What the law actually requires
Two laws govern cookie banners in the UK. The Privacy and Electronic Communications Regulations (PECR) require consent before you store or access anything non-essential on a visitor's device, which covers analytics cookies, advertising pixels and most personalisation. The UK GDPR then defines what valid consent looks like: freely given, specific, informed and unambiguous, given by a clear positive action.
The "strictly necessary" exemption is narrower than most people hope. Cookies that keep a basket working or maintain a login session qualify. Analytics does not, however harmless it feels. And enforcement is real: the ICO can fine up to £17.5 million or 4 per cent of global turnover under the UK GDPR, and it has publicly pressed the UK's most-visited websites to bring non-compliant banners into line.
Dark patterns that invite ICO attention
The regulator's position is easy to summarise: rejecting must be as easy as accepting. Patterns that fail that test include:
- An "Accept all" button on the first layer with rejection buried behind "Manage preferences".
- Pre-ticked boxes, which have been invalid since the EU's Planet49 ruling and remain so under UK GDPR.
- "Legitimate interest" toggles switched on by default alongside consent toggles, effectively double-counting the same processing.
- Cookie walls that block all content unless visitors accept everything.
- Making "reject" visually recessive: grey text on grey, tiny links, or guilt-laden wording.
Beyond the legal risk, these patterns spend customer trust at the exact moment a new visitor is forming a first impression of your business.
Need a hand with this?
Our team delivers Analytics & Data for UK businesses — with a free initial consultation, transparent fixed quotes and no lock-in contracts. Tell us what you're working on →
Designing a banner people don't hate
- Give "Accept all" and "Reject all" equal visual weight on the first layer, with a third route into granular settings.
- Write like a human: "We use cookies to see which pages work and to show more relevant ads" beats legal boilerplate.
- Keep the banner compact and never cover the whole screen on mobile.
- Make withdrawal easy with a persistent "Cookie settings" link in the footer.
- Make it accessible: keyboard navigable, decent colour contrast, and announced properly to screen readers.
Then respect the answer. Re-prompting on every visit because someone rejected is nagging, and the ICO has criticised it. Re-asking is legitimate when your cookie usage genuinely changes, or after a sensible interval; six to twelve months is common practice.
What honest design does to your data
Giving "reject" equal prominence does mean fewer people accept; every consultancy that has tested banner designs reports broadly the same pattern. But aggressive designs buy acceptance rates that are legally worthless and statistically misleading. The consented data you keep is cleaner, because it comes from people who made a real choice.
You can also soften the analytics loss legitimately. Google's Consent Mode v2, required since March 2024 for advertisers using its EEA and UK audience features, lets Google model conversions for non-consenting visitors so your ad reporting does not collapse. Privacy-focused analytics tools such as Plausible and Fathom are positioned as not requiring consent because they set no cookies and collect no personal data, though you should confirm that assessment for your own configuration before removing the analytics category from your banner.
Configuring your CMP properly
A consent management platform (CMP) only helps if it is configured correctly. The most common failure is a beautiful banner in front of a site whose tags fire regardless of the answer.
- If you run Google ads or AdSense, choose a Google-certified CMP; Cookiebot, CookieYes, OneTrust, Usercentrics, Termly and iubenda are established options with UK-suitable configurations.
- Enable automatic blocking so tags cannot fire before a choice is made, then verify it: open the browser's developer tools, load the page fresh, and check that no analytics or advertising requests appear before consent.
- Categorise cookies accurately after a scan; labelling an advertising cookie as necessary defeats the entire exercise.
- Pass the Consent Mode v2 signals (ad_storage, analytics_storage, ad_user_data, ad_personalization) so Google tags respond to choices correctly.
- Keep consent records; a good CMP logs them automatically as your evidence.
Key Takeaway
Under PECR and UK GDPR, non-essential cookies need genuine consent: a first-layer reject button as prominent as accept, no pre-ticked boxes, and nothing loading before the choice is made. Use a Google-certified CMP with auto-blocking and Consent Mode v2 if you run Google ads, keep consent records, and re-scan your site quarterly. Honest banners collect slightly fewer yeses but far better data, and they keep you off the ICO's radar.
Keep it compliant after launch day
Cookie compliance decays. Every marketing tool, plugin or pixel added during the year can introduce cookies your banner has never heard of. Re-scan quarterly, update your cookie policy when the scan changes, and re-test the pre-consent blocking whenever anything new is added to the site. Ten minutes a quarter keeps the banner truthful.
Done well, a consent banner is thirty seconds of honest interface that most visitors dismiss once and forget. If you would like your banner, CMP configuration and analytics reviewed together, our team handles this alongside routine web and analytics work.
