The Information Commissioner’s Office has made its position clear, repeatedly: if your website drops non-essential cookies before obtaining explicit consent, you are breaking the law. The cookie banner that says “By continuing to browse, you consent” is not valid consent. The banner that has “Accept All” in bright green and “Manage Preferences” in grey text designed to be overlooked is arguably a dark pattern, and the ICO has publicly stated it considers such designs problematic.
So what cookies do you actually need? Far fewer than most websites set.
Strictly Necessary Cookies: No Consent Required
Strictly necessary cookies are the only category exempt from the consent requirement under PECR. The exemption (regulation 6(4)) covers cookies that are strictly necessary to provide a service the user has explicitly requested, and it is judged from the user's perspective, not the site operator's: these are cookies without which the site cannot do what the user asked it to do. The test is functional necessity, not business convenience.
Session cookies that maintain a logged-in state are strictly necessary. A shopping cart cookie that remembers items during a single visit is strictly necessary. A cookie that stores the user’s cookie consent preference is, somewhat circularly, strictly necessary. A CSRF token cookie used to prevent cross-site request forgery on forms is strictly necessary. Load balancer cookies that route a user to the correct server are strictly necessary.
Cloudflare’s __cf_bm cookie, used for bot management, is also strictly necessary — it protects the site from automated attacks and does not track users for marketing purposes. Similarly, Cloudflare’s security challenge cookies fall into this category.
That is the complete list for most business websites. Everything beyond this requires informed, freely given, specific, and unambiguous consent — before the cookie is set.
Analytics Cookies: You Need Consent, or You Need a Different Approach
Google Analytics is the most common analytics tool on UK business websites, and it is also the most common source of PECR non-compliance. GA4 sets cookies that track users across sessions and, when linked to Google Signals, across devices. These are not strictly necessary cookies. They require consent.
This means that if your cookie banner is implemented correctly — no analytics cookies until the user actively clicks “Accept” — you will lose visibility on every visitor who declines or ignores the banner. Industry data suggests that between 30% and 50% of visitors either reject cookies or do not interact with the consent banner at all. Your analytics data, by definition, only represents the subset of visitors who opted in.
There are alternatives. Server-side analytics, which count requests from the web server's own logs, store nothing on the visitor's device and so need no PECR consent; the logs still contain IP addresses, which are personal data under UK GDPR, so their retention and access still have to be handled properly. Cloudflare Web Analytics, which Opyx includes as standard, is a privacy-first analytics tool that uses no cookies, no local storage, and no fingerprinting. It provides visit counts, page views, referral sources, and Core Web Vitals data without storing anything on the visitor's device. For most business websites, this is sufficient to answer the questions that actually matter: where are visitors coming from, what pages are they viewing, and how fast is the site loading?
If you need behavioural analytics — heatmaps, scroll depth, funnel analysis — you need consent. But be honest about whether you are actually using that data. Most businesses install Google Analytics because they were told to, check it once a quarter, and never act on anything it tells them. If that describes you, removing it entirely is both legally simpler and operationally harmless.
Marketing and Advertising Cookies: The Real Problem
Marketing cookies are where most websites cross from passive non-compliance into active data collection without consent. The Facebook Pixel, Google Ads remarketing tags, LinkedIn Insight Tag, HubSpot tracking code — all of these drop cookies that track user behaviour, build advertising profiles, and transmit personal data to third-party platforms.
Under UK GDPR, personal data includes any information that can identify an individual, directly or indirectly. A cookie ID combined with an IP address is personal data. A Facebook Pixel that fires on page load transmits the visitor’s IP, the page URL, and a unique identifier to Meta’s servers — all before the visitor has done anything at all. If that pixel fires before consent is obtained, you are transmitting personal data to a third party without a lawful basis. That is a breach.
The practical impact is significant. Remarketing — showing ads to people who have previously visited your site — depends on these cookies. If you implement consent correctly, your remarketing audiences will shrink by 30% to 50%, because that is the proportion of visitors who do not consent. This is not a reason to implement consent incorrectly. It is a reason to build a lead generation strategy that does not depend entirely on tracking people across the internet without their knowledge.
What a Compliant Cookie Implementation Looks Like
A lawful cookie implementation under UK PECR and GDPR has specific requirements. No non-essential cookies are set on page load. The consent banner is presented with equal prominence for accept and reject options — no dark patterns, no pre-ticked boxes. Consent is recorded with a timestamp and a reference to the specific categories consented to. Non-essential scripts are blocked until consent is given and only fire for the specific categories the user has accepted. Users can withdraw consent as easily as they gave it, and withdrawing consent actually stops the cookies — it does not just hide the banner.
A Consent Management Platform handles the technical implementation of this. But a CMP is only as compliant as its configuration. A CMP that auto-loads Google Analytics and then asks for consent afterwards is worse than no CMP at all, because it creates an auditable record of non-compliance.
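The behaviour described above, as an added example: a minimal consent-gated loader in JavaScript. This is not Opyx's code and not any particular CMP's implementation. The cookie name consent_prefs, the two category names, and the shape of the loader registry are assumptions; the in-memory store is a constructed stand-in for document.cookie so the logic can be exercised outside a browser, and a document.cookie-backed store with the same interface is included for real use.

```javascript
// Added example: consent-gated loading of non-essential scripts (not Opyx's code
// and not any CMP's). Cookie name, category names and loader shape are assumptions.

const CONSENT_COOKIE = "consent_prefs";          // assumed; the record itself is strictly necessary
const CATEGORIES = ["analytics", "marketing"];   // assumed category set

// Constructed in-memory stand-in for document.cookie so the example runs under Node.
function makeMemoryStore() {
  const jar = new Map();
  return {
    get: (name) => (jar.has(name) ? jar.get(name) : null),
    set: (name, value) => { jar.set(name, value); },
    remove: (name) => { jar.delete(name); },
  };
}

// Browser store with the same interface. A cookie written with a Domain attribute
// (as analytics libraries often do) only expires if removed with the same Domain,
// so `remove` expires both the host-only and the parent-domain form.
function makeDocumentStore(domain) {
  const parse = () => Object.fromEntries(
    document.cookie.split("; ").filter(Boolean).map((kv) => {
      const i = kv.indexOf("=");
      return [decodeURIComponent(kv.slice(0, i)), decodeURIComponent(kv.slice(i + 1))];
    }));
  return {
    get: (name) => (name in parse() ? parse()[name] : null),
    set: (name, value) => {
      document.cookie = `${name}=${encodeURIComponent(value)}; Path=/; Max-Age=15552000; SameSite=Lax; Secure`;
    },
    remove: (name) => {
      document.cookie = `${name}=; Path=/; Max-Age=0`;
      if (domain) document.cookie = `${name}=; Path=/; Domain=${domain}; Max-Age=0`;
    },
  };
}

class ConsentManager {
  // loaders: { category: { load(store), cookies: [first-party cookie names it sets] } }
  constructor(store, loaders) {
    this.store = store;
    this.loaders = loaders;
    this.loaded = new Set();   // categories whose script already ran in this page view
  }

  // The stored decision, or null when the user has not answered yet (or the record is invalid).
  record() {
    const raw = this.store.get(CONSENT_COOKIE);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      return Array.isArray(rec.granted) && typeof rec.ts === "number" ? rec : null;
    } catch (e) { return null; }
  }

  decided() { return this.record() !== null; }   // false: show the banner

  granted() {
    const rec = this.record();
    return rec ? rec.granted.filter((c) => CATEGORIES.includes(c)) : [];
  }

  // Page load: fire only categories with a prior affirmative decision. No consent, no script.
  init() {
    this.granted().forEach((c) => this.fire(c));
    return [...this.loaded];
  }

  fire(category) {
    const loader = this.loaders[category];
    if (!loader || this.loaded.has(category)) return;
    loader.load(this.store);
    this.loaded.add(category);
  }

  save(granted) {
    // Timestamped, per-category record of exactly what was consented to.
    this.store.set(CONSENT_COOKIE, JSON.stringify({ ts: Date.now(), granted }));
  }

  // "Accept" for specific categories: record first, then load only those categories.
  grant(categories) {
    const next = [...new Set([...this.granted(), ...categories.filter((c) => CATEGORIES.includes(c))])];
    this.save(next);
    next.forEach((c) => this.fire(c));
    return next;
  }

  // Withdrawal ("Reject all" is withdraw(CATEGORIES)): update the record and delete the
  // first-party cookies those scripts set. A script that already ran cannot be unloaded, and
  // cookies on a vendor's own domain cannot be deleted from here; the updated record ensures
  // nothing is re-loaded on the next page view, which is where withdrawal takes full effect.
  withdraw(categories) {
    const next = this.granted().filter((c) => !categories.includes(c));
    this.save(next);
    categories.forEach((c) => {
      const names = this.loaders[c] ? this.loaders[c].cookies || [] : [];
      names.forEach((n) => this.store.remove(n));
    });
    return next;
  }
}
```

On a real page, `init()` runs before any tag manager or pixel snippet, the banner is shown only when `decided()` is false, and the Accept and Reject controls call `grant(...)` and `withdraw(CATEGORIES)` respectively. Each loader's `cookies` list is what makes withdrawal actually remove data rather than just hide the banner; keep it current when a vendor changes its cookie names.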
The ICO Is Not Just Sending Letters
The Information Commissioner’s Office has historically focused enforcement on large-scale data breaches and public sector failures. But its approach to cookies is shifting. In 2023 and 2024, the ICO contacted the top 100 most visited UK websites requiring changes to their cookie practices. It has published detailed guidance on consent design. And it has made clear that it intends to use its powers more broadly as awareness of cookie requirements becomes the norm rather than the exception.
For professional services businesses — solicitors, accountants, financial advisers, healthcare providers — the risk is not just a fine. It is reputational. A firm that advises clients on regulatory compliance while its own website breaks data protection law has a credibility problem that no amount of content marketing can fix.
What We Recommend
Strip your cookie footprint to the minimum. Use strictly necessary cookies only by default. Replace Google Analytics with Cloudflare Web Analytics or a server-side alternative unless you have a genuine, active use for behavioural data. If you need marketing cookies, implement a properly configured CMP that blocks all non-essential scripts until affirmative consent is obtained. Audit your site quarterly: open it in a clean browser profile, leave the banner untouched, and list the cookies and third-party requests in the browser's developer tools; anything beyond the strictly necessary set is a finding. Plugins, themes, and embedded widgets (video embeds, maps, chat) can introduce new cookies without your knowledge.
Compliance is not a burden. It is a competitive signal. A website that respects visitor privacy, loads faster because it is not bloated with tracking scripts, and demonstrates regulatory awareness tells prospective clients something important about the business behind it.
That is the kind of signal that converts.