BLS Stay Compliant


Internet cookies and data protection – what do you need to know?

In the UK, data protection law and internet cookies are closely linked because cookies can involve the collection and use of personal data.  

Cookies are small pieces of data that a website asks the browser to store on a user's device. They are used for everything from remembering what is in a shopping basket to tracking browsing behaviour across many websites. The key point for internet cookies and data protection is that if a cookie, or the identifier it carries, can single out an individual directly or indirectly (e.g. via an IP address, device ID or other unique identifier), then the information collected through it is personal data under UK data protection legislation.

Several areas of data protection legislation in the UK apply to the use of cookies on websites.

These include:

  • Privacy and Electronic Communications Regulations (PECR) 

PECR sets out specific rules about storing or accessing information on a user’s device, which includes most cookies. In general, websites must: 

  • Tell people if cookies are being used, 
  • Explain what the cookies do and why, and 
  • Get the user’s consent before placing non-essential cookies. 

Essential cookies, i.e. those strictly necessary for a service the user has asked for, such as keeping products in a shopping basket, do not require consent, although users should still be told that they are used and what they do.

  • The UK General Data Protection Regulation (GDPR) / Data Protection Act 2018 

If cookies involve the processing of personal data, the UK GDPR principles apply, meaning websites must:

  • Have a lawful basis for processing (usually consent for tracking/analytics cookies) 
  • Keep the data secure and protected 
  • Be transparent about what is collected and how it is used
  • Respect the rights of users with regards to their personal data as with any other data held (e.g. right to withdraw consent, access data, erasure). 

Most UK websites now use cookie banners and cookie policies to explain what data is collected and what the cookies are used for, and to let users opt in or opt out, giving them control and transparency over how their online activity is tracked.

What is a cookie banner?

“We use cookies to improve your experience, personalise content, and show relevant ads. You can accept all cookies, reject non-essential cookies, or manage your settings.” 

A cookie banner is the usual way of meeting the PECR requirement for consent before non-essential cookies (such as tracking or advertising cookies) are placed; PECR does not prescribe the banner itself, but it does require that consent is obtained first. If a user accepts all cookies, the site may then place analytics and advertising cookies that track the pages visited, how long a user spends on the website and any advertising the user clicked on. This is often combined with third-party advertising networks, which use algorithms and tracking to personalise adverts based on a user's website visits.

To do this, organisations collect IP addresses, device IDs and browsing habits through cookies. That is personal data, so the UK GDPR/Data Protection Act 2018 applies alongside PECR.

What must organisations do to comply with UK data protection legislation in reference to cookies? 

First and foremost, there must be a clear, updated and secure record of consent. A clear privacy/cookie policy must be easily accessible explaining what data is collected, who it is shared with (e.g. advertisers), how long it is kept and the rights of individuals using the website – as well as how to exercise these rights (such as withdrawing consent).

If a user rejects non-essential cookies, they should still be able to use the website as normal, with potentially less personalised features, and no tracking or advertising cookies should be placed on their device. Nothing non-essential should be set before the user has made a choice either: pre-ticked boxes or simply continuing to browse do not count as consent.
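As an added illustration (not BLS Stay Compliant's code, and not a recommendation of any particular consent tool), the following is the logic a cookie banner's script needs behind its buttons to meet the obligations above: no non-essential cookie is set until a choice has been recorded, rejecting takes exactly the same single action as accepting, the consent record carries a timestamp and policy version so that a changed policy triggers fresh consent, withdrawal purges the optional cookies, and a small audit helper reports any cookie on the device that is not on the strictly-necessary list. The names used (ConsentManager, cookie_consent, analytics_id, ad_id) are assumptions for the example; the in-memory jar stands in for document.cookie so that it runs outside a browser.

```javascript
// Added example, not BLS Stay Compliant's code. ConsentManager, CONSENT_COOKIE and the
// cookie names are assumed for illustration. memoryJar() stands in for document.cookie
// so the logic runs in Node; in a browser, back get/set/remove with document.cookie.

const CONSENT_COOKIE = "cookie_consent"; // assumed name of the consent record
const POLICY_VERSION = "2025-01";        // change whenever the cookie policy changes

// Which cookies belong to which category. Only "necessary" may be set before a
// choice is made (the PECR strictly-necessary exemption: session, basket, and the
// consent record itself). The optional names are assumptions, not real tag names.
const COOKIE_CATEGORIES = {
  necessary: ["session_id", "basket", CONSENT_COOKIE],
  analytics: ["analytics_id"],
  advertising: ["ad_id"],
};
const OPTIONAL = Object.keys(COOKIE_CATEGORIES).filter((c) => c !== "necessary");

// Minimal cookie jar exposing the operations document.cookie gives you.
function memoryJar() {
  const store = new Map();
  return {
    get: (name) => (store.has(name) ? store.get(name).value : undefined),
    set: (name, value, opts = {}) => store.set(name, { value, ...opts }),
    remove: (name) => store.delete(name),
    names: () => [...store.keys()],
  };
}

// Audit helper: which cookies on the device are NOT strictly necessary?
// Run it on a fresh page load before any choice; it must return [].
function nonEssentialCookies(jar) {
  const necessary = new Set(COOKIE_CATEGORIES.necessary);
  return jar.names().filter((n) => !necessary.has(n)).sort();
}

class ConsentManager {
  constructor(jar, now = () => new Date()) {
    this.jar = jar;
    this.now = now; // injectable clock so the consent timestamp is testable
    this.loaders = Object.fromEntries(OPTIONAL.map((c) => [c, []]));
    this.started = new Set(); // categories whose loaders have already run
  }

  // Register code that must not run until its category is consented to,
  // e.g. () => injectScript("https://analytics.example/tag.js").
  onConsent(category, fn) {
    if (!this.loaders[category]) throw new Error(`unknown category ${category}`);
    this.loaders[category].push(fn);
  }

  // The stored record, or null if absent, unparseable, or from an older policy
  // version (a material change to the policy needs fresh consent).
  record() {
    const raw = this.jar.get(CONSENT_COOKIE);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      return rec.version === POLICY_VERSION ? rec : null;
    } catch {
      return null;
    }
  }

  hasConsent(category) {
    const rec = this.record();
    return Boolean(rec && rec.choices[category] === true);
  }

  // "Accept all" and "reject all" are each a single call: rejecting is no harder
  // than accepting, which is what the ICO asked the most-visited UK sites to fix.
  acceptAll() { return this.save(Object.fromEntries(OPTIONAL.map((c) => [c, true]))); }
  rejectAll() { return this.save(Object.fromEntries(OPTIONAL.map((c) => [c, false]))); }

  // Persist the choice with timestamp and policy version (the consent record), then enforce it.
  save(choices) {
    const rec = { version: POLICY_VERSION, timestamp: this.now().toISOString(), choices };
    this.jar.set(CONSENT_COOKIE, JSON.stringify(rec),
      { maxAge: 180 * 24 * 3600, sameSite: "Lax", secure: true });
    this.apply();
    return rec;
  }

  // Withdrawal is a user right: drop the record and purge every optional cookie.
  // (A real page usually reloads here, since a loaded third-party tag cannot be unloaded.)
  withdraw() {
    this.jar.remove(CONSENT_COOKIE);
    this.started.clear();
    this.apply();
  }

  // Enforce the current record: start consented categories once, and remove the
  // cookies of any category without consent (covers reject, withdrawal and stale records).
  apply() {
    for (const category of OPTIONAL) {
      if (this.hasConsent(category)) {
        if (!this.started.has(category)) {
          this.started.add(category);
          this.loaders[category].forEach((fn) => fn());
        }
      } else {
        COOKIE_CATEGORIES[category].forEach((n) => this.jar.remove(n));
      }
    }
  }
}
```

The quickest practical check of a live site is the same as the audit helper: load the page with no interaction and list every cookie that is not on the strictly-necessary list. Anything that appears is a tag firing before consent, which is exactly the behaviour the ICO has been writing to organisations about.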

What if organisations don’t comply? 

In the UK, the Information Commissioner’s Office (ICO) enforces data protection legislation. The ICO investigates complaints (e.g. from users or privacy campaigners) and carries out audits, issuing enforcement notices, penalties or further action for any organisations deemed not to be complying with data protection legislation.  

Consequences under PECR

If an organisation is found to have breached PECR, the ICO can take action through criminal prosecution, non-criminal enforcement, audits and monetary penalties. A monetary penalty notice can currently be up to £500,000, issued against an organisation or its directors.

Consequences under UK GDPR 

If cookies involve personal data and the website processes it unlawfully, such as by tracking without consent or failing to respect opt-outs, the ICO can enforce penalties under UK GDPR.  

These include orders to stop processing data, forcing the website to delete improperly collected data and fines of up to £17.5 million or 4% of global annual turnover (whichever is higher). 

In November 2023, the ICO wrote to the organisations running many of the UK's most-visited websites, warning of enforcement action if they did not change how advertising cookies were handled. Clear guidance was given about a simple user journey for cookies, with 'reject all' to be as easy to select as 'accept all'. It continues to be one of the ICO's key areas of interest, with the 2025 online tracking strategy viewable here.

What should an organisation do to be clear with cookie policies?  

Aside from the legal requirement to comply, bad cookie practices can damage public trust, leading to reputational harm and lost sales, particularly online.

Being transparent about cookies is key. A clearly visible cookie banner with equally prominent 'accept', 'reject' and 'manage' choices, backed by detailed cookie and privacy policies, reflects best practice.

If a UK website ignores cookie and data protection rules, it risks ICO enforcement, fines (from thousands to millions), and being forced to stop using the data collected. Many of our clients request this work to be outsourced, ensuring that the cookie policy and cookie banners are always up to date and in line with ICO guidance.  

This is a service BLS Stay Compliant can offer as part of a managed service, meaning we can manage some or all of an organisation's data protection compliance. If this is something that may be of interest, click here for more details or feel free to get in touch for a no-obligation discussion.
