
Cookie consent in 2023: what's actually required in the UK

The ICO has been clearer than ever about cookie consent requirements. Most UK websites still get it wrong. Here's what the rules actually say.

I audit a lot of websites, and cookie consent is one of those areas where almost everyone thinks they're compliant and almost nobody is. The rules haven't changed dramatically, but the ICO's enforcement and guidance have become more specific, and the gap between what most sites do and what they're supposed to do is wider than you'd think. Is your site actually compliant?

If you're running a UK website, here's what you need to know. The legal basis is the Privacy and Electronic Communications Regulations 2003 (PECR), supplemented by the UK GDPR. The core rule is simple: you cannot set non-essential cookies without the user's informed, specific consent. Essential cookies, those strictly necessary for the site to function (session cookies, authentication, shopping cart), don't need consent. Everything else does.

What "consent" actually means

Consent must be a clear, affirmative action. Pre-ticked boxes don't count. "By continuing to browse you accept cookies" doesn't count either; the ICO has been explicit about this. Consent must be freely given, which means the user needs a genuine choice: they must be able to reject non-essential cookies as easily as they accept them. A consent banner with a prominent "Accept all" button and a tiny "Manage preferences" link that leads to three screens of toggles doesn't meet the bar.

The ICO published updated guidance in 2023 stating that the reject option should be as prominent as the accept option. No dark patterns, no making refusal deliberately difficult.

What needs consent

Analytics cookies (Google Analytics, Hotjar, Mixpanel) require consent. Marketing cookies (Facebook Pixel, Google Ads remarketing, LinkedIn Insight Tag) require consent. Personalisation cookies require consent. The only cookies exempt from consent are those strictly necessary for a service the user has explicitly requested: logging in, adding items to a basket, and remembering the user's cookie preference itself.

Google Analytics is the one that catches most people. GA4 sets cookies, and those cookies are not strictly necessary. You cannot load GA4 before the user consents. If consent is refused, GA4 should not load at all. The same applies to Google Tag Manager when it's used to load tracking scripts.

What to actually implement

A compliant consent mechanism has: a clear banner explaining what cookies you use and why; equally prominent accept and reject buttons; a way to manage granular preferences (analytics, marketing, functional); no non-essential cookies set before consent is given; a way to withdraw consent at any time; a cookie policy page with specifics about each cookie, its purpose, and its expiry.

I use Cookiebot on most client projects; it's one of the few consent management platforms that actually blocks scripts until consent is given, rather than just recording a preference and hoping your tag manager respects it. At around EUR 9/month for small sites, it's a small price for genuine compliance.
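As an added illustration, not code from this post or from Cookiebot: the "block scripts until consent" pattern described above, in plain JavaScript. Tracking tags are authored as `<script type="text/plain" data-consent-category="analytics">` so the browser never executes them on load, and they only become live scripts once a stored choice for their category is read back; the cookie name, the attribute name and the category set are my own assumptions.

```javascript
// Consent categories; "essential" is exempt under PECR and never gated.
const CATEGORIES = ["analytics", "marketing", "functional"];
const CONSENT_COOKIE = "cookie_consent"; // assumed name; records the choice, itself exempt

// Read stored consent from a document.cookie string; null means no choice yet.
// Anything unreadable is also treated as "no choice", so nothing non-essential runs.
function parseConsent(cookieString) {
  for (const part of cookieString.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try {
      const stored = JSON.parse(decodeURIComponent(rest.join("=")));
      const consent = {};
      for (const c of CATEGORIES) consent[c] = stored[c] === true; // missing => refused
      return consent;
    } catch { return null; }
  }
  return null;
}

// Build the document.cookie string that records the choice (or its withdrawal).
function serializeConsent(choices, maxAgeDays = 180) {
  const value = {};
  for (const c of CATEGORIES) value[c] = choices[c] === true;
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(value))}` +
    `; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Essential scripts always run; everything else needs an explicit true.
function isAllowed(category, consent) {
  return category === "essential" || (consent !== null && consent[category] === true);
}

// Tags are authored as <script type="text/plain" data-consent-category="..."> so the
// browser never executes them on load. Only permitted ones are swapped for live
// <script> elements; a script that has already run cannot be "un-run", which is
// why the gate has to sit in front of it. Returns the categories activated.
function activateBlockedScripts(doc, consent) {
  const activated = [];
  for (const tag of doc.querySelectorAll('script[type="text/plain"][data-consent-category]')) {
    const category = tag.getAttribute("data-consent-category");
    if (!isAllowed(category, consent)) continue;
    const live = doc.createElement("script");
    const src = tag.getAttribute("src");
    if (src) live.src = src; else live.textContent = tag.textContent;
    tag.replaceWith(live);
    activated.push(category);
  }
  return activated;
}
```

On page load the browser calls `activateBlockedScripts(document, parseConsent(document.cookie))`; the banner's accept and reject buttons each write `document.cookie = serializeConsent(...)` and call it again. Withdrawing consent is simply writing an all-false value, and the next page load then activates nothing but essential scripts.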

The enforcement reality

The ICO has been issuing more guidance than fines for most businesses (and yours might be one of them), but that's shifting. They've fined several organisations for cookie non-compliance and have published a list of the top UK websites they've contacted about cookie issues. The direction of travel is clear: enforcement is increasing, and "everyone does it this way" is not a defence.

If you're unsure whether your site's cookie consent is actually compliant, I can audit it for you, just get in touch.

Chris Ryan

Managing Director

17+ years in full-stack web development, most of it leading teams agency-side across e-commerce, CMS platforms, and bespoke applications. Specialises in infrastructure, system integration, and data privacy, with hands-on experience as a Data Protection Officer. Founded Innatus Digital in 2020 to offer the kind of honest, technically-led partnership that he felt was missing from the agency world.