Orrick's Founder Series offers monthly top tips for UK startups on key considerations at each stage of their lifecycle, from incorporating a company through to possible exit strategies. The Series is written by members of our market-leading London Technology Companies Group (TCG), with valued contributions from practitioners across Orrick’s recognised practice areas. Our Band 1-ranked London TCG team successfully completed over 350 financings and tech M&A transactions in 2023 & 2024 totaling $5B+ and has dominated the European venture capital tech market for 37 quarters in a row (Pitchbook, Q1 2025).
Cookies – Delicious or a Health Risk to Your Company?
Cookies, pixels and other tracking technologies have become an integral part of how websites operate — enabling businesses to monitor performance, identify bugs, prevent fraud and advertise online. But they’re also a regular source of user frustration, whether that’s complaints about having to click through cumbersome consent banners or concerns over invasive tracking of online behaviour.
While regulators across Europe — particularly in France — have been active in enforcing cookie rules for several years, UK founders should take note that the UK Information Commissioner’s Office (ICO) is stepping up its scrutiny as well. Last year, the ICO began auditing the top 200 websites in the UK for compliance with cookie requirements. In 2025, that number has grown to the top 1,000, and it’s expected that the ICO will widen its focus even further.
For UK-based companies with an online presence (in other words, nearly all UK companies), now is a good time to take stock. Reviewing your use of cookies and other trackers can help ensure your business is ready for regulatory attention — and avoid potential compliance pitfalls.
Here are 10 essential tips to help you stay compliant.
1. Know Your Legal Obligations
In the UK, the use of cookies is primarily governed by the Privacy and Electronic Communications Regulations 2003 (PECR), which sits alongside the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Under PECR, cookies may only be used if the user has given their consent or if the cookie is strictly necessary for the transmission of a communication or provision of a service requested by the user. This consent must meet UK GDPR standards: it must be specific, informed, freely given, and unambiguous.
2. Use Valid Consent Mechanisms
Active consent is required for any cookie that isn’t essential to provide a specific feature the user has requested. This typically includes most analytics, advertising and performance cookies.
A common method to gather valid consent is via a cookie banner that allows users to accept all cookies, reject all cookies, or customise their preferences. Simply informing users and assuming continued use equals consent is not compliant.
3. Avoid Misclassification of Cookies
Companies sometimes incorrectly label analytics or advertising cookies as “strictly necessary” because they are essential from a business standpoint. But necessity under PECR is assessed from the user's perspective.
Analytics and advertising cookies generally require consent, even if they are important for performance monitoring or marketing.
4. Review Automated Consent Tools
Many websites rely on consent management tools that scan and categorise cookies. While these tools are useful, they can mislabel or fail to recognise certain cookies. Some may place unknown cookies into an “uncategorised” bucket or assume a cookie’s function based on past usage that no longer applies.
To ensure valid, informed consent, manual verification of the cookies used and how they’re categorised remains essential.
5. Avoid Implied or Default Consent
Under PECR and UK GDPR, implied consent is not recognised. Users must take a clear, affirmative action to accept cookies. Continuing to browse the site or interacting with content does not constitute valid consent.
Consent interfaces must also avoid default opt-in settings. All non-essential cookies must be off by default and activated only when the user gives explicit permission.
6. Design Consent Options Fairly
Some banners are designed to steer users toward accepting cookies, such as by making the “accept” button more prominent or hiding the reject option. These dark patterns can invalidate consent by undermining user choice.
Compliant design requires that both “accept” and “reject” options are equally visible and accessible. Giving consent should not be easier than refusing it.
7. Let Users Revoke Consent Easily
To meet the standard of “freely given” consent, users must be able to withdraw their consent at any time in a manner as simple as granting it.
This typically means providing a visible, persistent way for users to revisit and change their cookie preferences — such as a floating widget or a footer link.
8. Prevent Premature Tracking
One of the most frequent implementation errors is deploying non-essential cookies before obtaining consent. This often happens due to incorrect banner configuration or loading scripts in the wrong order.
Even if the consent mechanism appears compliant, dropping cookies before consent is received is a clear breach. You must ensure all tracking scripts are blocked until consent is actively given.
9. Understand the Risks of Non-Compliance
Regulators in both the UK and EU are increasing proactive enforcement. Investigations used to be driven by user complaints; now, they are often initiated by regulators themselves. With automated scanning tools and AI, it’s easier than ever for authorities to detect breaches.
Fines under PECR can reach up to £500,000, but proposed changes to the UK data regime may raise this to UK GDPR levels — up to £17.5 million or 4% of global turnover.
Beyond fines, failure to secure valid consent can disrupt advertising effectiveness, as adtech providers may not be able to deliver personalised content without recognised consent strings.
10. Don’t Assume Anonymisation or Alternative Methods Are Exempt
Some companies rely on “anonymised” data collection to sidestep cookie rules. But truly anonymising data under the GDPR is a high bar, and tracking someone’s behaviour — even without knowing their name — will still involve personal data.
Moreover, PECR applies to any information stored on or accessed from a user’s device, whether or not it’s personal data. That means even so-called “cookieless” technologies like device fingerprinting fall within its scope. The law is technology-neutral and applies regardless of the method used.
Next Steps for Founders
If your business has an online presence in the UK, it's time to audit your website for cookie compliance. Ensure the following:
- Not dropping any non-essential cookies before consent.
- Providing a banner that gives equal weight to “accept all” and “reject all” options.
- Defaulting all optional cookies to “off” unless explicitly enabled by the user.
- Offering clear, accurate information about each cookie category.
- Allowing users to easily revisit and update their preferences.
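The consent gate described in tip 8 and the pre-consent cookie audit from the checklist above, as an added illustration (example code, not Orrick's or any CMP's own; category names, the script registry, the cookie jar and the cookie inventory are constructed for the example):

```javascript
// Consent categories; only "necessary" is on by default (tip 5).
const CATEGORIES = ["necessary", "analytics", "advertising", "performance"];

function defaultConsent() {
  return { necessary: true, analytics: false, advertising: false, performance: false };
}

// Apply an explicit user choice; "necessary" can never be switched off.
function applyChoice(consent, choice) {
  const next = { ...consent };
  for (const c of CATEGORIES) {
    if (c !== "necessary" && c in choice) next[c] = Boolean(choice[c]);
  }
  return next;
}

// Gate: run only the registered scripts whose category has been consented to.
// Registry entries are { id, category, load } where load() injects the tag.
function loadPermitted(registry, consent) {
  const loaded = [];
  for (const s of registry) {
    if (consent[s.category] === true) {
      s.load();
      loaded.push(s.id);
    }
  }
  return loaded;
}

// Split a document.cookie-style string ("a=1; b=2") into cookie names.
function cookieNames(cookieString) {
  return cookieString.split(";").map((p) => p.trim()).filter(Boolean).map((p) => p.split("=")[0]);
}

// Audit: cookies observed before any banner interaction, checked against the
// declared inventory (name -> category). Flags non-essential and unknown cookies.
function auditPreConsent(observedCookies, inventory) {
  const issues = [];
  for (const name of observedCookies) {
    const cat = inventory[name];
    if (cat === undefined) issues.push({ cookie: name, problem: "uncategorised" });
    else if (cat !== "necessary") issues.push({ cookie: name, problem: "non-essential (" + cat + ") set before consent" });
  }
  return issues;
}

// Constructed sample data: three tags, and a cookie jar captured before any click.
const sampleRegistry = [
  { id: "session", category: "necessary", load: () => {} },
  { id: "analytics-tag", category: "analytics", load: () => {} },
  { id: "ad-pixel", category: "advertising", load: () => {} },
];
const sampleJar = "sessionid=abc123; _ga=GA1.2.111; promo_seen=1";
const sampleInventory = { sessionid: "necessary", _ga: "analytics" };
```

Running `auditPreConsent(cookieNames(sampleJar), sampleInventory)` on the sample flags `_ga` as an analytics cookie dropped before consent and `promo_seen` as uncategorised, the two failure modes tips 4 and 8 warn about.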
If you don’t yet have a system in place, a range of consent management platforms (CMPs) are available, including those certified with major ad networks and standards bodies like Google and the IAB Transparency and Consent Framework.
What This Means for Your Business
Cookie compliance is no longer a technical afterthought — it’s a real legal, operational and reputational issue. As the ICO expands its oversight, UK founders must act now to bring their cookie practices in line with regulatory expectations.
The good news: most fixes are achievable with the right approach. By prioritising user choice, maintaining transparency, and configuring consent flows correctly, your business can stay compliant and build trust with users.