Privacy
UK cookie consent: the ICO rule most sites ignore.
Published 2026-04-15 · Last updated 2026-04-15 · Vantyris editorial
Under UK PECR + UK-GDPR, you cannot set non-essential cookies (analytics, advertising, A/B testing) on a visitor's device before they've actively consented. Most cookie banners on UK SME sites violate this rule openly: they load Google Analytics on page-load, show a banner asking to 'accept cookies', and the analytics already fired before the visitor saw the banner. The ICO has been increasingly active on this since 2023; the fix is a configuration change, not a redesign.
What this means for your business
- Cookie consent under UK PECR + UK-GDPR is opt-in, not opt-out. The visitor must take an affirmative action (click 'Accept') before the non-essential tracking fires. Pre-ticked boxes don't count. Dark patterns ('Accept' button styled prominent, 'Reject' hidden in small text) don't count.
- Essential cookies are exempt. A session cookie keeping the visitor logged in, a CSRF token, a basket-state cookie for an e-commerce flow — these don't need consent. Analytics, advertising pixels, A/B testing, third-party social widgets, chat widgets that fingerprint the visitor: all of these need explicit consent first.
- The ICO's specific guidance: the Accept and Reject buttons must be equally weighted (same visual prominence, same number of clicks, both above the fold). Visitors who close the banner without choosing should be treated as having rejected.
How to fix
Block all non-essential trackers from loading until the visitor clicks Accept. Make Reject as easy as Accept. Document the consent decision so the visitor's later browser sessions remember it.
- List every script that needs consent. Google Analytics + Google Tag Manager (analytics + advertising). Facebook Pixel. LinkedIn Insight Tag. Hotjar / FullStory / Microsoft Clarity (session recording). Stripe.js (if it sets persistent identifiers, mostly NOT — Stripe is considered essential for payment). Chat widgets (Intercom, Drift) — usually need consent. Mailchimp / HubSpot popups — usually need consent.
- Move every consent-required script behind a gate. The simplest implementation: wrap each script tag in a check against a 'consent: granted' state in localStorage. Don't render the script until that state is true. Frameworks like CookieYes, Cookiebot, and Osano handle this for you; or build a 30-line implementation yourself if you only have 2-3 trackers (see Vantyris's own ConsentBanner.tsx for the pattern).
- Build a banner with equal-weighted Accept and Reject buttons. Two buttons, identical styling, both visible at first paint. No pre-tick. No 'X' close button that bypasses the decision. If the visitor leaves without choosing, the state stays 'not yet decided' and the banner returns on next visit; non-essential trackers stay off.
- Add a 'Manage cookies' link in the footer. Visitors must be able to change their consent later. A footer link that re-opens the banner is the cleanest pattern. Required by UK PECR; required by GDPR Article 7's 'right to withdraw consent'.
- Document and surface your privacy policy. The consent banner must link to a privacy policy that names every processor (Google, Facebook, etc.), the legal basis (consent for analytics, contract for essential), and what each one receives. The ICO checks this when investigating.
Owner: Your developer, or your CMS administrator if your CMS has a consent-management plugin. · Time: 1-2 hours for a typical small business site with 2-5 trackers.
Common gotchas
- Don't use a consent-management platform that pre-ticks the accept boxes; that violates UK-GDPR even though the platform claims compliance.
- Don't redirect users who reject to a different version of the site, or block them from the content. The ICO calls this 'cookie wall' and explicitly disallows it for general-purpose sites (some specific contexts allow it, but not most SME marketing sites).
- Watch out for indirect trackers: Google Fonts loaded directly from googleapis.com sends visitor IPs to Google, which is itself a transfer requiring consent under some interpretations. Self-host fonts, or use Cloudflare's privacy-respecting font CDN.
- Vantyris itself follows the rule we're describing. Look at our consent banner for the reference implementation; we wrote it the same way we'd advise any UK SME to.
How to verify the fix
Open your site in an incognito browser window. Open DevTools → Network. Reload. Before clicking anything on the banner, look at the Network tab: any request to google-analytics.com, facebook.com, doubleclick.net, or similar means a non-essential tracker fired pre-consent. Vantyris's Privacy category checks for this exact pattern.
Common follow-up questions
Is the ICO actually enforcing this against small businesses?
Increasingly yes. The ICO ran a major sweep in 2023 targeting the top 100 UK websites; complaints against SMEs are reviewed individually. Fines for SMEs are typically not financial — they're enforcement notices requiring you to fix it within a deadline — but ignoring a notice escalates fast.
What about visitors from outside the UK?
EU visitors are covered by ePrivacy + EU-GDPR (essentially the same rules, sometimes stricter in member states). US visitors aren't covered by GDPR but California, Virginia, Colorado, and several other states have similar consent rules. The safest default: apply UK-GDPR-grade consent to all visitors.
Can I show different banners to different jurisdictions?
Yes, geo-IP-based banners are common. The implementation is more complex; most SMEs find it easier to apply the strictest standard universally.
Does our chat widget really need consent?
If the widget fingerprints the visitor, persists state across sessions, or tracks them across sites: yes. If it's a simple stateless form-style widget that only activates on click: no, that's essential interaction. Read the vendor's documentation; most modern chat widgets are tracking by default.
References
- ICO: Cookies and similar technologies NCSC
- ICO: Direct marketing and privacy NCSC
- European Data Protection Board guidelines on consent Vendor
Related explainers
Want Vantyris to scan your domain for this and 80 other findings?
Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.
Vantyris editorial team · methodology v1.0.0