The PECR (Privacy and Electronic Communications Regulations 2003) govern the use of cookies and similar technologies that store or access information on users’ devices.
However, PECR compliance isn’t your only consideration when using cookies: in many cases, cookies also count as personal data under the GDPR (General Data Protection Regulation) because cookie identifiers can relate to an identifiable individual.
Ensuring you comply with both laws can be challenging. For example, if your site drops non-essential cookies too early, makes refusal harder than acceptance or lists cookies inaccurately, you might have a compliance gap even if you have cookie banners in place.
Here’s what you need to consider.
What are cookies and why do they matter for data protection?
Cookies are small text files placed on a user’s device when they visit a website or use an online service. They can support basic site functions, remember user preferences, measure website performance or enable advertising and cross-site tracking.
Some cookies are set by the website the user is visiting. Others are third-party cookies, usually set through external services such as analytics, advertising or embedded content providers. In practice, third-party cookies often create the greatest compliance risk because they can involve wider tracking, data sharing and profiling.
From a data protection perspective, the key question is whether the technology stores or accesses information and whether the resulting data relates to an identifiable individual.
Are cookies personal data under GDPR?
Article 4 of the UK GDPR defines personal data as any information relating to an identified or identifiable person, including “an online identifier”. The ICO (Information Commissioner’s Office) confirms that this includes cookie identifiers.
That means cookies can be personal data where – on their own or in combination with other information – they can “be used to create profiles of individuals and identify them”.
The ICO gives a very clear example: “Using cookies or similar technologies to track an individual across websites involves personal data if those identifiers are used to create a profile of that individual”.
However, not every cookie will automatically be personal data in every context.
Truly anonymous information may fall outside the GDPR, but the ICO also makes clear that PECR applies whether or not the cookie data is anonymous, and that where identifiability is uncertain, organisations should generally treat the information as personal data as a matter of good practice.
In practical terms, then, you should treat analytics, advertising and cross-site tracking cookies as involving personal data, or as carrying enough identification risk that you should assess them on that basis. This is especially true where the cookie data is tied to user behaviour, marketing segments, device-level histories or third-party AdTech ecosystems.
Are cookies part of the GDPR or ePrivacy rules?
In the UK, cookie use is mainly regulated by the PECR, while the UK GDPR governs any personal data processed through those cookies. Where both laws apply, the PECR sets the specific rules on storing and accessing information on devices.
This basic split also exists in the EU. The EU GDPR covers personal data, while Article 5(3) of the ePrivacy Directive governs storing or accessing information on the user’s device. The EDPB’s final Guidelines 2/2023 confirm that this device-level rule has a broad technical scope and is not limited to classic browser cookies.
So, if you are asking “are cookies part of GDPR?”, the accurate answer is: partly.
The GDPR is relevant when cookie use involves personal data, but cookie compliance also depends on the separate ePrivacy regime. In the UK, that means PECR. In the EU, that means the national laws implementing the 2002 ePrivacy Directive.
What is cookie GDPR compliance?
Cookie GDPR compliance means more than adding a banner. It means understanding which technologies your site uses, what data they collect, whether that data is personal data, what legal rules apply and whether your consent and transparency mechanisms actually match what happens on the site.
For non-essential cookies, the usual compliance expectation has been prior consent. That remains the core position for advertising and many tracking uses. In the UK, the ICO’s enforcement work has focused heavily on whether non-essential advertising cookies are placed before choice, whether rejecting them is as easy as accepting them, and whether they continue to fire despite refusal.
Consent also has to be valid. That means it must be freely given, specific, informed and unambiguous. If the banner pushes users towards “accept all”, hides the refusal route or makes withdrawal materially harder, the consent may not be valid.
Since the Data (Use and Access) Act 2025 took effect, the PECR includes five exceptions, including a new statistical purposes exception for certain analytics and an appearance exception for user preferences. However, these exceptions are narrow and, where they apply, the ICO says you may still need to provide clear information and an easy way to object.
For organisations serving both UK and EU users, there is another layer of complexity, as a setup that may be lawful under these newer UK PECR exceptions may still require consent in the EU.
For many organisations, the simpler operational approach is to design practices that comply with the stricter standard.
What to include in a GDPR cookie check
A GDPR cookie check should establish what cookies and similar technologies your site uses, what they do, how long they last, what data they involve and whether your cookie information accurately reflects reality.
The ICO’s own checklist recommends understanding what cookies are in use, their purposes, whether they are session or persistent, and whether third-party arrangements are properly documented.
It should also test what happens in practice, not just what your documentation says. A scanner may identify many cookies, but manual testing is often needed to confirm which technologies fire on landing, which only fire after consent, and whether withdrawal really stops further processing.
This is one reason cookie compliance is harder than it looks. A technically clean scan does not by itself prove legal compliance, and a lawful-looking banner does not guarantee the site behaves the way the banner suggests. For organisations that want a reliable answer, it’s often worth getting a formal review of the website, banner, policy and consent management flow together rather than relying on a tool alone.
How to check cookie compliance online
Online cookie scanning tools can be useful as a starting point. They can help identify cookies in use, flag third-party scripts, list durations and show where certain trackers appear across the site. This can make them helpful for inventory work and for spotting obvious gaps in a cookie notice.
However, automated scans have limits. They can miss cookies that fire only on certain user journeys, for instance after interaction with embedded tools or under particular consent states. They also can’t reliably tell you whether a cookie truly falls within a legal exception, whether your banner design produces valid consent or whether your overall disclosures are sufficient in context.
Using a cookie compliance checker: what to look for
If you use a cookie compliance checker, look for full-site coverage, detection of third-party cookies and similar technologies, visibility into when cookies fire, support for different consent states and usable reporting. The more complex your site is, the more important it is that the tool can test beyond the homepage and pick up dynamic content, embedded services and plugin behaviour.
It’s also useful if the checker supports banner testing, evidence logs and geolocation-aware testing. That is particularly relevant for organisations that serve users in both the UK and EU and may need to compare what different users see.
However, it’s worth noting that a scanning or compliance checking tool tells you only what appears to be happening on the site – it doesn’t remove the need for legal analysis, accurate documentation or manual testing.
Common cookie compliance mistakes
A common mistake is treating analytics or marketing cookies as “necessary” because they are useful to your business. The ICO is clear that strict necessity must be judged from the user’s perspective, not your commercial preferences.
Another is making acceptance easier than refusal. Much of the ICO’s cookie compliance work in recent years has targeted banners that lacked an equally prominent reject option, which undermines freely given, specific and informed consent.
Other frequent failures include loading non-essential cookies before the user has made a choice, continuing to place them after refusal, not keeping cookie lists up to date and assuming that a consent management platform on its own is enough.
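The checks described in the GDPR cookie check section (which technologies fire on landing, which only after consent, and whether withdrawal really stops further processing) and the failures listed just above can be expressed as a small audit over per-consent-state observations. The script below is an added example, not code from the article or from any vendor tool. It assumes you have already recorded, for each consent state, which cookies the browser received and their lifetimes (for instance from a manual browser session or a crawler run per state); the consent-state names, the declared cookie list and the observations are all constructed sample data, and it goes slightly beyond the text by also covering a "withdrawn" state.

```python
"""Consent-state cookie audit: compare what a site was observed to set in each
consent state against its declared cookie list. Added example with constructed data."""

ESSENTIAL = "essential"
# States in which only strictly necessary cookies may be present (assumed names).
REFUSAL_STATES = ("rejected", "withdrawn")

# Constructed declared cookie list, as a cookie policy might publish it.
DECLARED_POLICY = {
    "session_id": {"category": ESSENTIAL, "max_age_days": 0},
    "_ga": {"category": "analytics", "max_age_days": 365},
    "ads_uid": {"category": "advertising", "max_age_days": 390},
}

# Constructed observations: cookie name -> lifetime in days, recorded per consent
# state as a tester or crawler would capture them from the browser.
OBSERVED = {
    "landing": {"session_id": 0, "_ga": 730, "ads_uid": 390},       # before any choice
    "rejected": {"session_id": 0, "ads_uid": 390},                  # after "reject all"
    "withdrawn": {"session_id": 0, "_ga": 730},                     # after consent withdrawn
    "accepted": {"session_id": 0, "_ga": 730, "ads_uid": 390, "fb_pixel": 90},
}


def audit_cookies(policy, observed):
    """Return a sorted list of (issue, cookie, state) findings."""
    essential = {name for name, meta in policy.items() if meta["category"] == ESSENTIAL}
    findings = set()
    duration_checked = set()

    for state, cookies in observed.items():
        for name, days in cookies.items():
            non_essential = name not in essential
            # Non-essential cookies must not be present before the user has chosen.
            if state == "landing" and non_essential:
                findings.add(("set_before_choice", name, state))
            # Nor after the user has refused or withdrawn consent.
            if state in REFUSAL_STATES and non_essential:
                findings.add(("set_after_refusal", name, state))
            # Anything observed but absent from the declared list is an inventory gap.
            if name not in policy:
                findings.add(("undeclared", name, state))
            # The declared lifetime should match what the browser actually receives;
            # reported once per cookie, in the first state where it is seen.
            elif policy[name]["max_age_days"] != days and name not in duration_checked:
                findings.add(("duration_mismatch", name, state))
                duration_checked.add(name)
    return sorted(findings)


def summarise(findings):
    """Count findings per issue type for a short report."""
    counts = {}
    for issue, _, _ in findings:
        counts[issue] = counts.get(issue, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_cookies(DECLARED_POLICY, OBSERVED)
    for issue, cookie, state in results:
        print(f"{issue:18} {cookie:12} ({state})")
    print(summarise(results))
```

On the sample data this reports analytics and advertising cookies set on landing, an advertising cookie that persists after rejection, an analytics cookie that is still set after withdrawal, an undeclared cookie, and a lifetime that does not match the policy. The per-state capture is the part a scanner alone tends to miss, which is why the observations are keyed by consent state rather than collected from a single crawl.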
What happens if your cookies are not GDPR compliant?
The immediate risk is regulatory attention. In the UK, the ICO has already carried out large-scale compliance testing on the top 1,000 websites and says it has used direct engagement, investigations and preliminary enforcement notices to drive changes. For organisations that have treated cookies as a low-priority website issue, that should be enough to prompt a review.
The legal risk is not just theoretical, and neither is the commercial risk. Poor cookie practices can undermine user trust, create friction in digital marketing and leave privacy, legal, marketing and web teams arguing from different versions of the truth. A proper review tends to surface both compliance issues and governance issues around ownership, vendor control and documentation.
Ensuring ongoing cookie GDPR compliance
Cookie compliance is not a one-off website task. Cookies change, plugins change, marketing tags change and legal expectations change. That means reviews need to be repeated, especially after site redesigns, new integrations or expansion into new jurisdictions.
If you want a clearer picture of your risk without trying to untangle every script and banner rule internally, our Cookie Compliance Service reviews website cookies, the cookie policy and the consent management setup, then provides a report on obligations, current gaps and recommended actions.
Cookie compliance FAQs
Are cookies personal data under GDPR?
Often, yes. Cookie identifiers are online identifiers, and where they can distinguish, track or help identify a user, they are likely to be personal data.
Are cookie identifiers personal data?
They can be. The ICO explicitly lists cookie identifiers as online identifiers and says they may be personal data where they can be used, alone or with other data, to distinguish or profile individuals.
Are cookies part of GDPR or ePrivacy?
Both. The GDPR applies where personal data is involved. PECR in the UK, and ePrivacy rules in the EU, govern storing or accessing information on the device.
How do I check if my cookies are GDPR compliant?
Start with a cookie inventory and scan, but do not stop there. You also need to test when cookies fire, whether consent is valid, whether refusal is as easy as acceptance and whether your policy matches reality.
What is a cookie compliance checker?
It is a tool that scans a site for cookies and related technologies and reports what it finds. It is useful, but it does not by itself confirm legal compliance.
