What Are the UK GDPR Cookie Consent Requirements?
Everything you need to know about UK GDPR cookie consent compliance in 2026. Complete guide covering opt-in consent requirements, cookie banner elements, consent records, and technical implementation for United Kingdom.
Summary
This guide provides comprehensive technical implementation requirements for UK (UK GDPR + PECR). PECR governs cookies; UK GDPR governs personal data.
This jurisdiction requires an opt-in consent model (prior consent), meaning websites must obtain explicit user consent before placing non-essential cookies or similar tracking technologies. Users must actively accept cookies through clear consent mechanisms.
Additional requirements for this jurisdiction include: providing consent banners and privacy information in all required languages, and special protections and consent mechanisms for children's personal data.
Website owners and operators subject to these regulations must implement compliant cookie consent banners, maintain proper consent records, and ensure their tracking technologies respect user privacy choices. This guide outlines all technical requirements needed to achieve compliance.
Key Requirements Overview
Technical Requirements
Required Banner Elements
First Layer (Cookie Banner)
- Concise Purpose Summary
- Accept All Button
- Reject All Button Or Link
- Manage Preferences Button
- Link Privacy Policy
Second Layer (Preferences Modal)
- Granular Purpose Toggles
- Vendor List If Applicable
- Retention Periods If Known
Implementation Guidance
As of Data (Use and Access) Act 2025, first-party analytics cookies for site improvement may be exempt from consent. However, third-party tracking and advertising cookies still require opt-in consent. "Reject All" button must be equally prominent to "Accept All". Higher fines now apply: up to £17.5M or 4% global turnover for PECR violations.
Special Protections
Children's Privacy
Age Appropriate Design Code (Children's Code) requires heightened protections for services likely to be accessed by children. No behavioral advertising cookies without clear necessity. Parental consent required for under-13. High privacy settings by default for child users.
Sensitive Data
Consent or other lawful basis as applicable
Record Keeping Requirements
Required Consent Record Fields
For each consent action, you must maintain records containing:
- Timestamp ISO
- User Choices By Purpose
- Policy Version
- Jurisdiction Detected
CookieChimp handles all of this automatically. Our platform maintains comprehensive consent records including all required fields, timestamps, consent strings, IP addresses, user agents, and more. Records are securely stored and easily exportable for compliance audits. Learn more about our consent management
Exempt Cookie Types
The following types of cookies are typically exempt from consent requirements:
Legal References & Resources
Official legal documents and regulatory guidance for this jurisdiction:
Frequently Asked Questions About UK GDPR Cookie Consent
Found an issue or have feedback on this page?
Explore Other Jurisdictions
View All
EU (GDPR + ePrivacy Directive Art. 5(3))
EU/EEA
ePrivacy governs cookies; GDPR governs personal data.
Switzerland (FADP + TCA)
Switzerland
Hybrid model: some cookies allowed under legitimate interest; profiling/marketing require consent. Opt-out always required.
Netherlands (Telecommunicatiewet + GDPR)
Netherlands
The Dutch Telecommunications Act (Telecommunicatiewet) Art. 11.7a implements the EU ePrivacy Directive. Consent required before placing non-essential cookies. GDPR applies in parallel for personal data processing. Enforced by Autoriteit Persoonsgegevens (Dutch DPA) and ACM.