ConsentPixel – Privacy · Verified

UK Cookie Compliance · PECR + UK GDPR

UK Cookie Law Just Got Significantly More Serious.

PECR fines rose from £500,000 to £17.5 million under the Data Use and Access Act. The ICO finalised new tracking technology guidance in April 2026. ConsentPixel handles PECR, UK GDPR, and Google Consent Mode v2 — one pixel, no developer required.

Feb 5, 2026

PECR fines raised to £17.5M — up 35× from £500K. The Data Use and Access Act aligned PECR penalties with UK GDPR enforcement levels.

Apr 29, 2026

ICO finalised new SAT guidance — now explicitly covers tracking pixels, fingerprinting, scripts, and tags. Not just HTTP cookies.

Feb 5, 2026

3 new cookie exemptions added — statistical, appearance, and emergency. Google Analytics still requires consent. Advertising pixels still require consent.

£17.5M
Maximum PECR fine under the DUAA — up from £500,000 since Feb 2026
1,000
UK websites the ICO wrote to in January 2025 about cookie non-compliance
Apr 2026
ICO finalised new guidance — explicitly covering pixels, fingerprinting, scripts
Before
Same standard as GDPR — consent must precede every non-essential tracking request
UK legal framework

PECR and UK GDPR: Two Laws, One Regulator

UK cookie compliance sits at the intersection of two statutes enforced by the ICO. Understanding both is essential — getting one right without the other leaves you exposed.

PECR · Privacy and Electronic Communications Regulations 2003

Creates the consent requirement

PECR Regulation 6 is the specific law that requires consent before any non-essential cookie or tracking technology accesses a visitor's device. It derives from the EU's ePrivacy Directive 2002/58/EC, which the UK retained post-Brexit. The strictly necessary exemption is narrow — it covers only what's genuinely required to deliver the service the visitor explicitly requested. Analytics are not strictly necessary. Advertising pixels are not strictly necessary.

The Data Use and Access Act 2025 raised maximum PECR fines to £17.5M or 4% of global turnover from February 2026. The ICO April 2026 guidance expanded PECR's scope to explicitly cover tracking pixels, device fingerprinting, scripts, tags, and link decoration — not just HTTP cookies.

Governs: when consent is needed
UK GDPR · UK General Data Protection Regulation (Data Protection Act 2018)

Defines what valid consent looks like

UK GDPR applies when cookies and tracking technologies process personal data — which analytics and advertising trackers always do, since they transmit IP addresses and device identifiers. UK GDPR defines the quality of consent: freely given, specific, informed, and unambiguous. Reject must be as easy as accept. No pre-ticked boxes. Continued browsing is not consent. Consent must be documented with timestamps.

Both laws are enforced by the ICO. Both must be satisfied simultaneously — PECR governs when consent is needed, UK GDPR governs the quality and documentation of that consent.

Governs: what valid consent means
DUAA new exemptions

New Exemptions — and What They Don't Cover

Three new PECR cookie exemptions came into force February 5, 2026. Commonly misunderstood. Google Analytics, Meta Pixel, and LinkedIn Tag all still require consent.

✓ New exemption — no consent needed

Statistical purposes

First-party analytics whose sole purpose is collecting data about how the service is used, with a view to making improvements. Data must stay with the website operator — not shared with any third party. Users must be given a simple, free means of objecting. Does not cover third-party analytics tools.

✓ New exemption — no consent needed

Website appearance

Cookies that remember viewing preferences — language, dark mode, layout. Must adapt the service to the user's own device preferences, not to their browsing history or interests. Personalisation based on past behaviour is not covered by this exemption.

✓ New exemption — narrow scope

Emergency assistance

Cookies used to ascertain user location solely to provide emergency assistance. Applies to safety-critical services only. Not relevant to commercial websites, media, or eCommerce.

✗ Still requires consent

Google Analytics / GA4

GA4 sends data to Google's servers — that's third-party data sharing, not first-party statistical purposes. The statistical exemption explicitly requires data to remain with the website operator. GA4 does not qualify. Consent is still required for GA4 under PECR.

✗ Still requires consent

Meta, TikTok, LinkedIn pixels

All advertising pixels transmit data to third-party servers for commercial purposes. No exemption covers cross-site or cross-device tracking of any kind. The ICO's April 2026 guidance is explicit: advertising and profiling purposes still require consent.

✗ Still requires consent

Analytics feeding advertising

The statistical exemption applies only where cookies are used "solely" for statistical purposes. If your analytics tool also feeds advertising targeting, A/B testing audiences, or conversion tracking, it cannot rely on the exemption. Mixed-purpose deployments require consent for everything.

The ICO's compliance test

How the ICO Actually Checks Compliance

The ICO's method is straightforward: visit the site in a fresh browser session and watch the network tab. If third-party tracking requests appear before any consent interaction — non-compliant. This is the same test ConsentPixel runs for free on any URL.

✗ Non-compliant — what the ICO finds
// Fresh browser session · no cookies · no consent given
// Banner visible on screen...

→ connect.facebook.net/en_GB/fbevents.js
Status: 200 · Initiated by: pixel-code.js
→ www.googletagmanager.com/gtag/js?id=G-XXX
Status: 200 · Initiated by: head script
→ snap.licdn.com/li.lms-analytics/insight.min.js
Status: 200 · Initiated by: tag manager

// FAIL: 3 third-party trackers fired before consent
// PECR violation · ICO compliance letter likely
✓ Compliant — what ConsentPixel delivers
// Fresh browser session · no cookies · no consent given
// Banner visible on screen...

→ edge.consentpixel.com/pixel.js
Status: 200 · CMP loading ✓
→ [no further third-party requests]

// Visitor clicks "Accept all"...
// Consent logged with timestamp ✓
→ connect.facebook.net/en_GB/fbevents.js
→ www.googletagmanager.com/gtag/js?id=G-XXX
→ snap.licdn.com/li.lms-analytics/insight.min.js

// PASS: Zero pre-consent requests · ICO compliant
Quick reference

What Needs Consent Under UK Law

ConsentPixel for UK sites

Everything PECR + UK GDPR Compliance Requires

Built for the technical standard the ICO actually enforces — not just what passes a visual inspection.

Script-level blocking before consent

Zero third-party requests before visitor choice. Passes the ICO's network tab test on first visit. No banner-while-scripts-load gap.

Equal Accept / Reject prominence

PECR and UK GDPR require Reject to be as visible as Accept on the first layer. ConsentPixel banners are built to this standard — no configuration that hides Reject is possible.

Timestamped consent logs — ICO audit ready

Every consent event logged: timestamp, banner version, categories chosen. Producible within minutes if the ICO requests evidence of consent for a specific date and visitor session.

Google Consent Mode v2 — automatic

Correct GCM v2 signals fire automatically based on the visitor's choice. Conversion modelling and remarketing continue to function for UK visitors who accept — and stop entirely for those who decline.

Preference centre — withdrawal always accessible

Satisfies UK GDPR's requirement that withdrawal is as easy as giving consent. Accessible from every page — not buried in a footer privacy policy link visitors rarely find.

EU AI Act Article 50 — built in

If your UK site also serves EU visitors, EU AI Act Article 50 transparency obligations apply from 2 August 2026. The disclosure is already in your ConsentPixel banner. Enable the toggle.

ICO enforcement record

What ICO Enforcement Actually Looks Like

The ICO's approach is coordinated, public, and escalating — and the DUAA's fine increase changes the financial stakes entirely.

Feb 2026
In force

PECR fines raised to £17.5M under the DUAA

Maximum PECR fine increased 35× — from £500,000 to £17.5 million or 4% of global annual turnover. Cookie violations now carry the same financial risk as major data protection failures under UK GDPR.

Apr 2026
Published

ICO finalised new storage and access technologies guidance

Explicitly covers cookies, tracking pixels, device fingerprinting, web storage, scripts, tags, and link decoration. Confirms advertising and profiling purposes still require consent. Clarifies the three new DUAA exemptions and their strict scope limitations.

Jan 2025
Enforcement

ICO wrote to top 1,000 UK websites

Following the November 2023 campaign targeting the top 100 UK websites, the ICO extended its compliance campaign to the top 1,000 UK websites. The letters cited specific cookie banner failures including pre-enabled categories, asymmetric Accept/Reject design, and technical scripts firing before consent.

Nov 2023
Enforcement

53 of the top 100 UK websites received ICO compliance letters

The ICO's first major coordinated cookie enforcement campaign. Letters were public — recipients were named. The ICO specifically cited: pixels firing before consent (network tab evidence), Accept/Reject asymmetry, and absence of granular category controls.

FAQ

UK Cookie Compliance — Common Questions

Does UK cookie law still apply after Brexit?
Yes. The UK retained the EU's cookie requirements through PECR (Privacy and Electronic Communications Regulations 2003) and UK GDPR, incorporated via the European Union (Withdrawal) Act 2018 and Data Protection Act 2018. The Data Use and Access Act 2025 updated PECR by adding new exemptions and raising the fine ceiling — but the fundamental consent requirement for non-essential cookies remained unchanged. Not legal advice.
Does Google Analytics 4 need consent under PECR?
Yes. Despite the new DUAA statistical purposes exemption, GA4 requires consent in the UK. The statistical exemption requires data to be used solely for statistical purposes and remain with the website operator — not shared with third parties. GA4 sends data to Google's servers for Google's own purposes. Multiple European DPAs have found GA4 non-compliant without consent, and the ICO's guidance is consistent with this position. GA4 must be blocked until consent is obtained. Not legal advice.
What does the ICO actually do when it finds cookie non-compliance?
The ICO's primary enforcement mechanism for cookies has been public reprimands and compliance letters — effective reputational and operational pressure even without a monetary fine. However, the DUAA's increase of the maximum PECR fine to £17.5M changes the enforcement landscape significantly. The ICO has stated that formal monetary penalties are reserved for serious cases — but with the raised ceiling, the financial risk of being found in serious breach has increased 35-fold. The ICO's compliance test is the network tab test: third-party tracking requests before consent = non-compliant. Not legal advice.
Does PECR apply to my website if I'm not based in the UK?
PECR applies when you place or access tracking technologies on the terminal equipment of people located in the UK. If UK residents visit your website and you use non-essential cookies or tracking, PECR applies — regardless of where your business is based. The ICO has jurisdiction over processing activities that affect UK residents. Not legal advice.
Is a cookie banner enough to comply with PECR?
Not on its own. A compliant banner must be backed by technical enforcement. The CMP must actually block non-essential scripts before they load — displaying a banner while scripts run in the background is not compliance. The ICO's test is the network tab test: if third-party tracking requests appear before any consent interaction in a fresh browser session, the site is non-compliant regardless of whether a banner is present. Not legal advice.

UK Cookie Compliance — Done in Minutes

343 UK impressions in Search Console with near-zero clicks. Make your UK traffic convert — show them you take privacy seriously. PECR and UK GDPR compliant in under 10 minutes.

Scroll to Top