, and purposes
  • Regular compliance scans performed (audit your site with a step-by-step approach)
  • Records of consent configuration changes
  • Data Processing Agreements in place with cookie-setting third parties
  • Staff training on cookie compliance responsibilities

Cross-Border (If Applicable)

  • CMP configured to detect user location and apply correct framework
  • UK representative appointed (if required)
  • Data transfer mechanisms in place for non-adequate countries
  • Privacy policy addresses both UK GDPR and EU GDPR where relevant

The UK Data Protection and Digital Information Act

The UK government has been developing the Data Protection and Digital Information Act (DPDI), which could modify certain aspects of cookie compliance. Key proposed changes include:

  • Legitimate interest for analytics: A potential exemption for first-party analytics cookies, removing the need for explicit consent in some cases
  • Cookie banner reform: Proposals to reduce "consent fatigue" by allowing browser-level settings to express preferences
  • Simplified compliance for low-risk processing: Reduced documentation requirements for smaller organisations

However, these proposals remain subject to parliamentary process and may change. Until the DPDI is enacted, PECR's current consent requirements remain in full force. Building your compliance programme on the existing rules is the safest approach.

Practical Steps for UK Compliance

Step 1: Run a Clean-Slate Scan

Visit your own website in a fresh browser session -- or better yet, use an automated scanner. You need to see exactly which cookies and scripts fire before a UK visitor interacts with any consent mechanism.

Step 2: Classify Each Cookie Against PECR

Map each cookie to its purpose and determine whether it qualifies as "strictly necessary" under PECR's narrow definition. Remember: analytics and personalisation cookies require consent.

Step 3: Configure Your CMP for UK Requirements

Ensure your CMP:

  • Blocks non-essential cookies by default
  • Provides granular consent categories
  • Offers an equally prominent reject option
  • Stores consent records for audit purposes

Step 4: Monitor Continuously

Cookie compliance is not a one-time task. New scripts, plugin updates, and third-party changes can introduce violations at any point. Schedule regular scans and set up alerts for regressions.
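The four steps above, together with the "strictly necessary" distinction from the PECR section, can be turned into one repeatable check. The JavaScript below is an added example, not Gretelfy's scanner or any ICO tooling: it takes the Set-Cookie headers captured in a clean session before any consent interaction (capturing them, with a browser automation tool or an intercepting proxy, is assumed to have happened already), classifies each cookie against a cookie register, flags anything that needs consent (first-party analytics included), compares observed lifetimes with the declared ones, and diffs the findings against the previous scan so regressions surface. The headers, the register, the domain and the baseline are constructed sample data.

```javascript
// Added example, not part of the original post. Pre-consent cookie audit over
// captured Set-Cookie headers, driven by a cookie register.

// PECR exemption list as described in the post, versus categories that need consent.
const EXEMPT = new Set(['session', 'auth', 'load-balancing', 'consent-preference']);
const NEEDS_CONSENT = new Set(['analytics', 'functional', 'advertising', 'social']);

// Parse one Set-Cookie header into name, session flag and lifetime in seconds.
// `capturedAt` (ms since epoch) is needed to turn an Expires date into a lifetime.
function parseSetCookie(header, capturedAt) {
  const [nameValue, ...attrs] = header.split(';').map(s => s.trim());
  const eq = nameValue.indexOf('=');
  const out = { name: eq === -1 ? nameValue : nameValue.slice(0, eq), session: true, maxAge: 0 };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    const val = i === -1 ? '' : a.slice(i + 1);
    if (key === 'max-age') {                      // Max-Age takes precedence over Expires
      out.maxAge = Number(val);
      out.session = false;
    } else if (key === 'expires' && out.session) {
      out.maxAge = Math.round((Date.parse(val) - capturedAt) / 1000);
      out.session = false;
    }
  }
  return out;
}

// Audit cookies seen before consent. Returns findings plus the names that were
// not already known from the previous scan (the regression list for Step 4).
function auditPreConsent(headers, register, { capturedAt, baseline = [] }) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h, capturedAt);
    const entry = register[c.name];
    if (!entry) {
      findings.push({ name: c.name, kind: 'unregistered', detail: 'not in the cookie register, so the cookie policy cannot describe it' });
      continue;
    }
    if (NEEDS_CONSENT.has(entry.category)) {
      findings.push({ name: c.name, kind: 'pre-consent', detail: `${entry.category} cookie set before consent; not "strictly necessary" under PECR` });
    } else if (!EXEMPT.has(entry.category)) {
      findings.push({ name: c.name, kind: 'unclassified', detail: `category ${entry.category} is not on the exemption list` });
    }
    // Lifetime check applies to exempt cookies too: a cookie must not outlive its stated purpose.
    const declared = entry.maxAgeSeconds ?? 0;    // null/undefined means "session only"
    const observed = c.session ? 0 : c.maxAge;
    if (observed > declared) {
      findings.push({ name: c.name, kind: 'lifetime', detail: `observed ${observed}s exceeds declared ${declared}s` });
    }
  }
  const known = new Set(baseline);
  const regressions = [...new Set(findings.map(f => f.name))].filter(n => !known.has(n));
  return { findings, regressions };
}

// ---- Constructed sample data (not from any real site) ----
const CAPTURED_AT = Date.parse('Wed, 18 Feb 2026 10:00:00 GMT');
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'cookie_consent=pending; Max-Age=15552000; Path=/',
  '_ga=GA1.2.111; Max-Age=63072000; Domain=.example.co.uk; Path=/',   // first-party analytics
  '_fbp=fb.1.222; Max-Age=7776000; Domain=.example.co.uk; Path=/',     // marketing pixel
  'lb_node=node3; Expires=Wed, 18 Feb 2026 11:00:00 GMT; Path=/',     // load balancing, 1 hour observed
  'theme=dark; Max-Age=31536000; Path=/',                              // nobody registered this one
];
const SAMPLE_REGISTER = {
  sessionid:      { category: 'session',            maxAgeSeconds: null },
  cookie_consent: { category: 'consent-preference', maxAgeSeconds: 15552000 },
  _ga:            { category: 'analytics',          maxAgeSeconds: 63072000 },
  _fbp:           { category: 'advertising',        maxAgeSeconds: 7776000 },
  lb_node:        { category: 'load-balancing',     maxAgeSeconds: 600 },     // declared 10 minutes
};
const PREVIOUS_SCAN = ['_ga', 'theme']; // findings already open from the last scheduled run

function runSampleAudit() {
  return auditPreConsent(SAMPLE_HEADERS, SAMPLE_REGISTER, { capturedAt: CAPTURED_AT, baseline: PREVIOUS_SCAN });
}
```

On the sample data the audit reports `_ga` and `_fbp` as set before consent, `lb_node` as living six times longer than its register entry declares, and `theme` as unregistered; only `_fbp` and `lb_node` are new relative to the previous scan, which is the list a scheduled job would alert on. Note that `sessionid` and `cookie_consent` produce nothing: exempt category, lifetime within what was declared.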

Verify Your UK GDPR Compliance

Whether you are a UK-based business or an international company serving UK visitors, cookie compliance under UK GDPR and PECR is a regulatory requirement with real enforcement consequences. The ICO is scanning, and the fines are increasing.

Scan your website for UK GDPR compliance →

Run a free scan to see your Gretel Score and identify any pre-consent violations that could put you at risk with the ICO. It takes 30 seconds, and the results include specific remediation steps for every issue found.
