Do I need a cookie banner on my website?
If your website sets any non-essential cookies — including analytics trackers, marketing pixels, or social media embeds — then yes, PECR Regulation 6 requires you to inform visitors and get their consent before those cookies are set. The only exception is for cookies that are strictly necessary for a service the user has explicitly requested.
The short answer for most websites is: you almost certainly need a cookie banner. But the detail matters — what kind of banner, when it needs to appear, and what it must do. This guide walks you through a simple decision process and explains exactly what the law requires.
What counts as a cookie under UK law
Before working out whether you need a banner, you need to understand what PECR considers a "cookie." The regulations use technology-neutral language — Regulation 6 covers any technology that stores information on or accesses information from a user's device. This includes:
- HTTP cookies — the traditional text files set by websites, both first-party (from your domain) and third-party (from external services).
- Local storage and session storage — browser-based storage mechanisms used by many web applications and scripts.
- Tracking pixels and web beacons — invisible images or scripts that report back to a server when loaded, commonly used by marketing platforms.
- Browser fingerprinting — techniques that combine device and browser characteristics to identify users without setting traditional cookies.
If any of these technologies are present on your website for non-essential purposes, the consent requirement applies.
The flowchart: do you need a cookie banner?
Work through these questions to determine your obligations:
Does your website set any cookies at all?
If your website genuinely sets zero cookies, local storage entries, or tracking technologies, you do not need a cookie banner. This is rare — most websites set at least some cookies, even if just from the content management system or hosting platform. To check, open your browser's developer tools (F12), navigate to the Application or Storage tab, and look for cookies, local storage, and session storage entries.
Are all cookies strictly necessary?
If every cookie your site sets is strictly necessary for providing a service the user has requested, you need to inform users about those cookies but you do not need to ask for consent. Strictly necessary cookies include authentication sessions, shopping cart functionality, load balancing, and security tokens. In this scenario, a simple informative notice is sufficient. However, this situation is uncommon — most websites include at least one non-essential technology.
Do you use analytics tools?
If you use Google Analytics 4, Hotjar, Microsoft Clarity, or similar analytics platforms, these set non-essential cookies. You need a consent banner that blocks these tools until the user opts in. The only analytics tools that typically do not require consent are cookieless alternatives like Fathom Analytics, Plausible, and Simple Analytics.
Do you use marketing or advertising tools?
If you use Meta Pixel (Facebook Pixel), Google Ads conversion tracking, LinkedIn Insight Tag, TikTok Pixel, or similar marketing tools, all of these set non-essential cookies. You need consent before loading any of them.
Do you embed third-party content?
Embedding YouTube videos, Google Maps, social media feeds, or third-party chat widgets can set cookies from those third-party domains. Check whether each embed sets cookies — if it does, you need consent for it. Consider using privacy-enhanced embed modes (YouTube offers a no-cookie embed URL) or facade patterns that show a static placeholder until the user consents.
What "strictly necessary" actually means
The ICO defines strictly necessary cookies as those that are essential to provide a service the user has explicitly requested. The key word is "requested" — the service must be something the user actively wanted, not something you decided to provide.
Examples of strictly necessary cookies:
- Shopping cart cookies that remember what items a user has added
- Authentication cookies that keep a user logged in during a session
- Security cookies that detect authentication abuse
- Load balancing cookies that distribute traffic across servers
- Cookie consent preference cookies that remember the user's consent choice
Examples of cookies that are NOT strictly necessary:
- Analytics cookies (GA4, Hotjar, etc.) — useful to you, but the user did not request analytics
- Marketing and advertising cookies — serve your commercial interests, not the user's request
- Social media tracking cookies — set by embedded widgets from Facebook, Twitter, etc.
- Personalisation cookies — remembering preferences is convenient but not essential
Common tools that DO require consent
These widely-used tools set non-essential cookies and require consent under PECR:
- Google Analytics 4 (GA4) — sets the _ga, _ga_*, and related cookies for visitor tracking
- Meta Pixel (Facebook Pixel) — sets _fbp and _fbc cookies for advertising attribution
- Google Ads / Google Tag Manager — sets various cookies for conversion tracking and remarketing
- Hotjar — sets _hj* cookies for session recording and heatmaps
- HubSpot — sets __hs* cookies for marketing automation and tracking
- LinkedIn Insight Tag — sets cookies for advertising analytics
- YouTube embeds (standard) — set cookies for viewing preferences and tracking
Common tools that DON'T require consent
These tools operate without setting non-essential cookies:
- Fathom Analytics — cookieless, privacy-focused analytics
- Plausible Analytics — cookieless, open-source analytics
- Simple Analytics — cookieless analytics with no personal data collection
- Cloudflare (basic CDN and security features) — functional cookies classified as strictly necessary
- YouTube (privacy-enhanced mode) — using the youtube-nocookie.com embed domain avoids most tracking cookies
For a detailed comparison of analytics options, see our guide to analytics alternatives.
What a compliant banner looks like
A PECR-compliant cookie banner is not just a notification — it is a functional consent mechanism. It must:
- Appear before non-essential cookies are set. The banner must load before any analytics, marketing, or tracking scripts fire. If cookies are set before the user interacts with the banner, you are already non-compliant.
- Clearly explain what cookies are used and why. Vague language like "this website uses cookies to improve your experience" is not sufficient. Describe the categories of cookies and their purposes.
- Provide a genuine choice. Users must be able to accept all, reject all, or choose specific categories. The reject option must be as easy to access as the accept option — not hidden behind a "manage preferences" link.
- Not use pre-ticked boxes. All non-essential categories must be off by default.
- Actually block cookies. The banner must technically prevent non-essential scripts from loading until consent is given. Many cheap implementations just display a banner without actually blocking anything.
- Allow users to change their mind. Provide a persistent link (often in the footer) for users to revisit and update their cookie preferences at any time.
For tools that handle these requirements, see our comparison of cookie consent tools for UK websites.
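One way to meet the "off by default", "genuine choice" and "actually block cookies" requirements above, as an added example that is not from any particular consent tool. The names `createConsentGate`, `CATEGORIES`, `needsReload` and the `.example` URLs are hypothetical, and the script loader is passed in so the logic can be run outside a browser.

```javascript
// Added example: category-gated script loading; all names are hypothetical.
const CATEGORIES = ["analytics", "marketing", "functional"];
// loadScript is injected; in a browser it would append a <script src=...> element.
function createConsentGate(loadScript, stored = null) {
  // Every non-essential category starts off (no pre-ticked boxes).
  const consent = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  const pending = []; // every registered tag, loaded or not
  const loaded = new Set();
  function flush() {
    for (const tag of pending) {
      if (consent[tag.category] && !loaded.has(tag.src)) {
        loaded.add(tag.src);
        loadScript(tag.src);
      }
    }
  }
  const gate = {
    // Tags are queued here instead of being placed in the page markup.
    register(category, src) {
      if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
      pending.push({ category, src });
      flush();
    },
    // Call only from an explicit user action (button click or toggle).
    setConsent(choices) {
      for (const c of CATEGORIES) consent[c] = choices[c] === true;
      flush();
      return { ...consent }; // persist as the consent-preference cookie
    },
    acceptAll: () => gate.setConsent(Object.fromEntries(CATEGORIES.map((c) => [c, true]))),
    rejectAll: () => gate.setConsent({}),
    // Scripts loaded before withdrawal keep running until the page reloads.
    needsReload: () => pending.some((t) => loaded.has(t.src) && !consent[t.category]),
  };
  if (stored) gate.setConsent(stored); // returning visitor's saved choice
  return gate;
}
// Constructed walk-through with a recording loader and placeholder URLs.
function demo() {
  const fired = [];
  const gate = createConsentGate((src) => fired.push(src));
  gate.register("analytics", "https://analytics.example/tag.js");
  gate.register("marketing", "https://ads.example/pixel.js");
  const beforeChoice = fired.length; // nothing loads before a choice is made
  gate.setConsent({ analytics: true }); // granular: analytics only
  const afterChoice = [...fired];
  gate.rejectAll(); // user changes their mind
  return { beforeChoice, afterChoice, needsReload: gate.needsReload() };
}
```

When `needsReload()` is true after a withdrawal, reload the page and delete the cookies the withdrawn category already set, since a script that has run cannot be unloaded.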
How to check what cookies your site sets
- Open your website in an incognito/private browser window (to start with a clean slate).
- Open browser developer tools (F12 or right-click and select Inspect).
- Go to the Application tab (Chrome) or Storage tab (Firefox) and check Cookies, Local Storage, and Session Storage.
- Note every entry — the name, the domain it belongs to, and its expiry.
- Navigate to several different pages (homepage, contact page, blog post) and check again, as different pages may load different scripts.
- Search online for each cookie name you do not recognise to identify what service set it.
- Classify each cookie as strictly necessary or non-essential.
- Document your findings — this becomes the basis for your cookie policy and consent categories.
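A first pass at the note-and-classify steps above, as an added example rather than part of the original guide. The name patterns come from the tool lists on this page; the function names, the category labels and the sample values are assumptions made for illustration.

```javascript
// Added example: inventory cookie and storage names and pre-classify them.
// Names matching no pattern stay "unknown" and still need a manual lookup.
const KNOWN_PATTERNS = [
  { re: /^_ga(_.+)?$/, service: "Google Analytics 4", category: "analytics" },
  { re: /^_fb[pc]$/, service: "Meta Pixel", category: "marketing" },
  { re: /^_hj/, service: "Hotjar", category: "analytics" },
  { re: /^__hs/, service: "HubSpot", category: "marketing" },
];

// Parse a document.cookie-style string ("a=1; b=2") into cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim().split("=")[0])
    .filter((name) => name.length > 0);
}

function classify(name, source) {
  const hit = KNOWN_PATTERNS.find((p) => p.re.test(name));
  return hit
    ? { name, source, service: hit.service, category: hit.category, needsConsent: true }
    : { name, source, service: null, category: "unknown", needsConsent: null };
}

// cookieString: document.cookie; localKeys/sessionKeys: Object.keys(...) of each store.
function inventory(cookieString, localKeys = [], sessionKeys = []) {
  return [
    ...cookieNames(cookieString).map((n) => classify(n, "cookie")),
    ...localKeys.map((n) => classify(n, "localStorage")),
    ...sessionKeys.map((n) => classify(n, "sessionStorage")),
  ];
}

// Constructed sample input; in a browser console pass document.cookie,
// Object.keys(localStorage) and Object.keys(sessionStorage) instead.
const SAMPLE_COOKIES =
  "_ga=GA1.1.111.222; _ga_ABC123=GS1.1.1; _fbp=fb.1.1.1; sessionid=xyz; _hjSessionUser_1=abc";
const SAMPLE_LOCAL = ["__hstc_mirror", "theme"];

function sampleReport() {
  return inventory(SAMPLE_COOKIES, SAMPLE_LOCAL, []);
}

console.table(sampleReport());
```

`document.cookie` does not expose HttpOnly cookies or cookies scoped to other domains, so confirm the result against the developer tools view, which shows every entry.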
Common mistakes
Cookie walls that block access
A cookie wall prevents users from accessing your website unless they accept all cookies. The ICO considers this problematic because consent must be freely given. If the only option is "accept everything or leave," that is not a genuine choice. Provide a way to use the site with only strictly necessary cookies.
Pre-ticked consent boxes
Loading your cookie banner with all categories pre-selected and requiring users to untick boxes they do not want is not valid consent. The Planet49 ruling established that pre-ticked boxes do not constitute consent. All non-essential categories must be off by default, requiring an affirmative action to enable them.
"By continuing to browse, you agree"
Scrolling, clicking a link, or simply continuing to use a website is not an affirmative act of consent. This approach was common in the early days of cookie regulation but has been explicitly rejected by the ICO and European data protection authorities. You need an active opt-in — a click on an "Accept" button or a toggle switched on by the user.
No granular options
Offering only "Accept All" and "Reject All" without the ability to consent to specific categories (analytics, marketing, functional) does not meet the informed consent standard. Users should be able to accept analytics cookies while rejecting marketing cookies, for example. Provide category-level controls at a minimum.
Banner does not actually block cookies
The most dangerous mistake: your banner looks compliant but does not technically prevent non-essential cookies from loading before consent. Many basic cookie banner plugins simply display a notice without integrating with your actual scripts. Test this by opening developer tools before interacting with your banner — if analytics or marketing cookies appear before you have clicked anything, your implementation is broken.
Frequently asked questions
What if I only use analytics cookies?
You still need consent. Analytics cookies like those set by Google Analytics 4 are classified as non-essential under PECR because they are not strictly necessary for providing a service the user has requested. The ICO's position is clear: analytics cookies require informed consent before they are set. The alternative is to use a cookieless analytics tool like Fathom Analytics or Plausible, which do not set cookies and therefore do not require a consent banner for that specific purpose.
Is Google Analytics exempt from cookie consent requirements?
No. Google Analytics 4 sets cookies on the user's device and is not considered strictly necessary under PECR. You must obtain consent before loading GA4 scripts. Google's own consent mode can help by adjusting GA4's behaviour when consent is not given, but the default implementation still requires a consent mechanism. There is no special exemption for Google Analytics or any other analytics platform that uses cookies.
What about WordPress session cookies?
WordPress sets several cookies depending on your configuration. Session cookies for logged-in administrators are generally considered strictly necessary for providing the admin service. However, if your WordPress site uses plugins that set cookies for analytics, marketing, social sharing, or comments, those cookies are non-essential and require consent. Common offenders include Jetpack (WordPress.com Stats), social sharing plugins, and comment system plugins. Audit your specific WordPress installation to identify all cookies being set.
Can I just use a cookie notice instead of asking for consent?
Only if all your cookies are strictly necessary. If every cookie on your site is essential for providing a service the user has requested (such as authentication or shopping cart functionality), you need to inform users about these cookies but you do not need to ask for consent. A simple notice is sufficient in this case. However, if you use any non-essential cookies — analytics, marketing, social media embeds — you must obtain active consent before those cookies are set. A notice alone is not enough.
What is the minimum I need for a compliant cookie banner?
At minimum, a compliant cookie banner must: clearly explain what cookies you use and why, provide a way to accept or reject non-essential cookies before they are set, not use pre-ticked boxes or assume consent from continued browsing, offer granular options so users can consent to some categories while rejecting others, and provide an easy way to change preferences later. The banner must actually block non-essential cookies until consent is given — it is not enough to just display a notice while cookies load in the background. For tools that handle this correctly, see our comparison of cookie consent tools.