If you run a website that serves UK visitors, the law that tells you when you need consent to set a cookie isn't the UK GDPR. It's the Privacy and Electronic Communications Regulations (PECR) — and it's the regulation the ICO reaches for when it examines your cookie banner.
Since February 2026, PECR has changed in ways that create real daylight between UK and EU cookie law. This guide covers what PECR says, what just changed, and what your CMP needs to handle for UK compliance. For the broader UK GDPR vs EU GDPR comparison, see UK GDPR After Brexit.
How PECR and UK GDPR Work Together for Cookies
The split is cleaner than most people realise. Two laws, two jobs:
- PECR Regulation 6 sets the rule that you must not store information on, or access information from, a user's device unless you meet one of the conditions. For cookies, the main condition is consent. This is why you need a cookie banner in the first place.
- UK GDPR defines what valid consent actually looks like: freely given, specific, informed, and unambiguous, given via a clear affirmative action (UK GDPR Articles 4(11) and 7, carried over from the EU GDPR).
In short: PECR says when consent is needed, and the UK GDPR says what counts as valid consent. If you only think about the UK GDPR, you'll know how consent should be gathered but not which technologies require it. If you only think about PECR, you'll know you need consent for cookies but might set the bar too low for what counts.
This matters for your CMP configuration. A banner that collects consent according to GDPR standards but doesn't actually block cookies from being set until that consent is recorded fails PECR. A banner that blocks cookies correctly but relies on pre-ticked boxes fails the UK GDPR's consent standard. You need both.
PECR's Origins and Post-Brexit Divergence
PECR was originally the UK's transposition of the EU ePrivacy Directive (2002/58/EC). After Brexit it stayed on the statute book as domestic law, but the UK Parliament now controls its future. The EU's cookie rules remain anchored to the original ePrivacy Directive (the proposed ePrivacy Regulation that was meant to replace it has never been adopted), while the UK has already updated PECR through the Data (Use and Access) Act 2025 (DUAA). The two regimes started from the same text, but they're no longer in lockstep.
What Changed: The Data (Use and Access) Act 2025
The UK government's original reform vehicle was the Data Protection and Digital Information Bill, but that died when the 2024 general election was called. Its successor, the Data (Use and Access) Bill, received Royal Assent on 19 June 2025. The PECR-relevant provisions came into force on 5 February 2026. Here's what changed for cookies:
1. New Cookie Exemptions
Before the DUAA, PECR had only narrow exemptions: storage or access needed solely to transmit a communication over a network, and cookies that were "strictly necessary" for a service explicitly requested by the user. Everything else required prior consent. The DUAA added new categories of cookies and similar technologies that are now exempt from the consent requirement, including:
- Statistical/analytics cookies used solely to collect information about how a service or its website is used, for the purpose of improving that service. The data must not be shared with third parties except to help make those improvements, and the user must be given clear information plus a simple, free way to opt out.
- Preference/functionality cookies that remember user settings such as layout choices, language, or accessibility options.
- Security cookies that detect repeated failed logins, fraud patterns, or abuse.
This is the single biggest divergence from EU cookie law. The ePrivacy Directive contains no analytics exemption, so analytics cookies in the EU still require opt-in consent as a rule (a few DPAs, notably the French CNIL, tolerate narrowly scoped first-party audience measurement without consent, but that is regulator practice, not the directive). In the UK, qualifying analytics cookies now need only information and an opt-out mechanism. That's a fundamentally different consent model for measurement.
2. Penalty Alignment
Under the old PECR regime, the maximum fine for a cookie violation was £500,000, a pre-GDPR cap that had never been updated. The DUAA aligns PECR penalties with UK GDPR levels: up to £17.5 million or 4% of global annual turnover, whichever is greater. This removes the argument that PECR cookie violations carry only modest financial risk. They no longer do.
3. Broader Scope: Storage and Access Technologies
The ICO's updated guidance, finalised in April 2026, explicitly covers more than just HTTP cookies. Regulation 6 applies to any technology that stores or accesses information on a user's device. That includes tracking pixels, device fingerprinting, local storage, session storage, and IndexedDB. If your site uses fingerprinting scripts or writes to localStorage for analytics purposes, those technologies are subject to the same PECR rules as cookies.
The Analytics Exemption: What Qualifies and What Doesn't
The statistical-purposes exemption is the change most likely to affect your banner configuration, so it's worth understanding exactly where the boundary sits.
Conditions for the exemption to apply:
- The sole purpose is collecting information about how the service is used in order to improve it.
- The collected data is not shared with any person except someone helping you make those improvements (i.e., your analytics provider acting as a data processor).
- You provide clear and comprehensive information about the purpose.
- You give users a simple, free mechanism to object — and they haven't objected.
What this likely covers: first-party analytics tools where the provider acts strictly as your processor. Self-hosted analytics platforms (like Matomo in self-hosted mode) are the clearest fit.
What this almost certainly does not cover: Google Analytics in its default configuration. Google can use analytics data for its own purposes, such as advertising and product improvement, which means it is not acting solely as someone helping you improve your service. Any tool that enables cross-service enrichment, advertising attribution, or behavioural profiling falls outside the exemption. If your analytics tool doesn't qualify, the old rule applies: opt-in consent, same as before.
ICO Enforcement: How the Regulator Actually Operates
The ICO's enforcement approach on cookies has shifted noticeably. In January 2025, it announced a programme to bring the UK's top 1,000 websites into compliance, having already assessed the top 200 and contacted 134 with specific concerns. By April 2026, 99% of those sites passed the ICO's compliance checks — driven by direct engagement rather than fines.
The ICO favours engagement before penalties: it contacts non-compliant sites, explains the issues, and gives time to fix them. But it's made clear that engagement is a precursor, not a replacement, for enforcement. Sites that ignore the ICO's communications risk formal action, and the penalty increase to £17.5 million provides stronger leverage.
What the ICO checks:
- Whether "reject all" is presented with equal visual prominence to "accept all"
- Whether non-essential cookies are actually blocked before consent
- Whether withdrawing consent is as easy as giving it
- Whether clicking "reject all" truly results in zero non-essential cookies being set
The ICO has signalled it will expand beyond large publishers in 2026 and examine compliance more broadly.
How PECR Differs from the EU ePrivacy Directive in 2026
Because PECR started as the UK's transposition of the ePrivacy Directive, the core consent obligation is the same: you need consent before setting non-essential cookies. The differences are now all in the reforms and enforcement overlay.
PECR (UK) vs ePrivacy Directive (EU) in 2026
| Aspect | UK (PECR + DUAA) | EU (ePrivacy Directive) |
|---|---|---|
| Analytics cookies | Exempt from consent if conditions met (information + opt-out) | Still require prior opt-in consent (no directive-level exemption; a few DPAs tolerate narrow first-party audience measurement) |
| Preference cookies | Exempt from consent | Generally require consent unless strictly necessary |
| Maximum cookie penalty | £17.5m or 4% of turnover (aligned with UK GDPR) | Varies by member state; some still lower |
| Scope of technologies | ICO guidance explicitly covers fingerprinting, localStorage, pixels | Directive text covers all; enforcement varies by DPA |
| Regulatory approach | Single regulator (ICO); engagement-led, centralised | 27+ DPAs with varying approaches and priorities |
| Pending reform | DUAA enacted; ICO guidance finalised April 2026 | Proposed ePrivacy Regulation never adopted; directive remains in force |
What This Means for Your Cookie Banner and CMP
If you serve both UK and EU visitors, these divergences create practical CMP requirements that a one-size-fits-all configuration can't handle.
UK-Specific CMP Features You Need
- Region-aware consent mode. Your CMP needs to detect whether a visitor is in the UK or the EU and apply different rules. For UK visitors, qualifying analytics cookies can run on an opt-out basis. For EU visitors, those same cookies still need opt-in consent. A single global setting gets one of them wrong.
- An opt-out mechanism for analytics (UK). The DUAA exemption isn't a free pass. You still need to inform users and provide a simple way to object. Your banner or a persistent preferences control must include an analytics opt-out that's easy to find and free to use.
- Equal-prominence reject option. The ICO has been explicit: "reject all" must be as visible and accessible as "accept all." A banner that buries the reject option behind a "manage preferences" click is non-compliant. This is stricter in practice than some EU DPAs.
- Genuine script blocking. The ICO checks whether cookies are actually suppressed when a user rejects them, not just whether the banner says it respects the choice. Your CMP must enforce consent at the tag level. See how to block scripts until consent for the implementation layer.
- Coverage beyond HTTP cookies. If your site uses localStorage, sessionStorage, tracking pixels, or fingerprinting for non-essential purposes, your CMP needs to gate those technologies too. The ICO's guidance makes clear these are all in scope under Regulation 6.
How CookieBeam Handles UK Compliance
CookieBeam's regional consent system addresses PECR requirements directly:
- UK GDPR framework preset. A built-in UK GDPR preset applies opt-in consent mode to GB visitors, matched by geolocation. UK visitors see UK-appropriate behaviour; EU visitors on the same site get the EU configuration.
- Per-region consent defaults. Regional rules let you configure analytics storage to default to "granted" for UK visitors while keeping it "denied" for EU visitors, adjustable per region without rebuilding your banner. Use the "granted" default only where your analytics tool actually meets the DUAA exemption conditions; otherwise UK analytics stays opt-in too.
- Tag-level enforcement. The script-blocking engine gates tags based on resolved consent state, ensuring non-essential cookies aren't set before consent. This is exactly what the ICO checks.
- Scanning beyond cookies. CookieBeam's scanner detects cookies, scripts, connections, localStorage, and tracking pixels — the full scope of PECR Regulation 6. Drift detection catches new trackers added after your audit.
Practical Compliance Checklist for UK Sites
If you serve UK visitors, here's what PECR requires you to get right in 2026:
- Audit all storage and access technologies, not just HTTP cookies. Include localStorage, sessionStorage, pixels, and any fingerprinting.
- Block non-essential technologies until consent unless they fall under a DUAA exemption. Don't set them first and remove them later.
- Check whether your analytics tool qualifies for the exemption. Read the data processing agreement. If the vendor uses your data for its own purposes (advertising, model training, cross-service enrichment), the exemption doesn't apply and you still need opt-in consent.
- Provide clear information and a simple opt-out for any analytics running under the exemption. The opt-out must be free and easy to find.
- Present reject and accept with equal prominence. No visual tricks, no extra clicks to refuse.
- Make consent withdrawal as easy as consent. A persistent preferences button or link that lets users change their mind at any time.
- Use region-aware settings if you serve both UK and EU traffic. The rules are diverging; a single configuration will leave you non-compliant somewhere.
- Keep records. You'll need to demonstrate compliance if the ICO contacts you. Consent logs with timestamps, the banner version shown, and the choices recorded are your evidence.
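The region-aware consent model and the checklist above (audit all storage technologies, block until consent, honour the UK analytics opt-out, verify that "reject all" really leaves nothing non-essential behind) can be reduced to a small amount of consent logic. The block below is an added example, not CookieBeam's code or anything from the ICO; the category names, the tag descriptor shape, the region codes, the storage inventory format and all sample data are hypothetical. It resolves a per-category consent state from the visitor's region and recorded action, gates scripts, localStorage writes and pixels against that state, and audits what a headless-browser run observed on the device after "reject all".

```javascript
// Added example (not CookieBeam's code): region-aware consent resolution,
// tag gating across scripts/localStorage/pixels, and a post-"reject all" audit.
// Categories, tag shapes, region codes and sample data are hypothetical.

const CATEGORIES = ["necessary", "preferences", "analytics", "marketing"];

// Consent model per category in a region:
//   "exempt"  - Regulation 6 exemption applies; runs without consent
//   "opt_out" - may run by default but must stop if the user objects
//   "opt_in"  - blocked until the user affirmatively consents
// analyticsExempt must be true ONLY if the analytics tool meets every DUAA
// condition (sole purpose improvement, no onward sharing, clear info, free opt-out).
function policyFor(region, analyticsExempt) {
  if (region === "GB") {
    return {
      necessary: "exempt",
      preferences: "exempt",
      analytics: analyticsExempt ? "opt_out" : "opt_in",
      marketing: "opt_in",
    };
  }
  // Anything else is treated EU-style: every non-essential category is opt-in.
  return { necessary: "exempt", preferences: "opt_in", analytics: "opt_in", marketing: "opt_in" };
}

// action: "none" (no interaction yet), "accept_all", "reject_all" or "custom".
// choices: per-category booleans for "custom".
function resolveConsent({ region, analyticsExempt = false, action = "none", choices = {} }) {
  const policy = policyFor(region, analyticsExempt);
  const state = {};
  for (const cat of CATEGORIES) {
    const mode = policy[cat];
    if (mode === "exempt") state[cat] = true;                 // never gated
    else if (action === "accept_all") state[cat] = true;
    else if (action === "reject_all") state[cat] = false;     // also an objection to opt-out analytics
    else if (action === "custom") state[cat] = cat in choices ? Boolean(choices[cat]) : mode === "opt_out";
    else state[cat] = mode === "opt_out";                      // no interaction: only opt-out categories run
  }
  return state;
}

// A tag is {id, category, kind} with kind "script", "localStorage" or "pixel";
// all three store or access information on the device, so all three are gated.
function gateTags(tags, consent) {
  const allowed = [];
  const blocked = [];
  for (const tag of tags) (consent[tag.category] ? allowed : blocked).push(tag.id);
  return { allowed, blocked };
}

// Audit what was actually observed on the device (cookie names, localStorage keys)
// against an inventory that classifies each item. Unknown items are flagged too:
// an unclassified key after "reject all" is what tracker drift looks like.
function auditStorage(observed, inventory, consent) {
  const findings = [];
  for (const item of observed) {
    const category = inventory[`${item.kind}:${item.name}`];
    if (category === undefined) findings.push({ ...item, problem: "unclassified" });
    else if (!consent[category]) findings.push({ ...item, category, problem: "set without consent" });
  }
  return findings;
}

// Constructed sample data so the block runs stand-alone.
const SAMPLE_TAGS = [
  { id: "session-manager", category: "necessary", kind: "script" },
  { id: "theme-store", category: "preferences", kind: "localStorage" },
  { id: "self-hosted-analytics", category: "analytics", kind: "script" },
  { id: "ads-pixel", category: "marketing", kind: "pixel" },
];
const SAMPLE_INVENTORY = {
  "cookie:session": "necessary",
  "cookie:lang": "preferences",
  "cookie:_pk_id": "analytics",
  "localStorage:fp_hash": "marketing",
};
// Constructed: what a headless-browser run found after clicking "reject all".
const SAMPLE_OBSERVED = [
  { kind: "cookie", name: "session" },
  { kind: "cookie", name: "lang" },
  { kind: "cookie", name: "_pk_id" },
  { kind: "localStorage", name: "fp_hash" },
  { kind: "cookie", name: "_newtracker" },
];

function demo() {
  const gbDefault = resolveConsent({ region: "GB", analyticsExempt: true });
  const euDefault = resolveConsent({ region: "DE", analyticsExempt: true });
  const gbRejected = resolveConsent({ region: "GB", analyticsExempt: true, action: "reject_all" });
  return {
    gbDefault: gateTags(SAMPLE_TAGS, gbDefault),
    euDefault: gateTags(SAMPLE_TAGS, euDefault),
    rejectAudit: auditStorage(SAMPLE_OBSERVED, SAMPLE_INVENTORY, gbRejected),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two design points matter here. First, `analyticsExempt` is a property of the tool, not of the region: the same self-hosted analytics runs opt-out for GB and opt-in for DE, and a tool that fails the exemption conditions is opt-in everywhere. Second, the audit compares observed storage against the resolved consent state rather than against a hard-coded "essential" list, so the same function checks both the "nothing set before consent" and the "reject all leaves nothing behind" conditions the ICO tests; feed it `document.cookie` and `Object.keys(localStorage)` captured after each banner action.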
What's Still Coming
The PECR landscape isn't settled yet. Two areas to watch:
- Regulation 6 review for online advertising. The ICO's April 2026 guidance explicitly noted that its review of Regulation 6 as it applies to online advertising purposes is ongoing, with further updates expected. This could affect how consent applies to advertising cookies and real-time bidding.
- Statutory complaints mechanism. From 19 June 2026, individuals gain a statutory right to lodge complaints directly with data controllers. Organisations must acknowledge within 30 days and respond without undue delay. Users can complain to you directly, not just to the ICO.
Neither of these changes the immediate compliance requirements above, but they signal that PECR enforcement will keep tightening.
The Bottom Line
PECR is the law that makes cookie consent necessary in the UK: it's Regulation 6, not the UK GDPR, that says you can't set a cookie without meeting the conditions. Since February 2026, those conditions have changed: qualifying analytics cookies can run on an opt-out basis, preference and security cookies are exempt, and penalties have jumped to £17.5 million or 4% of global turnover.
For sites that serve both UK and EU visitors, a single-configuration banner no longer works. You need region-aware consent that applies the UK's exemptions to UK traffic while maintaining opt-in for EU traffic. The ICO is actively checking and has the teeth to enforce it. Build for the divergence.
Further Reading
- UK GDPR After Brexit: How It Differs from EU GDPR — the broader UK data protection picture
- ePrivacy Directive and Cookie Law — the EU law PECR was originally based on
- How to Block Scripts Until Cookie Consent — the enforcement layer your banner needs
- Regional Consent: One Banner for Global Sites — running region-aware consent
- GDPR vs CCPA vs PECR: Global Privacy Laws Compared — cross-framework comparison
- ICO Guidance on Storage and Access Technologies — the authoritative source on PECR cookie rules
- ICO Guide to PECR — full PECR guidance from the regulator