Most people have heard of GDPR. Fewer have heard of PECR. But if your website sets cookies — and almost every website does — it is PECR, not GDPR, that governs what you need to do.
PECR stands for the Privacy and Electronic Communications Regulations 2003. It predates GDPR by 15 years but was updated several times, most recently to align with the EU's e-Privacy Directive. Post-Brexit, the UK version of PECR remains in force and is enforced by the ICO alongside UK GDPR.
What PECR actually requires
The key rule under PECR Regulation 6 is this: before you set any cookie (or similar technology) that is not strictly necessary, you must:
- Tell the user clearly what cookies you are setting and why
- Obtain their prior consent
This is stricter than many people realise. Consent must come before the cookies are set. Not after the page loads. Not buried in a footer link. Before.
Common mistake: Many UK websites still show a cookie banner that says "By continuing to use this site you accept cookies." This does not constitute valid consent under PECR. Continued browsing is not an affirmative action.
What counts as strictly necessary?
PECR exempts cookies that are "strictly necessary" for a service explicitly requested by the user. In practice this means:
- Session cookies that keep you logged in during a checkout
- Cookies that store what is in a shopping basket
- Load-balancing cookies that have no personal data
- Security cookies used to detect authentication fraud
What is not strictly necessary includes virtually all analytics (Google Analytics, Hotjar), advertising trackers, social media pixels, and many "preference" cookies. These all require consent.
What valid consent looks like
The ICO's guidance (updated in 2023) sets out what counts as valid consent for cookies:
- Freely given: No penalty for refusing. A cookie wall that denies access unless you accept is generally not compliant.
- Specific: Users should be able to accept analytics cookies without accepting advertising cookies. Granularity matters.
- Informed: Users need to know what they are consenting to, which categories, and who the third parties are.
- Unambiguous affirmative action: Clicking "Accept" or toggling an on switch. Pre-ticked boxes are not valid.
The "legitimate interests" myth
Some cookie banner providers suggest that analytics cookies can be set under "legitimate interests" without consent. This is wrong for PECR. Legitimate interests is a legal basis under UK GDPR, but PECR has its own separate consent requirement that operates independently. The ICO has been clear: if it is not strictly necessary, you need consent. Full stop.
ICO enforcement: In 2023 the ICO wrote to the top 200 UK websites warning them about non-compliant cookie banners. Several received enforcement notices. The ICO has stated it will continue this work across smaller sites. A complaint from a single user can trigger an investigation.
What your Cookie Policy needs to say
Beyond the banner, you also need a written Cookie Policy. It should explain:
- What cookies your site sets (name, purpose, duration)
- Which are strictly necessary vs. optional
- How users can withdraw consent
- Any third-party cookies and links to those parties' policies
A Cookie Policy and a Privacy Policy are separate documents that serve different purposes. Most websites need both.
Practical steps for your website
If you are starting from scratch or auditing an existing site:
- Audit what cookies your site actually sets (browser DevTools → Application → Cookies)
- Categorise them: strictly necessary vs. functional vs. analytics vs. advertising
- If you have any non-essential cookies, implement a proper consent mechanism
- Make sure your consent banner has a genuine "Reject all" option at the same level as "Accept all"
- Document your Cookie Policy and link to it from your banner
If your site only uses essential cookies: You still need to inform users in a cookie notice. You do not need consent, but you need transparency. A simple banner saying "we use only essential session cookies" that users can dismiss is sufficient.
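The steps above describe how a compliant consent mechanism has to behave: nothing optional runs before an explicit choice, categories are granular, "Reject all" is as easy as "Accept all", consent can be withdrawn, and the banner's decisions are backed by an audited cookie registry. The following is an added example, not code from the article or from any consent-management product, showing that logic as a small plain-JavaScript module. All function names are hypothetical, and the cookie registry and sample cookie string are constructed data standing in for the output of your own audit.

```javascript
// Added example (not from the article): a minimal cookie-consent gate.
// Function names are hypothetical; COOKIE_REGISTRY is constructed sample data.

const CATEGORIES = ["necessary", "functional", "analytics", "advertising"];

// The kind of table a cookie audit produces: name, category, purpose, duration,
// and third party. Entries here are illustrative only.
const COOKIE_REGISTRY = {
  session_id: { category: "necessary", purpose: "keeps the user logged in", duration: "session" },
  basket: { category: "necessary", purpose: "shopping basket contents", duration: "session" },
  ui_theme: { category: "functional", purpose: "remembers the chosen theme", duration: "1 year" },
  _ga: { category: "analytics", purpose: "visitor id for analytics", duration: "2 years", thirdParty: "Google" },
  _fbp: { category: "advertising", purpose: "advertising pixel", duration: "3 months", thirdParty: "Meta" },
};

// Starting state: no decision yet, so only strictly necessary cookies may run.
function initialConsent() {
  return { decided: false, necessary: true, functional: false, analytics: false, advertising: false };
}

// Record an affirmative choice. A category is enabled only when the user set it
// to the boolean true; anything missing or truthy-but-not-true counts as refused,
// so there are no pre-ticked boxes and no opt-out-by-default.
function recordChoice(state, choices) {
  const next = { ...state, decided: true, necessary: true };
  for (const cat of CATEGORIES) {
    if (cat !== "necessary") next[cat] = choices[cat] === true;
  }
  return next;
}

function acceptAll(state) {
  return recordChoice(state, { functional: true, analytics: true, advertising: true });
}

// "Reject all" is a single call, at the same level as "Accept all".
function rejectAll(state) {
  return recordChoice(state, {});
}

// Withdrawal returns to the undecided state, so the banner is shown again.
function withdrawConsent() {
  return initialConsent();
}

// A category may run only after an explicit decision that enabled it.
// Scrolling or continuing to browse never changes the state, so it never passes.
function mayRun(state, category) {
  if (category === "necessary") return true;
  return state.decided === true && state[category] === true;
}

// Ids of the tags (analytics script, pixel, ...) that the state permits loading.
function permittedTags(state, tags) {
  return tags.filter((t) => mayRun(state, t.category)).map((t) => t.id);
}

// Cookies currently present that the state does not permit. After a reject or a
// withdrawal these should be expired (for example Set-Cookie with Max-Age=0).
// A cookie not in the registry is treated as unpermitted.
function cookiesToClear(state, cookieNames) {
  return cookieNames.filter((name) => {
    const entry = COOKIE_REGISTRY[name];
    return entry ? !mayRun(state, entry.category) : true;
  });
}

// Parse a document.cookie-style string ("a=1; b=2") and classify each name
// against the registry, so undocumented cookies stand out in an audit.
function auditCookies(cookieString) {
  const names = cookieString
    .split(";")
    .map((part) => part.trim().split("=")[0])
    .filter((name) => name.length > 0);
  const result = { necessary: [], functional: [], analytics: [], advertising: [], unknown: [] };
  for (const name of names) {
    const entry = COOKIE_REGISTRY[name];
    (entry ? result[entry.category] : result.unknown).push(name);
  }
  return result;
}

// Stand-alone walk-through on constructed input (runs under Node as a script).
if (typeof require !== "undefined" && require.main === module) {
  const tags = [{ id: "ga4", category: "analytics" }, { id: "pixel", category: "advertising" }];
  let state = initialConsent();
  console.log("before any decision:", permittedTags(state, tags));
  state = recordChoice(state, { analytics: true });
  console.log("analytics accepted, advertising refused:", permittedTags(state, tags));
  console.log("audit:", auditCookies("session_id=abc; _ga=GA1.2.1; _fbp=fb.1; tracker_x=1"));
  console.log("to clear after reject:", cookiesToClear(rejectAll(state), ["session_id", "_ga", "_fbp", "tracker_x"]));
}
```

The design point is that the gate is the only path to loading a non-essential tag: every loader asks `mayRun` first, and `mayRun` answers yes only from a recorded decision, never from page load, scrolling, or a default. The `auditCookies` result is what you compare against your written Cookie Policy; anything in `unknown` is a cookie the policy does not yet document.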