UK Cookie Law Just Got Significantly More Serious.
PECR fines rose from £500,000 to £17.5 million under the Data Use and Access Act. The ICO finalised new tracking technology guidance in April 2026. ConsentPixel handles PECR, UK GDPR, and Google Consent Mode v2 — one pixel, no developer required.
PECR fines raised to £17.5M — up 35× from £500K. The Data Use and Access Act aligned PECR penalties with UK GDPR enforcement levels.
ICO finalised new SAT guidance — now explicitly covers tracking pixels, fingerprinting, scripts, and tags. Not just HTTP cookies.
3 new cookie exemptions added — statistical, appearance, and emergency. Google Analytics still requires consent. Advertising pixels still require consent.
PECR and UK GDPR: Two Laws, One Regulator
UK cookie compliance sits at the intersection of two statutes enforced by the ICO. Understanding both is essential — getting one right without the other leaves you exposed.
Creates the consent requirement
PECR Regulation 6 is the specific law that requires consent before any non-essential cookie or tracking technology accesses a visitor's device. It derives from the EU's ePrivacy Directive 2002/58/EC, which the UK retained post-Brexit. The strictly necessary exemption is narrow — it covers only what's genuinely required to deliver the service the visitor explicitly requested. Analytics are not strictly necessary. Advertising pixels are not strictly necessary.
The Data Use and Access Act 2025 raised maximum PECR fines to £17.5M or 4% of global turnover from February 2026. The ICO April 2026 guidance expanded PECR's scope to explicitly cover tracking pixels, device fingerprinting, scripts, tags, and link decoration — not just HTTP cookies.
Governs: when consent is neededDefines what valid consent looks like
UK GDPR applies when cookies and tracking technologies process personal data — which analytics and advertising trackers always do, since they transmit IP addresses and device identifiers. UK GDPR defines the quality of consent: freely given, specific, informed, and unambiguous. Reject must be as easy as accept. No pre-ticked boxes. Continued browsing is not consent. Consent must be documented with timestamps.
Both laws are enforced by the ICO. Both must be satisfied simultaneously — PECR governs when consent is needed, UK GDPR governs the quality and documentation of that consent.
Governs: what valid consent meansNew Exemptions — and What They Don't Cover
Three new PECR cookie exemptions came into force February 5, 2026. Commonly misunderstood. Google Analytics, Meta Pixel, and LinkedIn Tag all still require consent.
Statistical purposes
First-party analytics whose sole purpose is collecting data about how the service is used, with a view to making improvements. Data must stay with the website operator — not shared with any third party. Users must be given a simple, free means of objecting. Does not cover third-party analytics tools.
Website appearance
Cookies that remember viewing preferences — language, dark mode, layout. Must adapt the service to the user's own device preferences, not to their browsing history or interests. Personalisation based on past behaviour is not covered by this exemption.
Emergency assistance
Cookies used to ascertain user location solely to provide emergency assistance. Applies to safety-critical services only. Not relevant to commercial websites, media, or eCommerce.
Google Analytics / GA4
GA4 sends data to Google's servers — that's third-party data sharing, not first-party statistical purposes. The statistical exemption explicitly requires data to remain with the website operator. GA4 does not qualify. Consent is still required for GA4 under PECR.
Meta, TikTok, LinkedIn pixels
All advertising pixels transmit data to third-party servers for commercial purposes. No exemption covers cross-site or cross-device tracking of any kind. The ICO's April 2026 guidance is explicit: advertising and profiling purposes still require consent.
Analytics feeding advertising
The statistical exemption applies only where cookies are used "solely" for statistical purposes. If your analytics tool also feeds advertising targeting, A/B testing audiences, or conversion tracking, it cannot rely on the exemption. Mixed-purpose deployments require consent for everything.
How the ICO Actually Checks Compliance
The ICO's method is straightforward: visit the site in a fresh browser session and watch the network tab. If third-party tracking requests appear before any consent interaction — non-compliant. This is the same test ConsentPixel runs for free on any URL.
What Needs Consent Under UK Law
| Technology | Consent required? | Why |
|---|---|---|
| Google Analytics 4 (GA4) | Yes | Third-party data sharing — statistical exemption does not apply |
| Meta Pixel / Facebook Pixel | Yes | Advertising pixel — no exemption covers advertising or profiling purposes |
| TikTok Pixel | Yes | Advertising pixel — same as Meta Pixel |
| LinkedIn Insight Tag | Yes | Advertising pixel — cross-site tracking requires consent |
| Microsoft Bing UET + Clarity | Yes | Both transmit to Microsoft advertising infrastructure |
| Hotjar / session replay tools | Yes | Non-essential tracking — captures interaction and keystroke data |
| Device fingerprinting | Yes | Explicitly within ICO April 2026 SAT guidance scope |
| A/B testing cookies | Yes | Non-essential for service — improves business analytics, not required by visitor |
| Shopping cart / session cookies | No — strictly necessary | Required to deliver the service the visitor explicitly requested |
| Login / authentication cookies | No — strictly necessary | Required to maintain the session the visitor explicitly requested |
| Cookie consent state cookie | No — strictly necessary | Required to remember the visitor's own consent choice |
| First-party analytics (sole purpose, no third-party sharing) | No — new DUAA exemption | Statistical purposes exemption — must provide objection mechanism |
Everything PECR + UK GDPR Compliance Requires
Built for the technical standard the ICO actually enforces — not just what passes a visual inspection.
Script-level blocking before consent
Zero third-party requests before visitor choice. Passes the ICO's network tab test on first visit. No banner-while-scripts-load gap.
Equal Accept / Reject prominence
PECR and UK GDPR require Reject to be as visible as Accept on the first layer. ConsentPixel banners are built to this standard — no configuration that hides Reject is possible.
Timestamped consent logs — ICO audit ready
Every consent event logged: timestamp, banner version, categories chosen. Producible within minutes if the ICO requests evidence of consent for a specific date and visitor session.
Google Consent Mode v2 — automatic
Correct GCM v2 signals fire automatically based on the visitor's choice. Conversion modelling and remarketing continue to function for UK visitors who accept — and stop entirely for those who decline.
Preference centre — withdrawal always accessible
Satisfies UK GDPR's requirement that withdrawal is as easy as giving consent. Accessible from every page — not buried in a footer privacy policy link visitors rarely find.
EU AI Act Article 50 — built in
If your UK site also serves EU visitors, EU AI Act Article 50 transparency obligations apply from 2 August 2026. The disclosure is already in your ConsentPixel banner. Enable the toggle.
What ICO Enforcement Actually Looks Like
The ICO's approach is coordinated, public, and escalating — and the DUAA's fine increase changes the financial stakes entirely.
PECR fines raised to £17.5M under the DUAA
Maximum PECR fine increased 35× — from £500,000 to £17.5 million or 4% of global annual turnover. Cookie violations now carry the same financial risk as major data protection failures under UK GDPR.
ICO finalised new storage and access technologies guidance
Explicitly covers cookies, tracking pixels, device fingerprinting, web storage, scripts, tags, and link decoration. Confirms advertising and profiling purposes still require consent. Clarifies the three new DUAA exemptions and their strict scope limitations.
ICO wrote to top 1,000 UK websites
Following the November 2023 campaign targeting the top 100 UK websites, the ICO extended its compliance campaign to the top 1,000 UK websites. The letters cited specific cookie banner failures including pre-enabled categories, asymmetric Accept/Reject design, and technical scripts firing before consent.
53 of the top 100 UK websites received ICO compliance letters
The ICO's first major coordinated cookie enforcement campaign. Letters were public — recipients were named. The ICO specifically cited: pixels firing before consent (network tab evidence), Accept/Reject asymmetry, and absence of granular category controls.
UK Cookie Compliance — Common Questions
Does UK cookie law still apply after Brexit?
Does Google Analytics 4 need consent under PECR?
What does the ICO actually do when it finds cookie non-compliance?
Does PECR apply to my website if I'm not based in the UK?
Is a cookie banner enough to comply with PECR?
UK Cookie Compliance — Done in Minutes
343 UK impressions in Search Console with near-zero clicks. Make your UK traffic convert — show them you take privacy seriously. PECR and UK GDPR compliant in under 10 minutes.