
UK ICO Cookie Guidance Just Changed: What Your Website Must Do Now

By Safna May 11, 2026

If you run an online service accessible from the UK, you need to know about the ICO’s updated cookie guidance. The Information Commissioner’s Office (ICO) published significant revisions to its guidance on storage and access technologies in 2026, and these changes affect how you handle cookie consent, device fingerprinting, and analytics tracking. This article explains exactly what changed, what the law actually requires, and what you should do to stay compliant.

  • Consent is still the default: You need user consent to use cookies unless one of the narrow exceptions applies.
  • Strictly necessary is judged from the user’s perspective: Only cookies that are technically essential to deliver what the user is actively requesting qualify.
  • Analytics exemptions: Some limited analytics uses may fall within the statistical purposes exemption.
  • Third-party analytics tools: You may use third-party analytics tools under this exception only if the provider acts purely on your behalf and does not use the data for any other purpose.
  • Functional/UX preference: The appearance exception allows cookies that remember language, dark mode, or screen layout without consent.
  • Easy to object: For analytics and appearance exceptions, you need to provide an easy way to object, like a toggle, in your cookie settings.
  • Advertising cookies: They always require consent. This includes retargeting, ad measurement, frequency capping, and audience profiling.
  • Cross-site and cross-device tracking: They still need consent. No exception covers linking users across different sites or devices.

UK cookie law: Notable changes to the UK ICO guidance

The ICO’s 2026 guidance has been finalized following consultations held in December 2024 and July 2025 on updated cookies guidance and PECR changes under the Data (Use and Access) Act.

The update introduces two new sections, ‘simple means of objecting’ and ‘using the same storage and access technology for multiple purposes’, along with minor clarifications based on stakeholder feedback. The updated guidance mainly clarifies how the UK cookie rules under PECR should be interpreted rather than introducing entirely new obligations.

  1. Businesses can only rely on the strictly necessary exemption when the cookie or tracking technology is genuinely necessary from the user’s perspective, not simply helpful for the organization’s commercial interests.
  2. Affiliate marketing tracking pixels require consent because they track user clicks and conversions for advertising and attribution purposes.
  3. Certain exemptions, such as those for statistical or anonymized analytics purposes, may not apply if the same cookie or technology is used for multiple purposes simultaneously.
  4. Businesses relying on the statistical or appearance exceptions must still give users a clear, free, and easy way to object to cookies or tracking technologies. If a user objects, the organization must stop the storage or access immediately and cannot rely solely on browser settings to assume consent or non-objection.

UK cookie consent guidelines

PECR Regulation 6 is the central legal provision. It says that before storing anything on a user’s device (like cookies) or reading what’s already there, you must:

  1. Tell them clearly why you’re doing it, and
  2. Get their consent first.

The only exceptions apply when your use falls into one of five specific categories that do not require consent, such as cookies that are strictly necessary for the website to function.

Valid consent under PECR

Consent under PECR must meet the UK GDPR Article 4(11) standard. This means it must be freely given, specific, informed, and unambiguous. In practical terms:

  • Pre-ticked boxes do not constitute consent: a cookie banner with pre-ticked optional cookies violates PECR.
  • Consent through continued browsing is not valid: you cannot say “by using this site, you agree to cookies.”
  • A single tick covering analytics, marketing, and personalisation cookies does not count as valid consent.
  • The user must actively do something to indicate agreement, such as clicking an “Accept” button.
  • You must obtain consent before you set cookies, not after.

What a compliant UK cookie banner looks like

The ICO’s 2026 guidance sets out clear expectations for cookie consent mechanisms. A compliant cookie banner needs to present an ‘Accept all’ and a ‘Reject all’ option with equal visual prominence.

  • The reject option must be just as easy to find and use as the accept option.
  • Cookie categories should be listed with clear descriptions of what each one does.
  • Users should be able to withdraw consent just as easily as they gave it, at any time.
  • If someone clicks ‘Reject all’, no non-essential cookies should be set.
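The banner rules above (one-click accept and reject, nothing non-essential set on reject, withdrawal as easy as consent, pre-ticked defaults never counting) and the objection toggle the guidance requires for the statistical and appearance exceptions, as an added JavaScript example. This is not code from this article or from CookieYes: it models the page's tags as a registry with one category each, and BASIS, decide(), activatable() and the sample tag ids are this example's own names. The script-tag wiring at the end uses the common prior-blocking technique of shipping non-essential tags as type="text/plain" so the browser never executes them until a qualifying decision exists.

```javascript
// Added example, not code from this article or from CookieYes: a minimal model
// of consent-gated tag loading under PECR Regulation 6. Every tag that stores
// or reads anything on the device is registered with a category. "necessary"
// always runs; categories that rest on a Schedule A1 exception ("statistical",
// "appearance") run unless the user has objected; everything else stays
// blocked until the user actively opts in. BASIS, decide(), activatable() and
// the sample tag ids are this example's own names.

const BASIS = {
  necessary: "always",        // strictly necessary / communication exceptions
  statistical: "exception",   // aggregate analytics that meet the exception conditions
  appearance: "exception",    // dark mode, language, layout
  analytics: "consent",       // anything that identifies or tracks individuals
  marketing: "consent",       // advertising, retargeting, ad measurement
  personalisation: "consent", // profiling on history or interests
};

// A fresh visitor: banner not answered, nothing granted, no objections.
// Granted flags alone never unlock anything; the record must also carry
// decided === true, so a pre-ticked default cannot pass as consent.
function newConsentRecord() {
  return { decided: false, granted: {}, objected: {}, updatedAt: null };
}

// One click on "Accept all" or "Reject all": both are a single action and
// both leave a timestamped record for the consent log.
function decide(record, choice, now) {
  const granted = {};
  for (const c of Object.keys(BASIS)) {
    if (BASIS[c] === "consent") granted[c] = choice === "accept";
  }
  return { ...record, decided: true, granted, updatedAt: now };
}

// Granular preferences: only categories explicitly set to true are granted.
function savePreferences(record, prefs, now) {
  const granted = {};
  for (const c of Object.keys(BASIS)) {
    if (BASIS[c] === "consent") granted[c] = prefs[c] === true;
  }
  return { ...record, decided: true, granted, updatedAt: now };
}

// Withdrawal must be as easy as giving consent: same effect as "Reject all".
function withdrawConsent(record, now) {
  return decide(record, "reject", now);
}

// The "simple means of objecting" toggle for exception-based categories.
function setObjection(record, category, objects, now) {
  if (BASIS[category] !== "exception") {
    throw new Error(`${category} is not an exception-based category`);
  }
  return { ...record, objected: { ...record.objected, [category]: objects }, updatedAt: now };
}

// May a tag in this category store or read anything on the device right now?
function isAllowed(record, category) {
  const basis = BASIS[category];
  if (basis === undefined) return false;      // unregistered category: block it
  if (basis === "always") return true;
  if (basis === "exception") return record.objected[category] !== true;
  return record.decided === true && record.granted[category] === true;
}

// Given the tags registered on the page, return the ids that may be activated.
function activatable(record, tags) {
  return tags.filter((t) => isAllowed(record, t.category)).map((t) => t.id);
}

// Browser wiring (a no-op under Node). Non-essential tags ship as
// <script type="text/plain" data-category="marketing" data-src="..."> so the
// browser never executes them; after a qualifying decision each one is
// replaced by a real <script>. On "Reject all" nothing here runs for them.
function activateInDocument(record) {
  if (typeof document === "undefined") return 0;
  let activated = 0;
  for (const el of document.querySelectorAll('script[type="text/plain"][data-category]')) {
    if (el.dataset.activated || !isAllowed(record, el.dataset.category)) continue;
    const s = document.createElement("script");
    if (el.dataset.src) s.src = el.dataset.src; else s.textContent = el.textContent;
    el.dataset.activated = "1";
    el.parentNode.insertBefore(s, el.nextSibling);
    activated += 1;
  }
  return activated;
}

// Constructed sample registry of tags on a page (ids are illustrative).
const SAMPLE_TAGS = [
  { id: "session-auth", category: "necessary" },
  { id: "cart", category: "necessary" },
  { id: "aggregate-stats", category: "statistical" },
  { id: "theme-pref", category: "appearance" },
  { id: "session-recorder", category: "analytics" },
  { id: "ad-pixel", category: "marketing" },
  { id: "chat-widget", category: "chat" }, // never registered: stays blocked
];
```

The design choice worth noting is that a category the page never registered is blocked, not allowed: an embedded widget that nobody categorised is exactly the kind of tag that ends up setting cookies before consent, so the default must fail closed. The "statistical" category is only exempt on the assumption that the analytics actually meet the conditions in the guidance (aggregate data, used solely to improve the service); if they do not, register it as "analytics" instead.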

PECR cookie consent exceptions explained

Not all cookies require consent. PECR Schedule A1 sets out exceptions where consent is not required. Understanding these correctly is essential because a lot of websites either misapply them or apply them too broadly.

Communication

This exception applies to storage and access technologies that are strictly necessary to transmit a communication over an electronic communications network.

The exception only applies where the communication cannot happen without the specific technology being used. Common examples include session cookies used for load balancing between servers. It does not apply to technologies used for additional purposes beyond enabling the communication itself.

Strictly necessary

The strictly necessary exception covers storage or access that is essential to provide an internet service requested by the user. If the service could technically function without the cookie, it does not qualify.

Examples that qualify:

  • shopping cart cookies that remember items a user adds before checkout
  • session authentication cookies that keep a user logged in during a banking session
  • load balancing cookies that route traffic to the correct server.

Examples that do not qualify:

  • advertising cookies
  • analytics cookies used to understand your audience
  • personalisation cookies that remember a user’s preferences from a previous visit (unless tied to an authenticated session they actively requested).

Analytics (statistical purposes)

This is one of the most frequently misunderstood exceptions, and the 2026 ICO guidance tightened the conditions significantly.

The statistical purposes exception allows you to collect aggregate data about how visitors use your service, for the purpose of improving that service, without obtaining consent.

Use of analytics/storage tech | Exempted or consent required?
Aggregate website analytics: visits, page views, user journeys, scroll depth, device/browser/OS, referrer URLs, A/B testing, coarse geolocation, load speeds, bounce/exit pages | Exempted
Tracking or monitoring individual users: session recordings/logs, ad views/clicks, linking visitor IDs to conversions, profiling by IP/pages visited, cross-site/app tracking | Consent required
Online advertising or ad-measurement purposes | Consent required

The exception comes with strict conditions.

  • The data collected must be aggregated and must not be used to identify individual users.
  • The analytics must be used solely to improve your service, not to serve advertising, profile users, or share with third parties for their own purposes.
  • You must give users clear information about the analytics use and a simple, free way to object.
  • If a user objects, you must stop.

Can you use a third-party analytics tool?

Yes. You can use a third-party analytics provider under the statistical purposes exception, provided the provider acts only on your behalf and uses the data solely to help improve your website or service. Do not share analytics data for other purposes, such as advertising or profiling. You must also inform users about the third-party provider and explain how their information is used.

Standard Google Analytics, in its default configuration, may not meet this exception. This is because Google can use the data it collects on your behalf for its own purposes, which goes beyond what the exception permits. In that case, you can use Google Consent Mode with a CMP such as CookieYes to help manage user consent preferences and control when analytics tags are activated.

Consent is still required if the analytics data is used for advertising or cross-site tracking purposes.

Appearance

This exception allows you to adapt how your service looks or functions based on the user’s own device preferences, without consent. Qualifying examples include detecting whether a user’s operating system has dark mode enabled and displaying your site in dark mode accordingly, remembering which language a user selected on a multilingual website, and adjusting your layout to suit a mobile screen size.

This exception does not cover personalising content based on a user’s browsing history, interests, or demographic profile. Like the statistical purposes exception, you must offer users a simple and free way to object, and you must stop if they do.

Make UK cookie law compliance easier with CookieYes

Keeping up with the ICO’s 2026 PECR guidance can quickly become complex, especially when your website uses multiple analytics, advertising, and third-party tracking technologies. A Consent Management Platform (CMP) like CookieYes helps businesses simplify compliance by automating cookie scanning, prior consent blocking, consent logging, and user preference management.

Instead of manually configuring cookie banners and tracking scripts, businesses can use CookieYes to create a consent experience aligned with PECR and UK GDPR requirements.

With CookieYes, you can:

  • Automatically block non-essential cookies before consent is obtained
  • Display compliant “Accept all” and “Reject all” options with equal prominence
  • Give users granular control through a customizable preference centre
  • Maintain audit-ready consent logs and records
  • Re-scan websites and update consent settings when cookies change
  • Allow users to withdraw or modify consent anytime
  • Manage analytics and marketing cookies without relying on risky implied consent mechanisms

For businesses handling UK website traffic, using a properly configured CMP is one of the most practical ways to reduce PECR compliance risks while improving transparency and user trust.

PECR enforcement: What penalties apply?

The ICO can currently issue monetary penalty notices of up to GBP 500,000 for serious PECR breaches. The UK government’s Data (Use and Access) Act and related legislative proposals aim to increase this significantly, potentially aligning PECR fines with UK GDPR fines of up to GBP 17.5 million or 4% of global annual turnover, whichever is higher.

Beyond fines, the ICO can issue enforcement notices requiring you to change your practices, and can handle complaints from users. Individuals can also bring civil claims for damages caused by PECR breaches.

Does UK cookie law apply to small businesses and SMEs?

Yes. PECR applies to all organisations, regardless of size, that operate websites or apps accessible to people in the UK and that use cookies or similar technologies.

There is no small business exemption. That said, the ICO’s approach to enforcement tends to focus first on the largest and highest-traffic websites, particularly those whose practices affect the most people. But this does not mean smaller businesses are free to ignore the rules. The ICO does investigate complaints from individuals, and a complaint about a small business’s cookie practices can lead to an enforcement action.

Checklist: UK ICO PECR guidelines

PECR cookie compliance requires ongoing attention as your website changes, as new cookies are added by third-party services, and as the ICO updates its guidance. Here is a practical list of steps to take right now.

  • Audit all cookies and tracking technologies on your site.
  • Categorise each cookie or tracking technology as either strictly necessary (or falling within another PECR exception) or requiring consent.
  • Review your current consent banner. Check whether ‘Accept all’ and ‘Reject all’ are presented with equal prominence.
  • Test whether non-essential cookies are actually blocked before consent is given.
  • Confirm user preferences are recorded and respected.
  • Update your cookie policy to accurately describe every category of cookie you use, why you use it, and who has access to the data it generates.
  • Set up a process for logging and storing consent records.
  • Check whether you use any embedded third-party content such as YouTube videos, social media plugins, or live chat widgets, and review whether these set cookies without consent.
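The first, second and fourth checklist steps (audit, categorise, test that nothing non-essential is set before consent) together, as an added JavaScript example that is not code from this article or from CookieYes. It takes the Set-Cookie header values captured from every response while loading the site as a fresh visitor who has not clicked anything, checks each cookie name against the inventory your audit produced, and reports everything that needed consent, was written by a third-party domain, or is not in the inventory at all. INVENTORY, EXEMPT_CATEGORIES and the function names are this example's own, and the sample headers and cookie values are constructed.

```javascript
// Added example, not code from this article or from CookieYes: an audit of
// what was stored on the device before any consent click. Input is the list
// of Set-Cookie header values captured (from every response, first- and
// third-party) while loading the site as a fresh visitor, plus a cookie
// inventory mapping names to the category your audit assigned. Output is
// every cookie that required consent, came from a third party, or is not yet
// categorised. INVENTORY, EXEMPT_CATEGORIES and the function names are this
// example's own; the cookie values below are constructed sample data.

// Constructed inventory from a cookie audit: name pattern -> category.
const INVENTORY = [
  { pattern: /^sessionid$/i, category: "necessary", purpose: "login session" },
  { pattern: /^cart$/i, category: "necessary", purpose: "shopping basket" },
  { pattern: /^lang$/i, category: "appearance", purpose: "chosen language" },
  { pattern: /^_ga/, category: "analytics", purpose: "site analytics (identifies visitors)" },
  { pattern: /^_fbp$/, category: "marketing", purpose: "advertising pixel" },
];

// Categories that may be set before consent, subject to the conditions in
// PECR Schedule A1 ("statistical" only for aggregate data with a way to object).
const EXEMPT_CATEGORIES = new Set(["necessary", "communication", "statistical", "appearance"]);

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq).trim();
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attributes = {};
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Look the cookie name up in the inventory; anything unknown needs auditing.
function classify(name) {
  const entry = INVENTORY.find((e) => e.pattern.test(name));
  return entry ? entry.category : "uncategorised";
}

// siteDomain is your own registrable domain. A Domain attribute outside it
// means a third party wrote to the device through your page.
function auditPreConsent(setCookieHeaders, siteDomain) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const { name, attributes } = parseSetCookie(header);
    const category = classify(name);
    const domain = String(attributes.domain || siteDomain).replace(/^\./, "");
    const thirdParty = domain !== siteDomain && !domain.endsWith("." + siteDomain);
    let verdict;
    if (category === "uncategorised") verdict = "review";          // not in inventory
    else if (EXEMPT_CATEGORIES.has(category)) verdict = "ok";      // exception applies
    else verdict = "consent-required";                             // set without consent
    findings.push({ name, category, thirdParty, verdict });
  }
  const problems = findings.filter((f) => f.verdict !== "ok");
  return { compliant: problems.length === 0, findings, problems };
}

// Constructed capture: headers seen on first load, before any click.
const SAMPLE_HEADERS = [
  "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "lang=en-GB; Path=/; Max-Age=31536000",
  "_ga=GA1.1.111.222; Domain=.example.com; Path=/; Max-Age=63072000",
  "_fbp=fb.1.123.456; Domain=.example.com; Path=/",
  "chat_widget_id=xyz; Domain=chat.vendor-example.net; Path=/",
];
```

Run it once against a capture taken before any click and once after clicking ‘Reject all’; the two captures should contain the same set of names, and both should come back compliant. A "review" verdict is not a pass: it is a cookie the inventory does not yet explain, which is where embedded third-party content usually shows up.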

FAQs: UK cookie consent

What are storage and access technologies under PECR?

Storage and access technologies is the umbrella term PECR uses to cover anything that stores information on a user’s terminal equipment (such as their browser, phone, or laptop) or accesses information that is already stored there. This includes HTTP cookies, local storage, session storage, IndexedDB, device fingerprinting, pixel tracking, and similar mechanisms.

Is cookie consent required in the UK?

Yes. In the UK, cookie consent is generally required for any non-essential cookies or similar tracking technologies. This requirement comes primarily from the Privacy and Electronic Communications Regulations (PECR), which work alongside the UK GDPR.

What are the PECR rules on cookies?

PECR Regulation 6 prohibits storing or accessing information on a user’s device unless you have given them clear and comprehensive information about your purposes and obtained their consent. There are five exceptions: strictly necessary, communication, statistical purposes, appearance, and emergency assistance. For everything outside these exceptions, prior informed consent is required.

What is PECR and how does it relate to UK GDPR?

PECR (Privacy and Electronic Communications Regulations 2003) is the UK law that specifically regulates electronic communications, including the use of cookies, device fingerprinting, and similar tracking technologies on websites and apps accessible from the United Kingdom. UK GDPR, in contrast, is the broader data protection law that governs how organizations collect, use, store, and share personal data.

The two laws work together. PECR applies first at the point where a website stores or accesses information on a user’s device. This means businesses usually need consent under PECR before placing non-essential cookies. Once personal data is collected through those technologies, UK GDPR then governs how that data is processed and protected.

What is the cookie law in the UK?

The main cookie law in the UK is the Privacy and Electronic Communications Regulations (PECR), specifically Regulation 6. PECR works alongside the UK GDPR.

Safna

CIPP/E from the International Association of Privacy Professionals (IAPP) | Data privacy writer at CookieYes.
