Cookies are everywhere online — but what exactly is a Cookie Policy, do you legally need one, and what happens if your website doesn't have one? This guide covers everything UK small business owners need to know.
What are cookies?
Cookies are small text files that websites store on a visitor's device. They're used for everything from keeping users logged in, to tracking which pages they visit, to serving targeted advertising.
There are four main categories of cookies:
- Strictly necessary cookies — essential for the website to work (e.g. session cookies that keep you logged in)
- Functional cookies — remember your preferences (e.g. language settings)
- Analytics cookies — track how visitors use your site (e.g. Google Analytics)
- Marketing cookies — track visitors across sites to show relevant ads (e.g. Meta Pixel)
What is a Cookie Policy?
A Cookie Policy is a legal document that tells your website visitors:
- What cookies your website uses
- What each cookie does and why it's used
- Which third parties set cookies on your site
- How long each cookie lasts
- How visitors can control or opt out of cookies
Do I legally need a Cookie Policy?
Yes — if your website uses any cookies beyond strictly necessary ones, you are legally required to have a Cookie Policy under two pieces of UK law:
- UK PECR (Privacy and Electronic Communications Regulations) — requires you to get consent before setting non-essential cookies
- UK GDPR — requires transparency about how you process personal data, which includes cookie data
✅ If your site uses Google Analytics, Facebook Pixel, HotJar, LinkedIn Insight Tag, or any advertising cookies — you need a Cookie Policy and a cookie consent banner.
What about strictly necessary cookies?
Strictly necessary cookies — like session cookies that keep users logged in — don't require consent under UK PECR. However, you still need to disclose them in your Cookie Policy. You just don't need to ask permission before setting them.
You must tell users about ALL cookies you use, even the strictly necessary ones. The consent requirement only applies to non-essential cookies.
What must a UK Cookie Policy include?
A compliant Cookie Policy should cover:
- A clear explanation of what cookies are
- A list of cookies your site uses, categorised by type
- The name of each cookie, its purpose, and how long it lasts
- Which third-party companies set cookies on your site (e.g. Google, Meta)
- How users can manage or withdraw cookie consent
- Links to browser settings for controlling cookies
- How to opt out of interest-based advertising
Cookie Policy vs Privacy Policy — what's the difference?
These are two separate documents, though they're related:
- Your Privacy Policy covers all personal data you collect — names, emails, payment data, and more
- Your Cookie Policy specifically covers cookies and tracking technologies on your website
Many UK websites have both documents, with the Cookie Policy either as a separate page or as a dedicated section within the Privacy Policy. Having them separate makes them easier for users to find and understand.
Do I need a cookie consent banner?
Yes, if you use non-essential cookies. Under UK PECR, you must get informed consent before setting analytics or marketing cookies. This means:
- The consent banner must appear before cookies are set
- Users must be able to accept or reject non-essential cookies
- Pre-ticked boxes do not count as valid consent
- Refusing cookies must be as easy as accepting them
⚠ Common mistake: Having a cookie banner that says "By continuing to use this site you agree to cookies" does NOT constitute valid consent under UK PECR. Users must actively opt in to non-essential cookies.
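The consent rules above, expressed as a small gating module a developer could build a banner around. This is an added illustration, not code from the original guide; the cookie names, categories and expiry periods are constructed sample data. Non-essential cookies are allowed only after an explicit banner action, nothing is pre-ticked, and "reject all" is a single action just like "accept all".

```javascript
// Added example, not part of the original guide: a small consent gate that
// applies the PECR rules above. Pure logic, runnable in Node without a browser.

// Cookie inventory as a Cookie Policy would list it (constructed sample data).
const COOKIE_INVENTORY = [
  { name: "sessionid", category: "necessary",  purpose: "keeps the user logged in",      expiry: "session",  setBy: "first party" },
  { name: "lang",      category: "functional", purpose: "remembers language preference", expiry: "1 year",   setBy: "first party" },
  { name: "_ga",       category: "analytics",  purpose: "Google Analytics visitor id",   expiry: "2 years",  setBy: "Google" },
  { name: "_fbp",      category: "marketing",  purpose: "Meta Pixel ad tracking",        expiry: "3 months", setBy: "Meta" },
];

// Only strictly necessary cookies are exempt from consent; everything else is opt-in.
const NON_ESSENTIAL = ["functional", "analytics", "marketing"];

// Build the consent record the banner stores. Every category starts unticked;
// "acceptAll" and "rejectAll" are each a single action, so refusing is as easy as accepting.
function recordChoice(action, ticked = {}) {
  const choices = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
  if (action === "acceptAll") NON_ESSENTIAL.forEach((c) => { choices[c] = true; });
  if (action === "custom") NON_ESSENTIAL.forEach((c) => { choices[c] = ticked[c] === true; });
  // "rejectAll" leaves every non-essential category false
  return { explicit: true, timestamp: new Date().toISOString(), choices };
}

// A record counts as consent only if it came from an explicit banner action.
// Implied consent ("by continuing you agree") and defaults are rejected here.
function isValidConsent(record) {
  return Boolean(record) && record.explicit === true &&
    typeof record.timestamp === "string" &&
    typeof record.choices === "object" && record.choices !== null;
}

// Categories whose cookies may be set right now, given the stored record (or none).
function allowedCategories(record) {
  const allowed = new Set(["necessary"]);
  if (!isValidConsent(record)) return allowed;
  for (const cat of NON_ESSENTIAL) if (record.choices[cat] === true) allowed.add(cat);
  return allowed;
}

// Names of the cookies (and hence the scripts that set them) the page may load now.
function cookiesAllowed(record) {
  const allowed = allowedCategories(record);
  return COOKIE_INVENTORY.filter((c) => allowed.has(c.category)).map((c) => c.name);
}

// Before any consent exists, only the session cookie may be set.
console.log(cookiesAllowed(null)); // ["sessionid"]
```

Wire `cookiesAllowed` to the script loader so that a tag such as Google Analytics or the Meta Pixel is injected only when its cookie appears in the returned list, and re-run it whenever the user changes their choice.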
What are the penalties for non-compliance?
The ICO can issue fines of up to £500,000 under UK PECR for serious cookie consent violations, and up to £17.5 million under UK GDPR. In practice, the ICO tends to issue warnings and improvement notices to small businesses first.
Summary
If your UK website uses Google Analytics, any advertising tools, or any cookies beyond those strictly necessary for the site to function — you need a Cookie Policy and a cookie consent mechanism. The Cookie Policy must clearly explain what cookies you use, why, and how users can control them.