Skip to main content
Vantyris

Privacy

UK cookie consent: the ICO rule most sites ignore.

Published 2026-04-15 · Last updated 2026-04-15 · Vantyris editorial

Under UK PECR + UK-GDPR, you cannot set non-essential cookies (analytics, advertising, A/B testing) on a visitor's device before they've actively consented. Most cookie banners on UK SME sites violate this rule openly: they load Google Analytics on page-load, show a banner asking to 'accept cookies', and the analytics already fired before the visitor saw the banner. The ICO has been increasingly active on this since 2023; the fix is a configuration change, not a redesign.

What this means for your business

How to fix

Block all non-essential trackers from loading until the visitor clicks Accept. Make Reject as easy as Accept. Document the consent decision so the visitor's later browser sessions remember it.

  1. List every script that needs consent. Google Analytics + Google Tag Manager (analytics + advertising). Facebook Pixel. LinkedIn Insight Tag. Hotjar / FullStory / Microsoft Clarity (session recording). Stripe.js (if it sets persistent identifiers, mostly NOT — Stripe is considered essential for payment). Chat widgets (Intercom, Drift) — usually need consent. Mailchimp / HubSpot popups — usually need consent.
  2. Move every consent-required script behind a gate. The simplest implementation: wrap each script tag in a check against a 'consent: granted' state in localStorage. Don't render the script until that state is true. Frameworks like CookieYes, Cookiebot, and Osano handle this for you; or build a 30-line implementation yourself if you only have 2-3 trackers (see Vantyris's own ConsentBanner.tsx for the pattern).
  3. Build a banner with equal-weighted Accept and Reject buttons. Two buttons, identical styling, both visible at first paint. No pre-tick. No 'X' close button that bypasses the decision. If the visitor leaves without choosing, the state stays 'not yet decided' and the banner returns on next visit; non-essential trackers stay off.
  4. Add a 'Manage cookies' link in the footer. Visitors must be able to change their consent later. A footer link that re-opens the banner is the cleanest pattern. Required by UK PECR; required by GDPR Article 7's 'right to withdraw consent'.
  5. Document and surface your privacy policy. The consent banner must link to a privacy policy that names every processor (Google, Facebook, etc.), the legal basis (consent for analytics, contract for essential), and what each one receives. The ICO checks this when investigating.

Owner: Your developer, or your CMS administrator if your CMS has a consent-management plugin. · Time: 1-2 hours for a typical small business site with 2-5 trackers.

Common gotchas

How to verify the fix

Open your site in an incognito browser window. Open DevTools → Network. Reload. Before clicking anything on the banner, look at the Network tab: any request to google-analytics.com, facebook.com, doubleclick.net, or similar means a non-essential tracker fired pre-consent. Vantyris's Privacy category checks for this exact pattern.

Common follow-up questions

Is the ICO actually enforcing this against small businesses?

Increasingly yes. The ICO ran a major sweep in 2023 targeting the top 100 UK websites; complaints against SMEs are reviewed individually. Fines for SMEs are typically not financial — they're enforcement notices requiring you to fix it within a deadline — but ignoring a notice escalates fast.

What about visitors from outside the UK?

EU visitors are covered by ePrivacy + EU-GDPR (essentially the same rules, sometimes stricter in member states). US visitors aren't covered by GDPR but California, Virginia, Colorado, and several other states have similar consent rules. The safest default: apply UK-GDPR-grade consent to all visitors.

Can I show different banners to different jurisdictions?

Yes, geo-IP-based banners are common. The implementation is more complex; most SMEs find it easier to apply the strictest standard universally.

Does our chat widget really need consent?

If the widget fingerprints the visitor, persists state across sessions, or tracks them across sites: yes. If it's a simple stateless form-style widget that only activates on click: no, that's essential interaction. Read the vendor's documentation; most modern chat widgets are tracking by default.

References

Related explainers

Want Vantyris to scan your domain for this and 80 other findings?

Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.

Editorial

Vantyris editorial team · methodology v1.0.0