Do cookie banners make you GDPR compliant? (No — here's the rest)
Short answer: no. A cookie banner covers one obligation — getting consent before non-essential cookies load — and even then, most banners are set up in a way that doesn’t actually meet the rule. Real compliance also covers your privacy notice, contracts with the apps that handle your data, retention, and responding to data requests. The banner is the doormat, not the house.
What does UK cookie law actually require?
Cookies are governed by PECR (the Privacy and Electronic Communications Regulations), which works alongside UK GDPR. The core requirement is simple to state and easy to get wrong: non-essential cookies and similar tracking must not be set until the user has given consent.
“Non-essential” means anything not strictly required to deliver the service the visitor asked for — analytics, advertising pixels, some chat widgets, some reviews and personalisation tools. Cookies that are genuinely essential (keeping a shopping basket, security, remembering the visitor's own consent choice) don’t need consent. “Essential” is judged from the visitor’s side, not the business’s: a cookie the marketing team finds useful is not thereby strictly necessary. The line between the two is where most stores slip.
Why most cookie banners quietly fail
A banner on the page is not the same as compliance. The common failures are:
- Tags fire before consent. The banner appears, but the analytics and ad scripts have already loaded in the background. Under PECR, that consent came too late — it wasn’t consent at all.
- No real “reject”. If refusing is harder than accepting — hidden, greyed out, or several clicks away — the consent isn’t freely given.
- Pre-ticked or implied consent. “By continuing to browse you agree” does not meet the standard. Consent must be a clear, affirmative action.
- No record. Even a correct banner leaves you exposed if you can’t later evidence who consented to what and when.
The awkward truth is that a store can have a perfectly nice-looking banner and still be non-compliant on every one of these points, because the failures are invisible from the front end.
What compliance covers beyond cookies
Treating cookies as the whole job is the classic trap. For a typical UK online business, the obligations that also apply include:
- A privacy notice that matches reality — what you collect, why and on what lawful basis, who you share it with, how long you keep it (UK GDPR Articles 13–14).
- Data Processing Agreements with your apps — every third-party tool that touches customer data is a processor you need a contract with (Article 28).
- Data retention — a lawful reason to hold each type of data, and a point where you delete it.
- Subject access requests — a copy of the personal data you hold on a customer, plus the supplementary information Article 15 lists, within one month of receipt (extendable by up to two further months only for genuinely complex or numerous requests).
Cookie consent is one of these — an important one, but one. Buying a banner and considering the job done is how the other obligations quietly drift out of compliance.
How to check your cookie setup (and the rest)
The reliable way to know whether your banner actually holds up is to look at what loads before consent, on the live site — not what the settings claim. In practice that means opening the browser’s developer tools on a fresh session with no stored consent, loading the page, and listing the third-party requests that fire before you touch the banner; any analytics or advertising host in that list is a PECR failure regardless of how the banner looks. That check, plus the wider signals (privacy notice, security, business identity), is exactly what GuardianStack’s free public check reviews in about 30 seconds, in plain English, with each finding mapped to the rule behind it.
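The two mechanics behind the failures listed earlier (tags firing before consent, and no record of consent) and the check just described are easier to see in code. The block below is an added example written for this page; it is not code from the page or from GuardianStack. It shows a minimal consent gate that queues third-party tag loaders until an affirmative choice is recorded, refuses anything that is not an explicit click, writes a timestamped record, and a log check that flags tracker requests captured before the consent timestamp. The category names, the `explicit-click` source value, the record shape, the tracker host list, the loader functions and the sample request log are all constructed for the demo (hypothetical); a real site would inject `<script>` tags in the loaders and persist the record server-side.

```javascript
// Added example (not from the original page): consent-gated tag loading
// plus a "what fired before consent" log check. All names are hypothetical.

const CATEGORIES = ['analytics', 'advertising', 'personalisation'];

class ConsentGate {
  constructor(policyVersion) {
    this.policyVersion = policyVersion;
    this.pending = [];   // tag loaders waiting for a decision
    this.fired = [];     // names of loaders that have actually run
    this.record = null;  // consent record; stays null until the visitor decides
  }

  // Queue a third-party tag. Nothing runs here unless consent for this
  // category is already on file from an earlier explicit decision.
  register(category, name, load) {
    if (this.record && this.record.granted[category]) {
      load();
      this.fired.push(name);
    } else {
      this.pending.push({ category, name, load });
    }
  }

  // Record a decision. `source` must describe an affirmative action;
  // "continuing to browse" or a pre-ticked box is rejected outright.
  // Any category the visitor did not actively tick is treated as refused.
  decide(choices, source) {
    if (source !== 'explicit-click') {
      throw new Error('consent must be an affirmative action, got: ' + source);
    }
    const granted = {};
    for (const c of CATEGORIES) granted[c] = choices[c] === true;
    this.record = {
      granted,
      timestamp: new Date().toISOString(),  // evidence of when consent was given
      policyVersion: this.policyVersion,    // evidence of what they consented to
      source,
    };
    const stillPending = [];
    for (const tag of this.pending) {
      if (granted[tag.category]) {
        tag.load();
        this.fired.push(tag.name);
      } else {
        stillPending.push(tag);  // refused: never loaded
      }
    }
    this.pending = stillPending;
    return this.record;
  }
}

// Check side: given a request log captured from a fresh session and the
// moment the visitor decided, return tracker requests that fired too early.
// The host list is constructed for the demo.
const TRACKER_HOSTS = ['www.google-analytics.com', 'connect.facebook.net'];

function firedBeforeConsent(requestLog, consentTimestamp) {
  const cutoff = Date.parse(consentTimestamp);
  return requestLog
    .filter((r) => Date.parse(r.time) < cutoff)
    .filter((r) => TRACKER_HOSTS.includes(new URL(r.url).hostname))
    .map((r) => r.url);
}

// Walk-through with constructed loaders and a constructed request log.
function demo() {
  const gate = new ConsentGate('privacy-notice-v3');
  const loaded = [];
  gate.register('analytics', 'ga4', () => loaded.push('ga4'));
  gate.register('advertising', 'meta-pixel', () => loaded.push('meta-pixel'));
  const beforeDecision = loaded.length;  // 0: nothing ran at page load
  const record = gate.decide({ analytics: true }, 'explicit-click');
  // Constructed log: one tracker request 2.8 s before the decision, one after.
  const log = [
    { time: '2024-05-01T10:00:00.000Z', url: 'https://shop.example/basket' },
    { time: '2024-05-01T10:00:00.200Z', url: 'https://www.google-analytics.com/g/collect' },
    { time: '2024-05-01T10:00:05.000Z', url: 'https://connect.facebook.net/en_GB/fbevents.js' },
  ];
  const leaks = firedBeforeConsent(log, '2024-05-01T10:00:03.000Z');
  return { beforeDecision, loaded, record, leaks };
}
```

The point of the gate is that loaders are registered, not executed, at page load; the only path to `load()` runs through `decide()`, which refuses anything that is not an explicit click and records a refusal for every category not actively ticked. The check function is the automated form of the developer-tools test: the same log, taken from a session with no stored consent, should return an empty list.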
The bottom line
A cookie banner is necessary but nowhere near sufficient. Make sure the one you have actually blocks tracking until consent and records it — then look past it to the obligations a banner was never going to cover.
Sources
The primary sources behind this guide — check them yourself:
Frequently asked questions
Is a cookie banner legally required in the UK?
If your site sets non-essential cookies (analytics, advertising, some widgets), then under PECR you must get consent before they load, and a compliant consent mechanism — usually a banner — is how you do it. Sites that only use strictly necessary cookies don't need consent for those.
Does having a cookie banner mean I'm GDPR compliant?
No. A banner addresses cookie consent under PECR. UK GDPR also requires a truthful privacy notice, processor contracts (Article 28 DPAs), data retention limits, and honouring data subject requests. Cookie consent is one obligation among several.
Why might my cookie banner not be compliant?
The most common reasons are that tracking scripts load before the visitor consents, that rejecting is harder than accepting, that consent is implied rather than actively given, or that there's no record of consent. All of these are invisible from the front of the site, which is why they persist.
See where your store actually stands
Run a free outside-in compliance check of your website — no login required, results in about 30 seconds.