Updated: March 2026 • Based on UK Law
What Is a Cookie Policy?
A cookie policy is a legal document required under UK law that explains how your website uses cookies and similar tracking technologies — what cookies are set, their purposes, retention periods, and how users can control them. It is required under PECR and UK GDPR. This guide covers UK cookie rules, PECR consent requirements, GDPR obligations, and ICO enforcement risks. A free cookie policy checklist is included.
In early 2025, the ICO found that over half of the UK’s most-visited websites failed basic cookie consent standards. Pre-ticked boxes, missing reject buttons, cookies dropping before consent — the same mistakes repeated across household-name brands.
The fines for getting this wrong are no longer theoretical. The Data Use and Access Act 2025 increased maximum PECR penalties from £500,000 to £17.5 million or 4% of global turnover — aligning them with UK GDPR. The ICO has announced plans to review the top 1,000 UK websites.
✓ Cookie Policy Template
Build your cookie policy using our guided questions or classic editor — preview every clause before buying.
Prefer to do it yourself? Use our checklist as a basic guide.
What Are the Cookie Rules in the UK?
UK cookie rules require you to tell visitors cookies are present, explain what they do and why, and obtain consent before setting non-essential cookies. Three laws govern this: PECR, UK GDPR, and the Data Use and Access Act 2025.
The Three Laws That Govern Cookies
PECR (Privacy and Electronic Communications Regulations 2003) is the primary cookie law. It regulates any technology that stores or accesses information on a user’s device — cookies, pixels, beacons, device fingerprinting, scripts, tags, and web storage.
Under PECR, you must obtain informed, specific, and explicit consent before placing non-essential cookies. The only exceptions are cookies strictly necessary for providing a service the user requested (e.g., shopping baskets, security features).
The Data Use and Access Act 2025 (Royal Assent 19 June 2025) dramatically increased maximum PECR fines from £500,000 to £17.5 million or 4% of global turnover. It also introduced future exemptions for low-risk statistical cookies — but these provisions are not yet in force.
What Your Cookie Banner Must Do
- Equal prominence for accept and reject buttons — reject cannot be smaller, hidden, or require extra clicks
- Granular control over cookie categories — users must be able to accept analytics while rejecting marketing
- No cookies before consent — non-essential cookies must not fire until the user actively accepts
- Record-keeping — maintain records of when consent was given, what was consented to, and the exact wording shown
- Direct link to your full cookie policy from the banner
The ICO has specifically flagged “dark patterns” — design tricks that nudge users toward accepting — as non-compliant practices attracting enforcement action.
Is Cookie Logging Illegal in the UK?
Cookie logging without proper consent is illegal. Both UK GDPR and PECR require that you inform users and obtain consent before logging personal data through cookies.
Cookie logging means tracking and recording user behaviour, preferences, and personal data through cookies and similar technologies. The legality depends entirely on whether you have valid consent and whether the cookies serve a legitimate purpose.
Legal vs Illegal Cookie Logging
Strictly necessary cookies can be set without consent — session management, shopping baskets, load balancing, and security cookies.
Everything else requires explicit consent: analytics cookies logging user behaviour, advertising cookies tracking users for targeted marketing, social media cookies logging sharing activity, and preference cookies remembering user settings.
Do I Need a Cookie Policy on My UK Website?
Yes — if your UK website uses any cookies beyond strictly necessary ones, you legally need a cookie policy. Even if you only use strictly necessary cookies, you must still inform users about their presence.
A cookie policy is distinct from a privacy policy. Your cookie policy specifically addresses cookies and tracking technologies. Your privacy policy covers broader data processing. For comprehensive protection, maintain both as part of your website legal documents.
What Your Cookie Policy Must Include
- Every cookie your website uses — listed by name
- Purpose of each cookie — explained in plain language
- First-party or third-party — who sets each cookie
- Duration — how long each cookie remains active
- Consent requirement — which cookies require consent and which are strictly necessary
- User instructions — clear guidance for managing cookie preferences
Small businesses and sole traders are not exempt. PECR and UK GDPR apply to all organisations regardless of size. Even a one-person business must comply if cookies are present.
Your cookie policy must be accessible from every page (typically in the footer alongside your privacy policy and terms and conditions) and updated whenever you add new cookies or change how existing ones function.
Website Legal & Compliance Pack
Stay GDPR-Ready • 5 Templates + Editor & Interview Versions • Save 40% vs Buying Individually
Limited Time Offer • Lifetime Access • Free Updates • 30-Day Money-Back Guarantee*
What Is the GDPR Policy on Cookies?
UK GDPR treats cookies containing personal data as requiring lawful processing under data protection principles. While PECR governs when you can set cookies, UK GDPR governs how you can process any personal data those cookies collect.
A cookie becomes relevant to data protection law when it stores or accesses personal data — including user identifiers that link to an individual, browsing history revealing interests, location data, or unique advertising identifiers.
Consent Under UK GDPR
For cookies, consent is almost always the only viable lawful basis. Other bases like legitimate interests or contractual necessity rarely apply because cookie processing typically is not essential for the core service you provide. Valid consent must be:
- Freely given — genuine choice without detriment for refusing
- Specific — separate consent for different processing purposes
- Informed — clear information about who processes data and why
- Unambiguous — clear affirmative action (not pre-ticked boxes)
Data Subject Rights and Cookie Data
All data subject rights apply fully to cookie data. Users can request access to all cookie data you hold, demand deletion (not just deactivation), restrict processing, object to cookie-based processing, and request portability in a machine-readable format.
International data transfers through cookies require appropriate safeguards. Many third-party cookies automatically transfer data to US servers. Under UK GDPR, you must ensure adequate protection — through adequacy decisions, standard contractual clauses, or binding corporate rules.
Cookie Policy GDPR Requirements Checklist
A cookie policy is GDPR-compliant when it provides transparent information about personal data processing, operates alongside valid consent mechanisms, respects data subject rights, and implements appropriate security measures.
Simply having a cookie policy document does not guarantee compliance — your entire cookie ecosystem must meet UK GDPR standards.
Transparency Requirements (Article 13 UK GDPR)
- Identify yourself as the data controller with contact details
- Explain purposes of processing for each cookie type
- Specify the legal basis for processing (typically consent)
- Identify third parties who receive cookie data
- State retention periods for cookie data
- Inform users of all their data protection rights
Security and Accountability
- Encrypt sensitive cookies and use HTTPS for all cookie transmission
- Implement access controls on systems storing cookie databases
- Maintain consent records — who consented, when, what they consented to, how
- Conduct DPIAs for high-risk cookie processing (systematic monitoring at scale, profiling, special category data)
- Due diligence on third parties — you remain responsible for cookies third-party services set on your site
Insurance Considerations
Standard business insurance typically does not cover cookie policy violations. Cyber insurance specifically addresses data protection and privacy risks — covering regulatory investigations, legal defence costs, notification costs for breaches, and compensation to affected individuals.
With ICO fines now reaching £17.5 million, businesses handling significant user data through cookies should consider dedicated cyber insurance. Review policy wording carefully — many policies exclude or limit coverage for regulatory fines.
Frequently Asked Questions: Cookie Policy UK
What are the legal requirements for a cookie policy in the UK?
UK legal requirements include transparency obligations under UK GDPR Article 13, information requirements under PECR Regulation 6, disclosure of all cookies and their purposes, valid consent mechanisms for non-essential cookies, easy access from all pages, clear language, and maintained consent records. Maximum fines reach £17.5 million or 4% of global turnover.
Should I accept cookie policies on websites?
You are not obligated to accept cookies. Websites must provide equal reject and accept options — you can decline non-essential cookies without losing access to the site.
Accepting all cookies allows the website (and third parties) to track your browsing behaviour, build advertising profiles, and share data with partners. Rejecting non-essential cookies while accepting necessary ones gives you full site functionality with reduced tracking.
How does a cookie policy work?
A cookie policy works alongside a consent banner to inform users and capture their choices. When a visitor arrives, the banner presents options. Based on their selection, only approved cookie categories activate.
The policy document itself explains every cookie in detail — purpose, duration, provider, and how to change preferences later. A consent management platform (CMP) handles the technical implementation, blocking non-consented cookies and maintaining audit-ready consent records.
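The mechanism this answer describes (cookie categories that only activate after a choice, non-consented cookies blocked, and an auditable record of the decision) can be sketched in code. The block below is an added example written for this guide; it is not code from the page or from any consent management platform. The category names, the record fields, and the in-memory stand-ins for script loading and document.cookie are assumptions so that it runs outside a browser. It also shows the Secure and HttpOnly cookie attributes that back the "use HTTPS for all cookie transmission" point under Security and Accountability, and what has to happen when a user later withdraws consent.

```javascript
// Added example (not from the page or any CMP vendor): a minimal consent gate.
// Assumptions for illustration: the category names, the record format, and
// in-memory stand-ins for third-party script loading and document.cookie.

const CATEGORIES = ["necessary", "analytics", "marketing"];

function createConsentGate({ policyVersion, bannerText, now = () => new Date() }) {
  const loaders = { analytics: [], marketing: [] }; // tags waiting for consent
  const loaded = [];                                 // tags that actually ran
  const records = [];                                // audit log of every decision
  let consent = null;                                // null = no decision yet

  function isAllowed(category) {
    if (category === "necessary") return true;       // strictly necessary: no consent needed
    return consent !== null && consent[category] === true;
  }

  // Run every queued tag in a category exactly once.
  function flush(category) {
    for (const tag of loaders[category].splice(0)) {
      tag.load();
      loaded.push(tag.name);
    }
  }

  // Queue a third-party tag behind a category; it never runs until that
  // category has been accepted (the "no cookies before consent" rule).
  function registerTag(category, name, load) {
    if (!loaders[category]) throw new Error(`unknown non-essential category: ${category}`);
    loaders[category].push({ name, load });
    if (isAllowed(category)) flush(category);
  }

  // Record the user's choice. Categories not mentioned default to rejected,
  // so a plain "reject all" click is decide({}).
  function decide(choices) {
    consent = { necessary: true };
    for (const c of CATEGORIES) if (c !== "necessary") consent[c] = choices[c] === true;
    records.push({
      at: now().toISOString(),
      policyVersion,
      bannerText,                  // exact wording shown, kept with the record
      choices: { ...consent },
    });
    for (const c of Object.keys(loaders)) if (consent[c]) flush(c);
    return { ...consent };
  }

  // Build a Set-Cookie value for a cookie in a category, or null if that
  // category is not consented. Secure limits the cookie to HTTPS, HttpOnly
  // keeps it away from page scripts, SameSite=Lax limits cross-site sending.
  function cookieHeader(name, value, category, { maxAgeSeconds, httpOnly = true } = {}) {
    if (!isAllowed(category)) return null;
    const parts = [`${name}=${encodeURIComponent(value)}`, "Path=/", "Secure", "SameSite=Lax"];
    if (httpOnly) parts.push("HttpOnly");
    if (maxAgeSeconds !== undefined) parts.push(`Max-Age=${maxAgeSeconds}`);
    return parts.join("; ");
  }

  // Header that deletes a cookie, for use when consent is withdrawn.
  function expireHeader(name) {
    return `${name}=; Path=/; Max-Age=0; Secure; SameSite=Lax`;
  }

  return {
    registerTag, decide, isAllowed, cookieHeader, expireHeader,
    loadedTags: () => [...loaded],
    consentRecords: () => records.map((r) => ({ ...r })),
  };
}

// Walk-through with constructed data: accept analytics only, then withdraw.
function demo() {
  const gate = createConsentGate({
    policyVersion: "2026-03",
    bannerText: "We use cookies for analytics and marketing. Accept / Reject / Manage",
    now: () => new Date("2026-03-01T09:00:00Z"),   // fixed clock for a reproducible record
  });
  gate.registerTag("analytics", "analytics-tag", () => {});
  gate.registerTag("marketing", "ads-tag", () => {});

  const before = { loaded: gate.loadedTags(), analyticsCookie: gate.cookieHeader("_an", "x", "analytics") };
  gate.decide({ analytics: true });                // user accepts analytics, rejects marketing
  const after = {
    loaded: gate.loadedTags(),
    analyticsCookie: gate.cookieHeader("_an", "x", "analytics", { maxAgeSeconds: 3600 }),
    marketingCookie: gate.cookieHeader("_ad", "y", "marketing"),
  };
  gate.decide({});                                 // later: reject everything
  const afterWithdraw = { analyticsCookie: gate.cookieHeader("_an", "x", "analytics"), expire: gate.expireHeader("_an") };
  return { before, after, afterWithdraw, records: gate.consentRecords() };
}
```

On a real site the loader callbacks would inject the third-party script tags and the cookie headers would be emitted by the server; the property worth keeping is that nothing in a category runs or is set until isAllowed(category) is true, that a withdrawal expires the cookies already set, and that each record captures the banner wording and policy version in force when the decision was made.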
How do I create a cookie policy legally in the UK?
Conduct a cookie audit to identify all cookies on your website. Categorise them as necessary, analytics, functionality, or marketing. Document the purpose, duration, and provider of each.
Draft the policy in clear, accessible language. Implement a consent management system that respects user choices and blocks non-consented cookies. Review and update the policy whenever cookies change — set a quarterly audit schedule.
Are cookie compliance costs tax deductible?
Yes. Costs of creating and maintaining cookie policies are legitimate business expenses — legal fees for drafting, software subscriptions for consent management, and consultant fees all qualify as tax-deductible. Services are subject to VAT at the standard 20% rate, reclaimable if you’re VAT registered.
What happens to my cookie policy after Brexit?
The UK has its own cookie regulations through PECR and UK GDPR, which have now diverged from EU rules. The DUA Act 2025 introduced UK-specific cookie exemptions not present in EU law.
If you serve EU customers, you must comply with both UK and EU cookie rules. The UK’s rules are becoming more permissive while EU rules remain strict — requiring separate cookie strategies for each jurisdiction.
What if my consent management platform goes down?
Your legal obligation to manage cookies continues regardless of provider difficulties. Have contingency plans including backups of consent records, documentation of your cookie configuration, and alternative CMP providers researched in advance. If your CMP fails, you must quickly implement alternative consent mechanisms.
The Truth About “Free” Legal Template Sites (What You’re Really Signing Up For)
Most websites advertising a “free legal template” follow the same pattern. You click because it’s free. You spend 10–15 minutes filling in questions.
And right at the end — only after you’ve invested your time — you’re hit with “Create your account first,” “Start your 7-day trial,” or “Card required — auto-renews at £29–£39 a month.”
This isn’t a template. This is a subscription funnel.
Why These “Free” Templates Are a Legal Risk
- Outdated wording not aligned with current UK law
- Missing mandatory clauses required for legal validity
- Generic content copied from US or non-UK templates
- No guidance on requirements
- No structured checklist to verify the document works
Hidden Problem: Many “Free Template” Sites Aren’t UK-Based
- Incorrect terminology taken from US contract law
- Missing UK statutory references — essential legal requirements omitted
- Non-applicable clauses that don’t apply under UK legislation
- Legal conflicts risking breach of UK consumer, employment, or GDPR rules
Why Templates UK Does the Opposite
- Drafted by UK professionals — written by experienced business and legal experts
- UK-law only — no US crossover or generic “international” templates
- One-time price from £10 — no subscriptions, no renewals
- Full preview — see the exact document before buying
- Two versions included — Editor + Interview formats
- Lifetime access — free lifetime updates included
My Templates Dashboard
After purchase, access all your templates from your My Templates dashboard — download, re-download, and access updates anytime.
Transparent Pricing
One-time price from £10 per template. No hourly rates. No hidden fees. No subscriptions.
Not ready to buy? Start with our free cookie policy checklist to see if it covers what you need.
No tricks. No trials. No hidden fees. Just the exact UK-specific legal document you came for — at the price we told you upfront.
Build your own bespoke Cookie Policy — preview every clause before buying and only pay when you’re happy with it.
Get Every Template in One Bundle
The UK Legal Templates Ultimate Bundle includes all 91 templates across every category — one purchase, every template, free lifetime updates including all future law changes.
Explore Template Bundles by Category
- Business Complete Suite — 37 templates (smaller packs available)
- Landlord Ultimate Bundle — 28 templates (smaller packs available)
- Complete Family Pack — 18 templates (smaller packs available)
- Complete Estate Pack — 8 templates (smaller packs available)
Disclaimer: This guide provides general UK legal information, not legal advice. Laws current as of March 2026. Cookie regulations apply across the UK. The Data Use and Access Act 2025 introduced changes to PECR — some provisions are phased in over 2025–2026. Always verify current requirements with official ICO guidance.