Cookies, consent and PECR

26 / 6 / 2026, 6 min read
By Amy Church

What UK rules actually require for cookies, when you need consent, and how PECR and the UK GDPR fit together.

Cookies are governed by their own set of UK rules, the Privacy and Electronic Communications Regulations, usually shortened to PECR, which sit alongside the UK GDPR. In short, most cookies that aren't strictly necessary need the visitor's consent before they're set. This guide explains what that means in practice for a small website.

How PECR and GDPR fit together

PECR covers cookies and similar technologies, as well as electronic marketing such as email and text messages. The UK GDPR sets the wider rules for personal data. The two overlap: PECR decides when you can place a cookie, and where that cookie involves personal data the UK GDPR applies as well. The ICO enforces both, so it's sensible to treat them as one job rather than two.

When you need consent for cookies

You need consent before setting any cookie that isn't strictly necessary. That includes analytics, advertising, and most third-party cookies from embedded content. The cookie can't be set first and consent collected afterwards, so the order matters. The only cookies you can set without asking are the genuinely essential ones.

What "strictly necessary" actually means

Strictly necessary is narrower than it sounds. It covers cookies that are essential to provide the service the visitor has asked for, such as remembering what's in a shopping basket or keeping someone logged in securely. It doesn't cover analytics, even your own, and it doesn't cover anything to do with advertising. If a cookie is there for your benefit rather than to deliver something the visitor requested, it isn't strictly necessary.

What valid consent looks like

Consent has to be a clear, affirmative choice. In practice that means:

  • You set no non-essential cookies until the visitor has agreed.
  • You don't rely on pre-ticked boxes or assume agreement from silence.
  • Refusing is as easy as accepting, and isn't hidden behind extra clicks.
  • People can change their mind whenever they like.

A banner that drops analytics the moment the page loads, or that only offers an "accept" button, doesn't meet the standard, however common it is.
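As an added illustration of the four points above (this is not code from the article or its author), here is how a site can gate non-essential scripts on a recorded choice, so nothing beyond strictly necessary cookies loads until the visitor has actively accepted. The cookie name, the category list and the script list are assumed for the example.

```javascript
// Consent gating for non-essential cookies (illustrative; names are assumed).
// The visitor's choice is stored in one cookie, "cookie_consent", which is itself
// strictly necessary because its only job is to remember the choice made.
const CONSENT_COOKIE = "cookie_consent";
// true = strictly necessary, may always load; false = needs an affirmative "accepted".
const CATEGORIES = { essential: true, analytics: false, advertising: false };

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// "unset" until the visitor has made a choice; silence or an unknown value is
// never treated as agreement.
function consentState(header) {
  const v = parseCookies(header)[CONSENT_COOKIE];
  return v === "accepted" || v === "rejected" ? v : "unset";
}

// Only strictly necessary categories may load before an explicit "accepted".
function mayLoad(category, header) {
  if (!(category in CATEGORIES)) throw new Error("unknown cookie category: " + category);
  return CATEGORIES[category] || consentState(header) === "accepted";
}

// Set-Cookie header recording a choice. Accept and reject are the same single
// step, and the stored choice can be overwritten at any time.
function recordChoice(choice) {
  if (choice !== "accepted" && choice !== "rejected") throw new Error("invalid choice: " + choice);
  return `${CONSENT_COOKIE}=${choice}; Max-Age=15552000; Path=/; Secure; SameSite=Lax`;
}

// Withdraw consent: expire the consent cookie so the site drops back to "unset".
function withdrawConsent() {
  return `${CONSENT_COOKIE}=; Max-Age=0; Path=/; Secure; SameSite=Lax`;
}

// Given the request's Cookie header, return only the script URLs the page may emit.
function scriptsToLoad(header, scripts) {
  return scripts.filter((s) => mayLoad(s.category, header)).map((s) => s.src);
}
```

The server-side check in `scriptsToLoad` matters because a banner that hides a tag visually but still emits it has already set the cookie.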

A note on electronic marketing

PECR also governs marketing by email and text. As a rule you need consent to send it, with a limited exception known as the soft opt-in. It lets you email your own customers about similar products, as long as you collected their details during a sale, offered them a clear way to opt out at the time, and have included one in every message since.

A proportionate approach for a small site

Start by finding out which cookies your site actually sets, including the ones added by embedded tools. Drop anything you don't need, which is often more than expected. Use a consent banner that genuinely lets people refuse, and describe your cookies in your privacy or cookie notice. Done once, this rarely needs revisiting unless your site changes.

Cookies are one part of the wider picture in our guide to GDPR for small businesses. If you'd like help getting your cookies and consent in order, our GDPR compliance service covers it as part of the project.
