Do I need a cookie banner on my website?

By SuLe · Updated 29 May 2026

If your website sets any non-essential cookies — analytics, advertising or personalisation — then yes, PECR requires you to get consent first, which in practice means a compliant cookie banner. Strictly necessary cookies are exempt, so a purely functional site may not need one. The test is what your cookies do, not whether you have a banner already.

Get expert legal advice before you sign.

Book a free 20-minute call

Key facts

  • PECR requires consent for non-essential cookies and trackers, including analytics and advertising.
  • Strictly necessary cookies (login, basket, security) are exempt from the consent rule.
  • Consent must be as easy to refuse as to give — a reject option is effectively required.
  • Non-essential cookies must not fire until the user consents.
  • The Data (Use and Access) Act 2025 adds limited exceptions for some low-risk analytics — check commencement before relying on them.

Do I legally need a cookie banner?

It depends entirely on what cookies your site sets. The rule lives in PECR — the Privacy and Electronic Communications Regulations — which requires consent before you place non-essential cookies or similar trackers on someone's device.

Non-essential covers analytics, advertising, embedded social media and personalisation. If you run Google Analytics, an ad pixel or a marketing tag, you are setting non-essential cookies and you need consent — a banner.

If your site sets only strictly necessary cookies, you are exempt from the consent requirement, though you still owe transparency about them. So the honest first step is to audit what actually fires, not to assume.


Which cookies count as strictly necessary?

Only the ones genuinely required to deliver a service the user asked for. Keeping a user logged in, remembering items in a basket, load-balancing and certain security cookies are the classic examples.

Analytics is the common trap. Founders like to call it "essential" because they rely on it, but PECR judges necessity from the user's perspective, not the business's — and the user did not ask to be measured.

So most analytics, all advertising, and anything used to profile or retarget sits on the non-essential side and needs consent. Draw the line honestly; mislabelling trackers as essential is exactly what the ICO looks for.


What makes a cookie banner compliant?

Design and behaviour both matter. Consent must be freely given, specific and informed, and — critically — as easy to refuse as to give.

That rules out the "Accept all" button with refusal buried two clicks deep, and it rules out pre-ticked boxes or implied consent from continued browsing. A compliant banner offers accept and reject with equal prominence and lets people choose by category.

Behaviour matters most: non-essential cookies must not fire until consent is given. Many banners look compliant but load analytics on page load anyway, which defeats the entire mechanism.

Cookie typeExampleConsent needed?
Strictly necessaryLogin session, basket, securityNo
Analytics / performanceGoogle Analytics, heatmapsYes
Advertising / targetingAd pixels, retargeting tagsYes
Functional / preferenceRemembered language, saved settingsUsually yes
Social / embedded mediaEmbedded video, share widgetsYes

Is the cookie law about to change?

Yes, but carefully rather than dramatically. The Data (Use and Access) Act 2025 introduces limited exceptions to the consent rule for some low-risk purposes, such as certain first-party analytics.

The important caveat is commencement. The Act's provisions come into force in phases, so a new exception may be announced but not yet live — and relying on one before it commences would leave you in breach.

Check the current commencement position for any cookie change before you act on it, and until an exception is confirmed in force, keep treating analytics as needing consent. Hedge your compliance to the law as it actually stands, not as it is trailed.


Worked example

Marcus launches Brewkit, a coffee-subscription site, with a slick "Accept all" banner. On the first page load, before anyone clicks, Google Analytics and a Meta ad pixel both fire.

That is a PECR breach on two counts: the non-essential cookies set before consent, and the banner offers no equally easy reject. Marcus reconfigures so nothing but his login and basket cookies loads until the user chooses.

He adds a one-click "Reject non-essential" alongside "Accept", plus a short cookie policy listing each cookie's purpose. He notes that the Data (Use and Access) Act 2025 may soon ease first-party analytics consent, but keeps consent switched on until that exception is confirmed in force.


Where founders go wrong

  • Firing analytics on page load.

    If non-essential cookies set before consent, the banner is decorative, not compliant.
  • Mislabelling analytics as essential.

    Necessity is judged from the user's perspective — measurement is not something they asked for.
  • Offering accept but not easy reject.

    Consent must be as easy to refuse as to give, or it is not valid consent.
  • Assuming the law has already loosened.

    The Data (Use and Access) Act 2025 exceptions commence in phases — check before relying on them.

Related questions

Are all cookies covered by the consent rule?

No. PECR requires consent only for non-essential cookies and similar trackers — analytics, advertising and personalisation. Strictly necessary cookies, such as those that keep a user logged in or hold items in a basket, are exempt. The practical task is separating the two honestly rather than labelling everything "essential" to avoid the banner.

Does a cookie banner need a reject button?

Effectively yes. Consent must be as easy to refuse as to give, so a banner that offers a prominent "Accept all" but hides refusal behind extra clicks is not compliant. A one-click reject option alongside accept is the safe design, and non-essential cookies must not fire until the user actually consents.

Is the cookie law changing?

It is being adjusted. The Data (Use and Access) Act 2025 introduces limited exceptions to the consent rule for some low-risk purposes, such as certain analytics — but its provisions commence in phases, so you should check the current commencement position before relying on any new exception rather than assuming it is live.

What happens if I set analytics cookies without consent?

You are in breach of PECR, and the ICO can take enforcement action — historically penalties reached £500,000, with the trend under the Data (Use and Access) Act 2025 towards higher, UK GDPR-aligned levels. Non-consented analytics is also a common, easily spotted complaint, because anyone can inspect what your site sets on first load. [More: Can I send cold emails under UK GDPR and PECR?]


Cookie banners are where compliance is most visible and most often faked — a banner that loads trackers before consent is worse than none, because it advertises the breach. A SuLe solicitor can check your banner actually does what it claims and is ready for the incoming rule changes. Book a free compliance check call and get it right at the surface where regulators look first.

Keep reading: What does UK GDPR require from an early-stage startup? · Can I send cold emails under UK GDPR and PECR? · Do I need terms and conditions and a privacy policy for my startup? · Does my startup need to register with the ICO? · What are the rules for marketing to consumers vs businesses? · Can I transfer user data outside the UK?

Primary sources: ICO — For organisations · GOV.UK — Data protection

AI-generated content. General information, not legal advice.