How to Use This Checklist
Use this checklist to:
✅ Three Ways to Use This Tool
1. Audit existing policies: Review your current cookie policy against all 48 UK PECR compliance points
2. Draft new policies: Ensure you don't miss any essential cookie disclosure requirements
3. Compare with legal drafts: Verify your policy covers everything required by UK law
⚠️ Where Should Your Cookie Policy Be Placed?
🔗 Footer Link: Your cookie policy should be prominently linked in your website footer, accessible from every page. This is the standard location users expect to find it.
📄 Separate Page: Host your cookie policy on its own dedicated webpage (e.g., www.yoursite.com/cookie-policy)
🍪 Cookie Banner: Include a direct link to your cookie policy within your cookie consent banner (required by PECR)
🔗 Privacy Policy Link: Cross-reference your cookie policy from your privacy policy and vice versa for comprehensive transparency
⚠️ Understanding Importance Levels
🔴 Critical: Must have - omission creates serious legal risk and ICO penalties up to £17.5M or 4% of global turnover
🟡 Important: Should have - recommended for proper compliance and transparency
🔵 Recommended: Best practice - enhances user trust and demonstrates accountability
Website URL Identified
Must clearly state which website the cookie policy applies to. Users need to know the exact domain covered. Required by UK GDPR transparency obligations.
🔴 Critical
Company Name & Details
Clear identification of the organization operating the website: company name, registered address, company number. Required for data controller transparency under UK GDPR Article 13.
🔴 Critical
Last Updated Date
Date showing when the policy was last revised. Demonstrates ongoing compliance review. Helps users know if changes have been made since their last visit.
🔴 Critical
Contact Email Address
Provide email address for cookie-related inquiries. Required for users to exercise their rights and ask questions about cookie usage under UK GDPR.
🔴 Critical
Privacy Policy Cross-Reference
Statement that cookie policy should be read alongside privacy policy. Cookies collect personal data, so both policies must work together for full transparency.
🟡 Important
⚠️ UK PECR Cookie Disclosure Requirement
The Privacy and Electronic Communications Regulations (PECR) require clear explanation of what cookies are and how they work. You cannot simply assume users understand cookies - you must explain in plain English what cookies do, why you use them, and how users can control them.
Plain English Definition of Cookies
A clear explanation that cookies are small text files stored on the user's device when they visit the website. Must be understandable to non-technical users. Required by PECR transparency obligations.
🔴 Critical
First-Party vs Third-Party Cookies Explained
Distinguish between cookies set by your website (first-party) and cookies set by external services like analytics or advertising (third-party). Critical for informed consent under PECR.
🔴 Critical
Purpose of Using Cookies
General explanation of why websites use cookies: making sites work, improving user experience, understanding behavior, providing personalized content. Sets context for detailed disclosures that follow.
🟡 Important
Consent Statement for Cookie Use
Clear statement that by using the website, users consent to cookies in accordance with the policy (subject to consent mechanism for non-essential cookies). Required by PECR Regulation 6.
🔴 Critical
⚠️ Mandatory Cookie Categorization
UK PECR requires you to clearly categorize and explain each type of cookie you use. Generic statements like "we use cookies to improve your experience" are insufficient. You must specify: strictly necessary cookies, performance cookies, functionality cookies, targeting cookies - with examples and purposes for each category.
Strictly Necessary Cookies Disclosed
Essential cookies required for the website to function: session management, security, load balancing. These are exempt from consent under PECR Regulation 6(4) but must still be disclosed.
🔴 Critical
Performance/Analytics Cookies Disclosed
Cookies that collect anonymous information about website usage: Google Analytics, page views, bounce rates, traffic sources. Require consent under PECR unless truly anonymous.
🔴 Critical
Functionality Cookies Disclosed
Cookies that remember user preferences: language settings, font size, region selection, saved preferences. Enhance user experience. Require consent under PECR.
🟡 Important
Targeting/Advertising Cookies Disclosed
Cookies used to deliver personalized advertising: tracking browsing behavior, building profiles, targeting ads, measuring campaign effectiveness. Require explicit consent under PECR.
🔴 Critical
Session vs Persistent Cookies Explained
Distinguish between temporary session cookies (deleted when browser closes) and persistent cookies (stored for longer periods). Duration impacts privacy considerations.
🟡 Important
Purpose Explained for Each Cookie Type
Specific explanation of what each cookie category does: "Performance cookies help us understand which pages are most popular", not just generic descriptions. Required for informed consent.
🔴 Critical
Similar Technologies Disclosed (if applicable)
If you use web beacons, pixels, local storage, or other tracking technologies beyond cookies, these must be disclosed and explained. PECR applies to all tracking technologies.
🟡 Important
Complete List of Third-Party Services
Name all third-party services that set cookies through your website: Google Analytics, Facebook Pixel, Hotjar, advertising networks, etc. Required by PECR - users must know who is tracking them.
🔴 Critical
Google Analytics Disclosed (if used)
If using Google Analytics, explicitly state this with explanation of data collected: page views, session duration, traffic sources, device information. Most common third-party cookie service.
🔴 Critical
Social Media Cookies Disclosed (if applicable)
If you have Facebook Like buttons, Twitter feeds, LinkedIn share buttons, etc., disclose the cookies these set. Social plugins are prolific cookie setters requiring explicit disclosure.
🔴 Critical
Advertising Networks Disclosed (if applicable)
If you use Google Ads, Facebook Ads, or other advertising platforms that track users across sites, disclose these. Advertising cookies require explicit consent and detailed disclosure under PECR.
🔴 Critical
Purpose Explained for Each Third-Party Service
For each third-party service listed, explain specifically why you use it: "Google Analytics to understand website traffic patterns", "Hotjar to improve user experience through session recordings".
🔴 Critical
Cookie Duration/Expiry Stated
For key cookies, state how long they remain on the user's device: "Google Analytics cookies expire after 2 years", "Session cookies deleted when browser closes". Duration impacts privacy risk assessment.
🟡 Important
Data Collected by Each Service Explained
Specify what data each third-party service collects: IP addresses, device identifiers, browsing behavior, timestamps. Shows comprehensive transparency about third-party tracking.
🟡 Important
Links to Third-Party Privacy Policies
Provide links to privacy policies of major third-party services (Google, Facebook, etc.) so users can understand how these companies use their data. Demonstrates comprehensive transparency.
🔵 Recommended
⚠️ PECR Consent Requirements
UK PECR Regulation 6 requires prior consent before setting non-essential cookies. Consent must be informed, specific, freely given, and obtained through clear affirmative action. Pre-ticked boxes, cookie walls, and implied consent do NOT meet PECR standards. The ICO can impose penalties up to £17.5M for non-compliant cookie consent.
Cookie Consent Mechanism Described
Clear explanation of how you obtain cookie consent: cookie banner, consent management platform, settings page. Must explain how users give consent before non-essential cookies are set. Required by PECR Regulation 6.
🔴 Critical
Consent Timing Explained
State that non-essential cookies will not be set until user provides consent. Critical for PECR compliance - you cannot set tracking cookies before consent is obtained through clear affirmative action.
🔴 Critical
Consent Management Platform Disclosed (if applicable)
If using OneTrust, Cookiebot, Termly, or similar consent platform, name the service and explain how it manages cookie preferences. Shows robust consent infrastructure.
🟡 Important
Granular Consent Options Explained
Explain that users can accept/reject different cookie categories (essential, analytics, advertising) separately. PECR requires granular control - users must be able to accept some categories while rejecting others.
🔴 Critical
Compliance with UK PECR Stated
Explicit statement that cookie consent practices comply with Privacy and Electronic Communications Regulations (PECR) and UK GDPR. Demonstrates awareness of legal obligations and commitment to compliance.
🟡 Important
Strictly Necessary Cookie Exemption Explained
State that strictly necessary cookies (essential for website function) do not require consent under PECR Regulation 6(4) but must still be disclosed. Clarifies why some cookies are set immediately.
🟡 Important
Browser Cookie Controls Explained
Explain how users can control cookies through browser settings: blocking all cookies, blocking third-party cookies, deleting existing cookies. Required transparency about technical controls available to users.
🔴 Critical
Instructions for Major Browsers Provided
Provide guidance or links for managing cookies in Chrome, Firefox, Safari, Edge. Practical information helps users exercise control. Best practice for user empowerment.
🔵 Recommended
Cookie Preference Management Explained
Explain how users can change their cookie preferences: revisiting cookie banner, accessing preference center, adjusting settings. Must provide easy way to withdraw consent previously given.
🔴 Critical
Opt-Out Links Provided (if applicable)
For key services like Google Analytics, provide opt-out links: Google Analytics Opt-Out Browser Add-on. Demonstrates commitment to user choice and control over tracking.
🔵 Recommended
Impact of Disabling Cookies Explained
Honest explanation that blocking cookies may affect website functionality: unable to stay logged in, preferences not saved, some features may not work. Sets realistic expectations for users exercising cookie controls.
🟡 Important
Strictly Necessary Cookies Cannot Be Disabled
Clarify that essential cookies required for the website to function cannot be disabled through consent settings (but can be blocked via the browser). Explains why some cookies persist despite user preferences.
🟡 Important
Cookie Data Storage Location Disclosed
State where cookie data is stored: UK, EEA, or international locations. Many third-party services (Google, Facebook) transfer data to the USA. Required disclosure under UK GDPR Chapter V.
🔴 Critical
International Transfer Safeguards Explained
If data is transferred outside the UK/EEA, explain the safeguards: adequacy decisions, Standard Contractual Clauses, International Data Transfer Agreements. Required by UK GDPR for lawful international transfers.
🔴 Critical
Third-Party Service Data Transfers Disclosed
For services like Google Analytics or Facebook Pixel that transfer data internationally, explicitly state this and explain how third parties protect data. Comprehensive international transfer transparency.
🟡 Important
Policy Update Process Explained
State that cookie policy may be updated to reflect changes in cookie usage, legal requirements, or operational needs. Explain how users will be notified: updated date, website notice, email.
🟡 Important
Material Changes Notification Commitment
Confirm you'll notify users of material changes to cookie policy and may require fresh consent for significant changes to cookie usage. Demonstrates respect for user expectations.
🟡 Important
Contact Information for Cookie Queries
Provide an email address and website URL for users to ask questions about the cookie policy or cookie usage. Required for the user's right to information under UK GDPR.
🔴 Critical
External Cookie Resources Provided
Links to independent cookie information resources: ICO cookie guidance, AboutCookies.org, AllAboutCookies.org. Helps users learn more about cookies beyond your specific policy.
🔵 Recommended
ICO Website Link Provided
Include link to Information Commissioner's Office cookie guidance: https://ico.org.uk/for-the-public/online/cookies/. Directs users to authoritative UK regulatory guidance on cookies and privacy.
🔵 Recommended
Cookie Table/Detailed List Included
Comprehensive table listing all cookies: cookie name, provider, purpose, type, duration. Provides maximum transparency about every cookie set on your website. ICO best practice recommendation.
🔵 Recommended
Plain Language Throughout Policy
Entire policy written in clear, plain English avoiding excessive technical jargon. PECR and UK GDPR require information to be accessible and easily understood by average users, not just legal experts.
🔴 Critical
Regular Policy Review Commitment
Statement encouraging users to review policy periodically to stay informed about cookie usage changes. Shows ongoing commitment to transparency and keeping users informed.
🔵 Recommended
Additional Clauses/Custom Requirements
Space for any additional cookie-related clauses specific to your business: industry-specific requirements, additional tracking technologies, special consent mechanisms. Customization for unique business needs.
🔵 Recommended
Next Steps
Now that you've reviewed the compliance checklist, you have three options:
✅ Use Our Ready-Made Template (Recommended)
Save hours of legal research and drafting. Our professionally-crafted cookie policy covers all 48 UK PECR compliance points with legally-sound wording. Available in both Interview Mode (guided questionnaire) and Editor Mode (direct editing) for just £10.
📝 Draft Your Own Policy
Use this checklist as your guide, but remember: getting the legal wording correct is complex. UK PECR requires precise language around cookie types, consent mechanisms, third-party services, and user controls. A single compliance gap can result in ICO fines up to £17.5M or 4% of global turnover.
⚖️ Book a Legal Consultation
For complex cookie implementations, consent management platforms, or if you handle significant third-party tracking, consider booking a consultation with our legal professionals for personalized UK PECR advice tailored to your specific circumstances.