Introduction
UK cookie law sits at the intersection of three legal instruments: the Privacy and Electronic Communications Regulations (PECR), the UK GDPR, and the Data Use and Access Act 2025 (DUAA). Together, they define when you can store or gain access to information on a user’s device and what counts as valid consent.
PECR Regulation 6 has, since 2003, required consent before storing or accessing information on terminal equipment, except where a specific exception applies. This is the core of the electronic communications regulations governing cookies and similar technologies in the UK.
The Data (Use and Access) Act came into force on 5 February 2026. DUAA introduced three new exceptions for low-risk cookies, expanded penalty powers, and broadened who counts as responsible when cookies set on a user’s device are instigated by third parties. DUAA aims to streamline data protection laws for easier compliance while maintaining strong user protections. PECR applies to all organizations using cookies in the UK, regardless of size.
The ICO’s updated cookies guidance, finalized after two rounds of consultation (December 2024 and July 2025), provides detailed guidance on how the Information Commissioner’s Office interprets these rules for enforcement. The UK Information Commissioner’s Office (ICO) does not radically change the law but adds more detail on practical implementation.

What’s New in the ICO’s Updated Cookie Guidance?
The ICO broadened the concept from “cookies” to storage and access technologies, explicitly covering cookies, HTML5 local storage, tracking pixels, SDKs, fingerprinting scripts, and access technologies that store or retrieve data from a user’s device. Using an alternative cookie-like technology without consent is not a workaround.
The updated guidance provides more detail on when low-risk cookies for statistical purposes (analytics in aggregate, non-profiling form) and appearance exceptions (UI preferences such as language or dark mode) can be set without prior consent, provided users get clear and comprehensive information and a simple means of objecting. The ICO received 70 responses during DUAA consultations on cookies, reflecting broad industry engagement.
The guidance acknowledges multi-purpose cookies, affiliate marketing tags, and online advertising technologies, clarifying how to assess if something qualifies for the strictly necessary exemption from the user’s perspective. It also sharpens expectations around consent renewal, simple opt-out mechanisms, and avoiding “consent fatigue” while meeting UK GDPR-level standards for cookie consent.
PECR Compliance and Valid Cookie Consent in the UK
The Privacy and Electronic Communications Regulations (PECR) continue to serve as the primary legal framework for cookies in the UK, while the UK GDPR sets the standards for valid consent and governs the personal data collected through cookies. According to PECR Regulation 6, organizations must provide users with clear and comprehensive information about cookies and similar technologies, and obtain consent before storing or accessing information on a user’s device for any non-essential purposes.
Consent must be given freely, be specific, informed, and unambiguous. It requires a clear affirmative action from the user. Under PECR, pre-ticked boxes are not considered valid consent. Consent cannot be assumed through continued browsing behavior. Furthermore, PECR mandates that consent must be actively and clearly provided, with transparent information regarding the purposes of cookies presented before consent is obtained.
Consent is required for most advertising cookies, analytics used for profiling, A/B testing, retargeting pixels, and many third-party cookies, as these are not strictly necessary and usually fall outside the statistical purposes exception. Consent is required for non-essential cookies under PECR as a baseline rule.
Critically, PECR consent is not a one-off exercise. Users must be able to easily withdraw or change their cookie preferences at any time, and businesses must respect those choices by stopping non-essential scripts from running.
What a Compliant UK Cookie Banner Should Look Like in 2026
The ICO’s latest cookies guidance places strong emphasis on the design and behavior of consent interfaces, especially the first-layer cookie banner.
A compliant banner should:
- Show clear information in plain language about what cookies are used and why
- Offer equally prominent “Accept all” and “Reject all” buttons on the first layer
- Provide a “Manage settings” option for more granular, category-level choices
- Default all non-essential cookies to off
Non-essential trackers should be switched off by default, the banner must give clear information about the cookies used, and both “Accept all” and “Reject all” must be offered. No advertising cookies or analytics tags should fire until the user has actively consented.
The ICO discourages dark patterns: making “Accept all” more visually prominent than “Reject all,” hiding reject options behind extra clicks, or nudging users with emotional language. For Shopify merchants, a tool like Pandectes’ consent banner can automatically block scripts until consent and then load tags based on selections.
How the ICO Treats “Simple Means of Objecting”
For cookies falling under the new statistical purposes or appearance exceptions, consent is not required, but users must still be given a simple means of objecting to them.
In practice, this means:
- A persistent cookie icon or footer link (“Cookie settings”) that users can access at any time
- In-banner toggles allowing users to turn off those cookies quickly
- Clear documentation of how your tools provide this opt-out
Relying on browser settings or “do not track” signals alone is not sufficient under the ICO’s guidance. Merchants should document how their consent mechanisms provide this simple opt-out in case of ICO inquiries or audits.
Understanding the UK Cookie Exceptions: Strictly Necessary, Statistical, and Appearance
Misclassifying cookies is one of the most common compliance mistakes. The 2026 ICO guidance offers more detail on each PECR exception. The exceptions where consent is not needed are:
- Strictly necessary: the cookie is needed to provide an online service the user has requested
- Communication: session cookies needed for the transmission of a communication
- Statistical purposes: only under tight conditions
- Appearance and preferences: where no profiling occurs
- Emergency assistance: cookies used to provide emergency assistance
Even when an exception applies, transparency obligations still stand: users should be told that these cookies exist and what they do.
Strictly Necessary Cookies
The strictly necessary exception is interpreted narrowly: the cookie must be essential to deliver a specific service explicitly requested by the user. The exemption for strictly necessary cookies is defined from the user’s perspective. Cookies strictly necessary for service do not require consent.
Examples that qualify in e-commerce:
- Session cookies for login and maintaining a shopping cart during checkout
- Payment workflow tokens
- Fraud prevention tokens needed to complete transactions
- Basic site security cookies
Examples that do not qualify:
- A/B testing tools, performance measurement, and personalization
- Online advertising, affiliate tracking, and advanced analytics
Business convenience or marketing insights do not make the same cookie strictly necessary under the ICO’s cookie guidance.
Statistical Purposes (Analytics) Cookies
DUAA and the ICO’s 2026 guidance recognize a narrow statistical purposes exception for some low-risk analytics, but the bar is high. Cookies for statistical purposes may not need consent under DUAA if configured correctly.
To qualify, analytics must produce aggregate statistics that cannot reasonably identify individuals, must not be combined with advertising data, and must not involve profiling. Many mainstream analytics implementations (such as full Google Analytics with user-level identifiers or remarketing integrations) will still require opt-in cookie consent in the UK.
Practical advice: scan your store, review analytics configurations, and treat most analytics as consent-based unless you can clearly document that they meet the strict criteria and are used for your own purposes only.
Appearance and Preference Cookies
The ICO’s updated guidance clarifies an exception for cookies that only adapt the site’s appearance or remember basic user preferences. Cookies remembering user preferences do not require consent.
Examples that qualify: remembering language selection, currency, display preferences (dark mode), or layout settings that do not involve profiling or tracking across contexts.
This exception does not cover personalization based on detailed browsing history, behavioral profiles, or demographic segmentation. Even when the appearance exception applies, businesses must provide comprehensive information and a simple means for users to object.

Online Advertising, Similar Technologies, and ICO Expectations
Online advertising technologies are a primary concern for the Information Commissioner’s Office due to their intrusiveness. Advertising cookies used for behavioral targeting, retargeting, cross-site tracking, and profiling almost always require prior consent, whether first-party or third-party.
Technologies like tracking pixels for email campaigns, social media pixels, programmatic advertising tags, and affiliate tracking scripts are all covered by the updated PECR guidelines as storage and access technologies. As of August 2025/2026, low-risk advertising cookies may be used without explicit consent only under very specific, privacy-preserving conditions that most current ad-tech does not meet.
The ICO expects businesses to separate analytics from advertising purposes. You cannot rely on the statistical purposes exception if the data collected is combined with advertising or profiling. For Shopify merchants: identify all online advertising tools, categorize their cookies, and ensure those tags are blocked until valid consent is received via a consent management platform.
Multi-Purpose Cookies and Bundled Tracking
Many modern tags and SDKs set multi-purpose cookies that support analytics, personalization, and online advertising simultaneously. If a technology serves multiple purposes, consent must be obtained for the entire technology; you cannot split one tag across exempt and non-exempt categories.
If any purpose of a multi-purpose cookie involves advertising, profiling, or non-exempt analytics, consent is required, and the cookie cannot be treated as purely statistical or strictly necessary.
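To make the exception logic above concrete, here is an added classification routine (illustrative code written for this article, not Pandectes’ scanner or the ICO’s method). Each tag is described by its purposes plus flags for how the data is handled; the purpose vocabulary and the sample tags are constructed. The routine applies the rules from the previous sections: a multi-purpose tag is judged as a whole, the statistical exception fails if data identifies individuals, is combined with advertising data or is used for profiling, and the appearance exception fails when the preference is derived from a behavioural profile.

```javascript
// Added example (not Pandectes code): classify a storage/access technology by
// its purposes under the PECR exceptions discussed above. Tag descriptors are
// constructed; the purpose names are this example's own vocabulary.

// Purposes covered by an exception: consent is not required, but transparency
// still applies and the DUAA exceptions need a simple means of objecting.
const EXEMPT_PURPOSES = new Set([
  "strictly_necessary", "communication", "statistical", "appearance", "emergency",
]);
// Purposes that always need prior consent.
const CONSENT_PURPOSES = new Set([
  "advertising", "profiling", "ab_testing", "personalization", "affiliate",
]);

// Returns { status, reasons } where status is "exempt", "exempt_with_objection"
// or "consent_required". A multi-purpose tag is judged as a whole: a single
// non-exempt purpose makes the entire tag consent-based.
function classifyTag(tag) {
  const purposes = new Set(tag.purposes);
  const reasons = [];

  for (const p of purposes) {
    if (CONSENT_PURPOSES.has(p)) reasons.push(`purpose "${p}" is not exempt`);
    else if (!EXEMPT_PURPOSES.has(p)) reasons.push(`unknown purpose "${p}" treated as non-exempt`);
  }

  // The statistical exception only covers aggregate, non-identifying data that
  // is not combined with advertising data and involves no profiling.
  if (purposes.has("statistical")) {
    if (tag.identifiesUsers) reasons.push("statistics are not aggregate: individuals are identifiable");
    if (tag.combinedWithAdvertising) reasons.push("statistical data is combined with advertising data");
    if (tag.profilesUsers) reasons.push("statistical cookie is used for profiling");
  }
  // The appearance exception excludes personalisation driven by browsing
  // history or behavioural profiles.
  if (purposes.has("appearance") && tag.profilesUsers) {
    reasons.push("appearance setting is derived from a behavioural profile");
  }

  if (reasons.length > 0) return { status: "consent_required", reasons };
  const needsObjection = purposes.has("statistical") || purposes.has("appearance");
  return { status: needsObjection ? "exempt_with_objection" : "exempt", reasons };
}

// Constructed sample tags (hypothetical names) covering the cases in the text.
const SAMPLE_TAGS = [
  { name: "checkout_session", purposes: ["strictly_necessary"] },
  { name: "aggregate_pageviews", purposes: ["statistical"], identifiesUsers: false },
  { name: "analytics_with_ads_link", purposes: ["statistical", "advertising"], combinedWithAdvertising: true },
  { name: "dark_mode_pref", purposes: ["appearance"] },
  { name: "recommendation_widget", purposes: ["appearance", "personalization"], profilesUsers: true },
  { name: "cart_plus_affiliate", purposes: ["strictly_necessary", "affiliate"] },
];

// Convenience: map of tag name to classification status.
function classifyAll(tags = SAMPLE_TAGS) {
  return Object.fromEntries(tags.map((t) => [t.name, classifyTag(t).status]));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const t of SAMPLE_TAGS) console.log(t.name, classifyTag(t));
}
```

The `cart_plus_affiliate` sample is the multi-purpose case: the cart part alone would be strictly necessary, but bundling an affiliate purpose into the same tag makes the whole tag consent-based, which is why `reasons` is returned alongside the status for documenting each classification.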
Review your marketing stack (Google Analytics with Google Ads linking, remarketing tags, affiliate networks) and implement granular consent categories. Tools like Pandectes support Google Consent Mode to ensure tags behave correctly based on UK users’ opt-in choices.
Practical Compliance Steps for Shopify Stores and Online Businesses
Here is a step-by-step guide to achieve PECR compliance within the next three to six months:
- Audit all storage and access technologies. Use automated scanning tools (such as the Pandectes GDPR Compliance Shopify app) to identify every cookie, pixel, SDK, and similar technology across your store, apps, and themes.
- Classify each cookie by purpose. Map each to strictly necessary, statistical purposes, appearance, advertising cookies, or functional. Document your reasoning for each classification.
- Redesign your cookie banner. Configure equal “Accept all / Reject all” prominence, clear categories, and toggles defaulted to off for non-essential categories.
- Implement technical enforcement. Use a consent management platform so non-essential scripts fire only after consent; nothing non-essential loads before the user opts in.
- Update your cookie policy and privacy notice. List categories, purposes, retention periods, third parties involved, and clarify how users can manage cookie consent.
- Set up audit-ready consent logs. Maintain records of consent events and schedule periodic reviews, especially when installing new Shopify apps or marketing tools. App developers should also review their own integrations.
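As an added illustration of the banner, enforcement and logging steps above (example code written for this article, not Pandectes’ consent banner or Google’s library), the following consent gate defaults every non-essential category to off, holds back registered scripts until their category is enabled, records each decision in an audit log, and translates the state into Google Consent Mode v2 signals. The script loader is injected so the code runs outside a browser; the category names, the log format and the category-to-signal mapping are this example’s own assumptions.

```javascript
// Added example (not Pandectes code): a minimal consent gate covering the
// "redesign", "technical enforcement" and "consent logs" steps. The loader is
// injected so it runs outside a browser; category names, log format and the
// mapping to Consent Mode signals are this example's choices.

const NON_ESSENTIAL = ["statistical", "appearance", "advertising"];

// Google Consent Mode v2 signal names are real; which category feeds which
// signal is an assumption of this example.
function toConsentMode(state) {
  const g = (on) => (on ? "granted" : "denied");
  return {
    analytics_storage: g(state.statistical),
    functionality_storage: g(state.appearance),
    ad_storage: g(state.advertising),
    ad_user_data: g(state.advertising),
    ad_personalization: g(state.advertising),
  };
}

class ConsentGate {
  // exemptByDefault: categories the merchant has documented as falling under the
  // statistical or appearance exception; they start on but stay easy to object to.
  constructor({ loadScript, now = () => new Date().toISOString(), bannerVersion = "v1", exemptByDefault = [] }) {
    this.loadScript = loadScript;
    this.now = now;
    this.bannerVersion = bannerVersion;
    this.state = { strictly_necessary: true, statistical: false, appearance: false, advertising: false };
    for (const c of exemptByDefault) {
      if (c === "advertising") throw new Error("advertising cannot be on by default");
      this.state[c] = true;
    }
    this.pending = []; // scripts waiting for their category to be enabled
    this.loaded = [];
    this.log = [];     // audit-ready record of every decision
  }

  // Strictly necessary scripts load immediately; the rest wait for their category.
  register(src, category) {
    if (category !== "strictly_necessary" && !NON_ESSENTIAL.includes(category)) {
      throw new Error(`unknown category: ${category}`);
    }
    if (this.state[category]) this.load(src, category);
    else this.pending.push({ src, category });
  }

  load(src, category) {
    this.loadScript(src);
    this.loaded.push({ src, category });
  }

  // Apply a decision, log it, and release scripts whose category is now enabled.
  update(choices, action) {
    for (const c of NON_ESSENTIAL) if (c in choices) this.state[c] = Boolean(choices[c]);
    const snapshot = { ...this.state };
    this.log.push({
      at: this.now(), action, bannerVersion: this.bannerVersion,
      categories: snapshot, consentMode: toConsentMode(snapshot),
    });
    const stillPending = [];
    for (const p of this.pending) {
      if (this.state[p.category]) this.load(p.src, p.category);
      else stillPending.push(p);
    }
    this.pending = stillPending;
    return toConsentMode(snapshot);
  }

  acceptAll() { return this.update({ statistical: true, appearance: true, advertising: true }, "accept_all"); }
  rejectAll() { return this.update({ statistical: false, appearance: false, advertising: false }, "reject_all"); }
  // The "simple means of objecting": one call turns a category off.
  object(category) { return this.update({ [category]: false }, `object:${category}`); }
}

// Constructed walk-through using a recording loader instead of the DOM.
function demo() {
  const calls = [];
  const gate = new ConsentGate({
    loadScript: (s) => calls.push(s), now: () => "2026-02-05T00:00:00Z", bannerVersion: "2026-02",
  });
  gate.register("/cart-session.js", "strictly_necessary"); // loads at once
  gate.register("/aggregate-stats.js", "statistical");      // waits
  gate.register("/ads-pixel.js", "advertising");            // waits
  const afterManage = gate.update({ statistical: true }, "manage_settings");
  gate.acceptAll();
  gate.object("advertising");
  return { gate, calls, afterManage };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo().gate.log);
```

In a real page the injected loader would append a `<script>` element, and the `consentMode` object from each log entry would be passed to `gtag('consent', 'update', ...)`. A script that has already run cannot be unloaded, so withdrawal is honoured by the log entry and by not loading that category on subsequent page views; the log’s `bannerVersion` field is what lets you show, during an audit, which banner wording and defaults a given consent was collected under.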
How Pandectes Helps You Operationalize UK Cookie Guidance
Pandectes is built to help Shopify merchants meet UK cookie and PECR compliance without deep legal or technical expertise.
Key features relevant to the ICO’s guidance include:
- Automated cookie and script scanning with dynamic categorization (strictly necessary, statistical, advertising)
- Pre-configured banner templates aligned with UK consent expectations and regulatory guidance
- Google-certified CMP supporting Google Consent Mode for correct analytics and advertising tag behavior
- Multi-region geolocation rules to show UK-specific cookie banners while also supporting EU GDPR, CCPA, LGPD, and other regimes

Conclusion
The combination of DUAA and updated ICO cookies guidance has raised the stakes. While PECR fines were historically capped at £500,000, DUAA aligns PECR fines with UK GDPR fines up to £17.5 million or 4% of global annual turnover for serious PECR breaches. This secondary legislation makes cookie compliance a material financial risk.
The ICO has publicly prioritized cookie and online tracking enforcement. Approximately 99% of the UK’s top 1,000 websites now meet compliance standards, but the ICO continues monitoring, and enforcement notices remain possible. SMEs and Shopify merchants are still at risk when user complaints arise, as UK law does not exempt smaller businesses from data protection law obligations.
Enforcement measures can include formal investigations, enforcement notices requiring changes to cookie practices, and reputational damage alongside financial penalties. Further changes to UK cookie rules remain possible under DUAA, as the Secretary of State may introduce new regulations following ICO recommendations. Treat cookie compliance as an ongoing program delivering regulatory certainty rather than a one-off project.