Cookie Policy Template UK
A UK cookie policy is governed by two overlapping rules: Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR) and UK GDPR. PECR controls the act of placing a cookie on a UK visitor's device; UK GDPR controls the personal data the cookie processes. We've helped UK SMEs build compliant consent banners and cookie policies that survive ICO scrutiny — in our experience the most common failure is treating the banner alone as the policy, with no underlying documentation.
Available in the UK & EU GDPR and Privacy Essentials packs
12 policies · £400 one-off
Lifetime access · bespoke to your business · ICO-aligned
What is a UK cookie policy?
Quick answer. A UK cookie policy is the document that explains what cookies and similar tracking technologies your website uses, what each does, what categories they fall into, the legal basis for using them, and how visitors can manage consent. It sits alongside the consent banner (the runtime mechanism) and the privacy policy (the UK GDPR transparency notice). Required by PECR Regulation 6 and the ICO's 2023 online tracking update.
The cookie policy is the static reference document; the cookie banner is the live runtime that captures consent before non-essential cookies are placed. Both are required, and they have to be consistent. A common failure pattern is updating the consent management platform (CMP) without updating the cookie policy, leaving the policy listing cookies the site no longer uses or omitting newly-added trackers. The ICO's enforcement focus since 2023 has been precisely this kind of drift.
The legal architecture is unusual because two regimes apply at once. PECR governs the storage event itself (the act of placing the cookie) and requires consent before any non-essential cookie is stored. UK GDPR governs the personal data the cookie processes once it's there. The two regimes have different consent definitions, different enforcement powers, and different reasonable expectations — which is why a cookie policy needs to explicitly cite both.
Who needs a UK cookie policy?
Quick answer. Effectively every website serving UK visitors. PECR applies to anyone storing or accessing information on a user's terminal equipment in the UK, regardless of the operator's location. So a US SaaS with UK customers needs UK cookie compliance just as much as a UK-based company. It is particularly critical for e-commerce sites, ad-supported publishers, B2B SaaS using analytics and marketing-attribution tools, and any site running A/B testing, heatmaps, or session replay (Hotjar, FullStory, Microsoft Clarity).
The threshold is set by what cookies do, not by company size. If your site sets a single non-essential cookie — a Google Analytics ID, a LinkedIn Insight Tag, a Hotjar session-replay marker, an X conversion pixel — PECR consent rules apply from the first visit. Strictly necessary cookies (session ID for an authenticated app, shopping-cart state, CSRF tokens) are exempt and need no banner consent, but should still be documented in the cookie policy for transparency.
What must a UK cookie policy include?
Quick answer. Eight elements: (1) what cookies are, (2) the cookie inventory table (name × purpose × duration × first/third party × category), (3) consent categories with toggles (strictly necessary, functional, analytics, advertising), (4) legal basis citing PECR Regulation 6, (5) how to withdraw consent, (6) third-party cookies and the supplier's privacy notice link, (7) the relationship with the broader UK GDPR privacy policy, and (8) review cadence with named owner.
- What cookies are — a plain-English explanation of cookies, similar storage technologies (localStorage, sessionStorage, IndexedDB), tracking pixels, fingerprinting techniques, and SDK behaviour. Most policies stop at “cookies”; the ICO expects coverage of all storage mechanisms.
- Cookie inventory — the operational table, by cookie name. Columns: name, what it does, duration, first-party or third-party, category, and the supplier where third-party. Auditors and the ICO will sample-check the table against what the site actually sets via dev tools.
- Consent categories — the granular split that maps to the consent manager: strictly necessary (no consent needed), functional, analytics/performance, advertising/targeting. The ICO expects granular consent at this level, not a single “accept all/reject all” toggle.
- Legal basis — explicit citation of PECR Regulation 6 for the storage and the UK GDPR Article 6(1) basis for the personal data processed via the cookies (typically consent for non-essential, legitimate interests for fraud-prevention cookies, and contract for cart/login).
- How to withdraw consent — a clear instruction, with a link to the consent manager that lets visitors change their preferences. Withdrawal must be as easy as giving consent in the first place.
- Third-party cookies — named third-party suppliers (Google Analytics, LinkedIn Insight Tag, Meta Pixel, Hotjar, etc.) with links to each supplier's privacy notice. The ICO's 2023 update made third-party transparency the most-cited gap in reprimands.
- Relationship to the privacy policy — cross-reference to the broader UK GDPR privacy notice, with the demarcation explicit (cookie policy = PECR + storage; privacy policy = UK GDPR + processing).
- Review cadence — named owner (typically the DPO or head of marketing operations), the quarterly review trigger (any new tag added, any consent manager configuration change, any ICO guidance update), and the dated version stamp visible on the live page.
What are common cookie policy pitfalls?
Quick answer. Five recurring failures the ICO has reprimanded since 2023: (1) implied consent or pre-ticked boxes — both fail Regulation 6's “clear affirmative action” standard; (2) a missing or under-prominent “reject all” option, with consent decline harder than acceptance; (3) the cookie inventory drifting out of date as new tags are added without policy updates; (4) cookie walls that gate core content behind consent — restricted further by the EDPB's January 2025 guidelines; (5) silently re-categorising advertising cookies as “functional” to bypass consent. Avoid all five.
The ICO recorded over 12,000 personal-data breach notifications in 2023–24, with cookie-related transparency complaints a routine contributor. The fix in every case is the same: an honest cookie inventory, granular consent, equal prominence for accept and reject, and a quarterly review cadence that keeps documentation in lockstep with the runtime.
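The drift described above (the inventory table falling out of step with what the site actually sets, and non-essential cookies landing before consent) is mechanically checkable. The script below is an added example, not the page's or any vendor's code: it takes a declared inventory in the shape of the policy table (name, category, first/third party, duration) and a set of captured Set-Cookie headers tagged as pre- or post-consent, and reports undeclared cookies, stale rows, party or duration mismatches, and non-essential cookies stored before consent. The site domain, inventory rows, capture timestamp and headers are all constructed for illustration; the seven-day duration tolerance is an assumed threshold.

```python
"""Drift check between a declared cookie inventory and cookies a site sets.

Added example (not the page's or any vendor's code). The inventory, host names
and Set-Cookie headers below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SITE_DOMAIN = "example.co.uk"            # constructed registrable domain of the site
SITE_HOST = "www." + SITE_DOMAIN         # host that set cookies lacking a Domain attribute
CAPTURED_AT = datetime(2025, 3, 1, tzinfo=timezone.utc)  # when the constructed capture was taken
DURATION_TOLERANCE_DAYS = 7              # assumed slack between policy wording and runtime

# The policy's inventory table, keyed by cookie name (constructed rows).
# max_days 0 means a session cookie.
DECLARED = {
    "session_id":     {"category": "strictly_necessary", "party": "first", "max_days": 0},
    "csrf_token":     {"category": "strictly_necessary", "party": "first", "max_days": 0},
    "_ga":            {"category": "analytics", "party": "first", "max_days": 730, "supplier": "Google"},
    "_hjSessionUser": {"category": "analytics", "party": "first", "max_days": 365, "supplier": "Hotjar"},
    "promo_seen":     {"category": "functional", "party": "first", "max_days": 30},  # tag removed, row not
}

# Constructed Set-Cookie headers from two crawls: before and after clicking "accept all".
CAPTURE = [
    ("pre_consent",  "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("pre_consent",  "csrf_token=xyz; Path=/; Secure; SameSite=Strict"),
    ("pre_consent",  "_ga=GA1.2.1; Domain=.example.co.uk; Max-Age=63072000; Path=/"),
    ("post_consent", "_hjSessionUser=1; Domain=.example.co.uk; Expires=Sun, 01 Mar 2026 00:00:00 GMT; Path=/"),
    ("post_consent", "li_fat_id=9; Domain=.linkedin.com; Max-Age=2592000; Path=/"),
]


@dataclass
class Observed:
    name: str
    domain: str
    max_days: int   # 0 = session cookie
    phase: str      # "pre_consent" or "post_consent"


def parse_set_cookie(header: str, phase: str) -> Observed:
    """Parse a Set-Cookie header into the fields the inventory table records."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.lower()] = value
    domain = attrs.get("domain", SITE_HOST).lstrip(".").lower()
    if "max-age" in attrs:                      # Max-Age takes precedence over Expires
        days = int(attrs["max-age"]) // 86400
    elif "expires" in attrs:
        days = (parsedate_to_datetime(attrs["expires"]) - CAPTURED_AT).days
    else:
        days = 0                                # neither attribute: session cookie
    return Observed(name, domain, days, phase)


def party_of(domain: str) -> str:
    """First party if the cookie domain is the site's registrable domain or a subdomain of it."""
    return "first" if domain == SITE_DOMAIN or domain.endswith("." + SITE_DOMAIN) else "third"


def audit(declared: dict, capture: list) -> list:
    """Return (kind, cookie_name, detail) findings describing policy/runtime drift."""
    findings = []
    observed = [parse_set_cookie(header, phase) for phase, header in capture]
    for o in observed:
        row = declared.get(o.name)
        if row is None:
            findings.append(("UNDECLARED", o.name, f"set by {o.domain}, missing from the inventory"))
            continue
        if party_of(o.domain) != row["party"]:
            findings.append(("PARTY", o.name, f"policy says {row['party']}, observed {party_of(o.domain)}"))
        if abs(o.max_days - row["max_days"]) > DURATION_TOLERANCE_DAYS:
            findings.append(("DURATION", o.name, f"policy says {row['max_days']} days, observed {o.max_days}"))
        if o.phase == "pre_consent" and row["category"] != "strictly_necessary":
            findings.append(("PRE_CONSENT", o.name, f"{row['category']} cookie stored before consent"))
    seen = {o.name for o in observed}
    for name in declared:
        if name not in seen:
            findings.append(("STALE", name, "listed in the policy but never set by the site"))
    return findings


if __name__ == "__main__":
    for kind, name, detail in audit(DECLARED, CAPTURE):
        print(f"{kind:12} {name:16} {detail}")
```

On the constructed data this reports three findings: `_ga` (analytics) stored before consent, `li_fat_id` set by linkedin.com with no inventory row, and `promo_seen` listed but never observed. Running it as part of the quarterly review, with headers captured from a clean browser profile before and after accepting the banner, turns the "sample-check against dev tools" into a repeatable test.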
Frequently asked questions
Is a cookie banner legally required in the UK?
Yes for any website setting non-essential cookies on UK visitors' devices. Regulation 6 of PECR 2003 requires clear and comprehensive information about cookies plus the user's consent before non-essential cookies are stored. Strictly necessary cookies (cart, security) are exempt.
What's the difference between PECR and UK GDPR for cookies?
PECR governs the act of placing a cookie; UK GDPR governs the personal data processed via the cookie. You need a PECR-compliant consent mechanism before placing the cookie, and a UK GDPR Article 13 transparency notice about the personal data. They work together but the legal bases are separate.
Can I rely on a cookie wall?
The ICO's 2023 position is that cookie walls are problematic under PECR if consent isn't truly free. The EDPB's January 2025 guidelines further restricted this. Provide a clear “reject all” of equal prominence to “accept all”, and don't gate core content behind cookie consent.
Just need this one policy?
Buy the UK Cookie Policy template on its own — bespoke to your business, statute-cited, audit-ready. Lifetime access, no subscription.
£49.99
Get this single policy →
Get an ICO-aligned cookie policy in 48 hours
Available in the UK & EU GDPR framework pack — bespoke policies for £400, lifetime ownership.
Get Started — £400