Guide to UK (UK GDPR + PECR) Cookie Consent Compliance

Complete technical implementation guide for United Kingdom privacy regulations. Learn about consent requirements, banner elements, record keeping, and technical specifications.

Opt-in Translation Required Children's Privacy Rules Cookie Walls Restricted

Summary

This guide provides comprehensive technical implementation requirements for UK (UK GDPR + PECR). PECR governs cookies; UK GDPR governs personal data.

This jurisdiction requires an opt-in consent model (prior consent), meaning websites must obtain explicit user consent before placing non-essential cookies or similar tracking technologies. Users must actively accept cookies through clear consent mechanisms.

Additional requirements for this jurisdiction include: providing consent banners and privacy information in all required languages, and special protections and consent mechanisms for children's personal data.

Website owners and operators subject to these regulations must implement compliant cookie consent banners, maintain proper consent records, and ensure their tracking technologies respect user privacy choices. This guide outlines all technical requirements needed to achieve compliance.

Key Requirements Overview

Consent Model

Opt-in (Prior Consent)

Consent Lifespan

6 months

Default State

Off (Non-Essential Cookies)

Cookie Walls

Restricted

Technical Requirements

Prior consent for non-essential cookies

Purpose granularity required

Equal prominence for accept/reject buttons

No pre-checked boxes allowed

Dark patterns prohibited

Proof of consent required

Local storage covered by regulation

Implementation Guidance

As of Data (Use and Access) Act 2025, first-party analytics cookies for site improvement may be exempt from consent. However, third-party tracking and advertising cookies still require opt-in consent. "Reject All" button must be equally prominent to "Accept All". Higher fines now apply: up to £17.5M or 4% global turnover for PECR violations.

Special Protections

Children's Privacy

Age Appropriate Design Code (Children's Code) requires heightened protections for services likely to be accessed by children. No behavioral advertising cookies without clear necessity. Parental consent required for under-13. High privacy settings by default for child users.

Sensitive Data

Consent or other lawful basis as applicable

Record Keeping Requirements

Required Consent Record Fields

For each consent action, you must maintain records containing:

Timestamp ISO
User Choices By Purpose
Policy Version
Jurisdiction Detected

Retention Period: 18 months minimum

Re-consent Trigger: New Purpose Or Material Change

CookieChimp handles all of this automatically. Our platform maintains comprehensive consent records including all required fields, timestamps, consent strings, IP addresses, user agents, and more. Records are securely stored and easily exportable for compliance audits. Learn more about our consent management

Exempt Cookie Types

The following types of cookies are typically exempt from consent requirements:

Strictly Necessary

Security Fraud Prevention

Load Balancing

First Party Analytics For Site Improvement

Legal References & Resources

Official legal documents and regulatory guidance for this jurisdiction:

UK GDPR

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/

PECR (Privacy and Electronic Communications Regulations)

https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/

Data (Use and Access) Act 2025

https://www.legislation.gov.uk/

Legal Disclaimer: For engineering implementation guidance only. Not legal advice. This guide provides technical implementation guidance only and should not be considered legal advice. Privacy laws are complex and frequently updated. We recommend consulting with qualified legal counsel to ensure full compliance with applicable regulations.