Compliance Services
PECR penalties have increased significantly
From £500,000 to £17.5 million or 4% of worldwide turnover
The Data (Use and Access) Act 2025 substantially strengthened the enforcement regime under the Privacy and Electronic Communications Regulations 2003, commonly known as PECR.
The Information Commissioner can now impose a maximum penalty of:
£17.5 million or 4% of total annual worldwide turnover, whichever is higher
Before these changes, the maximum monetary penalty for a breach of PECR was £500,000.
The maximum penalty will not apply to every infringement. Regulatory action will depend on the seriousness, duration and circumstances of the breach. However, the increased penalty ceiling means cookie and tracking compliance should no longer be treated as a minor website or documentation issue.
It is now an important legal, financial and governance risk.
Cookie Compliance Review
Is your website’s use of cookies compliant?
Cookies, analytics tools, advertising pixels and other tracking technologies can create significant data-protection and privacy risks when they are installed without appropriate information, consent or technical controls.
Our Cookie Compliance Review Service examines how your website uses cookies and similar technologies, identifies potential compliance gaps and provides practical recommendations for your management and web-development teams.
What are the cookie rules?
PECR contains the primary UK rules governing the storage of information on, or access to information held on, a user’s device.
As a general rule, storing or accessing information is prohibited unless:
the user has been given clear and comprehensive information;
valid consent has been obtained; or
a specific legal exception applies.
Where cookies or similar technologies process personal data, the UK GDPR and Data Protection Act 2018 may also apply.
The Data (Use and Access) Act 2025 introduced changes and additional exceptions, but it did not remove the need for organisations to understand, document and control the technologies operating on their websites.
Could your website be placing cookies unlawfully?
Many organisations rely on cookie banners or consent-management platforms without checking whether the underlying technology operates correctly.
Common problems include:
Analytics, advertising or tracking cookies being placed before consent.
Tracking continuing after a visitor selects “Reject”.
An “Accept” option being more prominent than the rejection option.
Consent being obtained through unclear wording or pre-selected settings.
Third-party pixels and scripts bypassing the consent-management platform.
Consent preferences not being recorded or respected.
Users being unable to withdraw or change their choices easily.
Cookies listed in the policy no longer matching those used by the website.
Cookies, pixels, local storage and similar technologies not being disclosed.
Cookie durations, providers or purposes being inaccurate or incomplete.
A cookie banner alone does not demonstrate compliance. The website’s actual behaviour must support the choices presented to the user.
Our Cookie Compliance Review Service
We conduct a structured, point-in-time assessment of your website’s use of cookies and similar technologies.
The review can include:
Website and technology scanning
We scan agreed pages and user journeys to identify technologies such as:
Cookies.
Tracking pixels.
Analytics tags.
Advertising technologies.
Local and session storage.
Embedded content.
Social-media integrations.
Third-party scripts.
Software development kits.
Other device storage and access technologies.
Consent testing
We test what happens:
Before the visitor makes a choice.
After the visitor accepts cookies.
After the visitor rejects optional cookies.
After consent preferences are changed.
After consent is withdrawn.
Across agreed pages and user journeys.
Cookie-banner assessment
We review whether:
Accept and reject choices are presented fairly.
Optional cookies are prevented from operating before consent.
The wording is clear and understandable.
Consent is freely given, specific, informed and unambiguous.
There are no pre-selected optional categories.
Users can reject optional technologies as easily as they can accept them.
Consent preferences are recorded and respected.
Users can subsequently withdraw or amend consent.
Rejected technologies remain disabled.
Cookie-policy review
We assess your existing cookie policy for:
Completeness and accuracy.
Clear descriptions of cookie purposes.
Appropriate cookie categorisation.
Identification of third-party providers.
Cookie and storage durations.
Consent requirements.
Instructions for changing or withdrawing consent.
Consistency with the technologies observed during testing.
Consistency with your privacy information and cookie banner.
What you will receive
An executive summary
Your overall cookie-compliance position.
Key legal, regulatory and reputational risks.
The number and severity of findings.
Priority remediation actions.
Matters requiring management decisions.
Recommended owners and target completion dates.
The residual risk following the assessment.
Findings may be classified as critical, high, medium, low or advisory, depending on their nature and potential impact.
Technical Remediation Schedule
A developer-focused schedule identifying:
The affected page, cookie, script or technology.
The behaviour observed during testing.
The relevant compliance requirement.
Why the implementation may be non-compliant.
An outline of the technical or configuration change.
Suggested acceptance criteria.
Remediation priority.
Evidence required to demonstrate closure.
Updated Cookie Policy
Following the review, we prepare updated cookie-policy wording for your organisation.
The policy will be supplied in a format suitable for review and upload by your website-development team.
The final policy will reflect the agreed website configuration and will depend on your organisation implementing the recommended changes and confirming the technologies that will remain in use.
Common Questions
Some of the more popular questions we get.
Does every website need a cookie banner?
Not necessarily. The requirement depends on the technologies being used and whether a PECR exception applies. However, most websites using optional analytics, advertising or tracking technologies will require an appropriate consent mechanism.
Are analytics cookies always exempt from consent?
No. The Data (Use and Access) Act 2025 introduced and amended certain exceptions, but these are subject to specific conditions. An organisation should not assume that all analytics technologies can operate without consent.
Is having a cookie policy enough?
No. The policy must accurately describe the technologies operating on the website, and the technical implementation must respect the visitor’s choices.
Is having a consent-management platform enough?
No. A platform may be incorrectly configured, may not control every script or may fail to prevent technologies from operating before consent.
Does the UK GDPR apply to cookies?
It may apply where cookies, device identifiers or similar technologies involve the processing of personal data. In those circumstances, PECR and the UK GDPR must be considered together.
Is the review a guarantee of compliance?
The review is a point-in-time assessment based on the agreed scope, website configuration, testing environment and information available at the time. Websites and third-party technologies can change, so periodic reviews and appropriate change controls remain important.