
Cookies · 28 Jan 2025 · 6 min read

How to Set Up a Legally Compliant Cookie Banner

Cookie banners are not optional. Under UK and EU law, any website that sets non-essential cookies — analytics, advertising, personalisation — must obtain freely given, specific, informed, and unambiguous consent before those cookies fire. Getting this wrong is one of the most common GDPR violations the ICO investigates.

The ICO fined a UK company £200,000 for placing analytics cookies before obtaining consent. Cookie compliance is actively enforced — not a theoretical risk.

What the Law Actually Requires

Cookie consent in the UK is governed by the Privacy and Electronic Communications Regulations 2003 (PECR), read alongside UK GDPR. The key rules are:

  • Non-essential cookies must not fire before the user actively accepts them.
  • The user must be able to refuse consent as easily as they can accept it — a reject button must be equally prominent.
  • Pre-ticked boxes, consent walls, and "continued browsing implies consent" are all unlawful.
  • You must clearly explain what each category of cookie does before the user chooses.
  • Consent must be recorded with a timestamp and the version of your banner that was shown.
  • Users must be able to withdraw consent at any time — a cookie settings link in your footer is required.

Essential vs Non-Essential Cookies

Not all cookies need consent. Strictly necessary cookies are exempt — but the exemption is narrower than most businesses assume.

Strictly Necessary (No Consent Required)

  • Session cookies that keep users logged in
  • Shopping basket or checkout cookies
  • Security and fraud-prevention cookies (e.g. CSRF tokens)
  • Load-balancing cookies that keep a user on the same server
  • User-interface customisation cookies that the user explicitly requested (e.g. language preference set by the user)

Non-Essential (Consent Required)

  • Analytics cookies (Google Analytics, Hotjar, Mixpanel)
  • Advertising and retargeting cookies (Meta Pixel, Google Ads)
  • Social media tracking pixels
  • Personalisation cookies that profile users
  • Third-party live chat cookies
  • A/B testing tools that track individual users

Google Analytics requires consent. Even if you use IP anonymisation, GA sets cookies that identify returning users across sessions — this is non-essential processing under PECR.

What a Compliant Banner Must Contain

A legally compliant cookie banner must include all of the following:

  • A clear, plain-English explanation of what cookies you use and why
  • Separate categories (e.g. Necessary, Analytics, Marketing) with toggle controls
  • An "Accept All" and a "Reject All" button at the same level of prominence
  • A "Manage Preferences" or "Customise" option
  • A link to your full Cookie Policy
  • No pre-ticked boxes for non-essential categories

Common Mistakes That Lead to ICO Enforcement

1. Hiding the Reject Button

Placing "Accept All" as a prominent green button and "Reject" as a small grey link in a corner is a dark pattern. The ICO has explicitly stated both options must be equally easy to use.

2. Firing Cookies Before Consent

Your analytics and marketing tools must be blocked until the user clicks Accept. This requires a consent management platform (CMP) that actually gates the scripts, not one that merely displays a banner while the tags load underneath it.

3. Not Recording Consent

If the ICO investigates, you must be able to demonstrate that a specific user gave consent on a specific date, saw a specific version of your banner, and consented to specific categories. Audit logs are required.

4. Relying on Legitimate Interests Instead of Consent

Some businesses set analytics cookies under "legitimate interests" to avoid needing consent. This is unlawful under PECR: cookie consent is required regardless of your lawful basis under GDPR.

Setting Up Your Cookie Banner: A Practical Checklist

  • Audit all cookies your site sets — use browser DevTools or a scanning tool
  • Categorise each cookie: strictly necessary, analytics, or marketing
  • Choose a CMP (Consent Management Platform) — Cookiebot, OneTrust, or CookieYes are common
  • Configure the CMP to block all non-essential cookies until consent is given
  • Ensure Accept All and Reject All buttons are visually equivalent
  • Test on mobile — many banners are compliant on desktop but not on smaller screens
  • Store consent records with timestamps
  • Link to a full Cookie Policy that lists every cookie, its purpose, and retention period
  • Add a "Cookie Settings" link to your footer so users can change their preferences
  • Re-collect consent when you add new cookies or change cookie purposes

What Happens If You Get It Wrong

The ICO can issue fines up to £17.5 million or 4% of global annual turnover under UK GDPR, and separate fines under PECR. While most enforcement to date has targeted large companies, the ICO has made clear that cookie compliance is a priority for all organisations.

The ICO's cookie sweep programme actively checks websites for compliance. Any UK business with a website that sets analytics or advertising cookies is within scope.

Check your cookie compliance right now

AlgoGrass scans your website for cookie consent issues and tells you exactly what to fix — free, no account needed.
