Cookie Banners and the ICO: Getting Consent Right on UK Sites

Cookie banners are everywhere, and most of them are not quite right. In the UK, cookie rules come from the Privacy and Electronic Communications Regulations, known as PECR, working alongside the UK GDPR and enforced by the ICO. Here is how to get consent right.

What the rules actually require

Non-essential cookies, such as analytics and advertising trackers, need the visitor's consent before they load. Strictly necessary cookies, like those that keep a shopping basket working, do not. The ICO has been clear that consent must be a genuine, informed choice.

A banner that only offers Accept, or that loads tracking before the visitor decides, does not meet the standard.

Getting the banner right

• Block non-essential cookies until the visitor consents, not just after they see the banner.
• Make Reject as easy and prominent as Accept.
• Explain in plain terms what each category of cookie does.
• Let visitors change their mind later through a settings link.
• Keep a record of consent where your tool supports it.

A common mistake

Many sites install a banner that displays a notice but never actually blocks the scripts. Check that your consent tool holds tracking back until consent is given. If analytics fires on page load regardless of the banner, you are not compliant.

Balancing compliance and experience

A good banner is clear and quick to dismiss either way. Burying Reject behind extra clicks frustrates visitors and draws regulator attention. Treat consent as a normal part of a respectful site, not a hurdle.