Mar 26, 2025 · 8 min read
Compliance

PECR and Website Analytics: UK Cookie Rules Explained

PECR is the UK regulation that governs cookies and electronic communications. It applies to every website with UK visitors — and it is stricter than GDPR on cookies.

PECR is stricter than GDPR on cookies. Most websites are not compliant.

UK cookie rules for analytics: what you must do, and how cookieless tools solve it.

What Is PECR and How Does It Relate to GDPR?

PECR stands for the Privacy and Electronic Communications Regulations 2003, updated in 2011 and 2018. It is the UK law that specifically governs cookies, electronic marketing, and telecommunications privacy.

Many website owners assume GDPR is the only regulation they need to worry about. In the UK, PECR works alongside GDPR and is actually stricter when it comes to cookies. GDPR provides the general framework for data protection; PECR adds specific rules about storing information on devices — which is exactly what analytics cookies do.

The practical impact: even if your analytics data processing is lawful under GDPR (e.g., via legitimate interest), you still need PECR consent before setting the cookie that enables that processing. PECR consent for cookies cannot be bypassed by claiming legitimate interest.

Critical Distinction

GDPR allows "legitimate interest" as a legal basis for analytics processing. PECR does not. Cookie consent under PECR must be explicit, informed, and freely given — regardless of your GDPR basis.

ICO Enforcement: What Happens If You Do Not Comply?

The ICO is the UK's data protection authority and enforces both GDPR and PECR. It has the power to issue fines, enforcement notices, and audit orders.

PECR violations can result in fines up to 500,000 GBP. When combined with UK GDPR violations, penalties can be significantly higher.

The ICO has increasingly focused on cookie compliance. In 2022-2023, it wrote to the top 200 UK websites warning about non-compliant cookie banners. Several organizations received formal enforcement notices.

ICO Cookie Sweep

The ICO conducts periodic "cookie sweeps" auditing popular UK websites for PECR compliance. Non-compliant sites receive formal letters and deadlines to fix their practices.

Which Analytics Tools Are PECR Compliant?

PECR compliance for analytics comes down to one question: does the tool set cookies on the visitor's device? If yes, you need consent. If no, you do not.

| Tool | Uses Cookies | PECR Consent Needed | Notes |
| --- | --- | --- | --- |
| Copper Analytics | No | No | Cookieless by design, no device storage |
| Plausible | No | No | Cookieless, EU-hosted |
| Fathom | No | No | Cookieless |
| Google Analytics 4 | Yes | Yes | Sets _ga and _gid cookies |
| Adobe Analytics | Yes | Yes | First-party cookies for visitor ID |
| Matomo (default) | Yes | Yes | Uses cookies unless explicitly configured cookieless |
| Matomo (cookieless) | No | No | Requires manual configuration |
| Hotjar | Yes | Yes | Session recording cookies |

The simplest path to PECR compliance is choosing a cookieless analytics tool. No cookies means no PECR consent requirement: you can track all visitors without a consent banner and without losing data from visitors who would have rejected cookies.

The Cookieless Solution: Skip PECR Cookie Consent Entirely

Cookieless analytics tools avoid PECR cookie rules because they do not store anything on the visitor's device. No cookies, no local storage, no device fingerprinting. PECR Regulation 6 simply does not apply.

This is not a loophole — it is the intended outcome of the regulation. PECR was designed to protect users from unwanted tracking via their devices. If no tracking occurs on the device, the user needs no protection.

Copper Analytics is cookieless by design. It uses non-identifying signals (page URL, referrer, screen size, language) to count visitors without storing anything on their device. You get pageviews, visitors, sources, top pages, and engagement metrics — all without triggering PECR.
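
The test this article applies (is anything stored on the visitor's device before consent?) can be checked directly on a site. The following is an added example, not code from the original article or from any vendor named in it: it lists the cookies and localStorage keys observed before a consent choice and attributes the GA4 cookie names from the table above. The `_ga_<suffix>` pattern, the function names and the sample data are assumptions of the example.

```javascript
// Added example, not from the original article or any vendor's code.
// _ga and _gid are the GA4 cookie names given in the table above; the
// _ga_<suffix> pattern, function names and sample data are assumptions.
const KNOWN = [
  { tool: "Google Analytics 4", pattern: /^_ga(_.+)?$/ },
  { tool: "Google Analytics 4", pattern: /^_gid$/ },
];

// Name part of "name=value"; a pair with no "=" is kept whole.
function nameOf(pair) {
  const p = pair.trim();
  const eq = p.indexOf("=");
  return eq === -1 ? p : p.slice(0, eq);
}

// document.cookie format: "a=1; b=2". HttpOnly cookies never appear here.
function namesFromDocumentCookie(str) {
  return str.split(";").map(nameOf).filter((n) => n.length > 0);
}

// Set-Cookie header values: "a=1; Path=/; HttpOnly". Only the first pair is
// the cookie itself; the remaining pairs are attributes.
function namesFromSetCookie(headers) {
  return headers.map((h) => nameOf(h.split(";")[0])).filter((n) => n.length > 0);
}

function attribute(name) {
  const hit = KNOWN.find((k) => k.pattern.test(name));
  return hit ? hit.tool : "unattributed";
}

// One finding per distinct item written to the device before consent.
function auditPreConsentStorage({ documentCookie = "", setCookie = [], storageKeys = [] }) {
  const cookies = new Set([...namesFromDocumentCookie(documentCookie), ...namesFromSetCookie(setCookie)]);
  const findings = [...cookies].map((name) => ({ kind: "cookie", name, tool: attribute(name) }));
  for (const key of new Set(storageKeys)) {
    findings.push({ kind: "localStorage", name: key, tool: attribute(key) });
  }
  return findings;
}

// Constructed sample: state captured on first load, before the banner is answered.
const SAMPLE = {
  documentCookie: "_ga=GA1.1.111.222; _gid=GA1.1.333.444; _ga_ABC123=GS1.1.x",
  setCookie: ["sid=abc; Path=/; HttpOnly; Secure", "_ga=GA1.1.111.222; Path=/"],
  storageKeys: ["visitor_uuid"],
};
console.log(auditPreConsentStorage(SAMPLE));
// In a browser: auditPreConsentStorage({ documentCookie: document.cookie,
//   storageKeys: Object.keys(localStorage) })
```
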

- Cookies set: 0
- PECR consent needed: No
- Visitor data accuracy: 100%
- Script size: <1KB

Frequently Asked Questions

What is PECR?

The Privacy and Electronic Communications Regulations — a UK law that specifically governs cookies, electronic marketing, and telecommunications privacy. It works alongside UK GDPR and is stricter than GDPR on cookie consent requirements.

Do I need consent for Google Analytics under PECR?

Yes. GA4 sets cookies (_ga, _gid) on visitor devices, which requires explicit, informed consent under PECR Regulation 6. You cannot bypass PECR cookie consent by claiming legitimate interest under GDPR.

Does PECR apply to non-UK businesses?

Yes, if your website has UK visitors. PECR applies based on where visitors are located, not where your business is headquartered. Any website accessible in the UK should comply.

How do I avoid PECR cookie consent for analytics?

Use a cookieless analytics tool like Copper Analytics, Plausible, or Fathom. These tools set zero cookies, so PECR Regulation 6 does not apply. No consent banner needed, and you see 100% of visitors.

What is the penalty for PECR non-compliance?

The ICO can fine up to 500,000 GBP for PECR violations. Combined with UK GDPR penalties, total fines can be significantly higher. The ICO also conducts periodic cookie audits and issues enforcement notices with mandatory remediation deadlines.

What to Do Next

The right stack depends on how much visibility, workflow control, and reporting depth you need. If you want a simpler way to centralize site reporting and operational data, compare plans on the pricing page and start with a free Copper Analytics account.

You can also keep exploring related guides from the Copper Analytics blog to compare tools, setup patterns, and reporting workflows before making a decision.