If you operate a website that can be accessed by visitors in the UK or EU, cookies are almost certainly regulated. The EU ePrivacy Directive (often called the "Cookie Law") and the UK's Privacy and Electronic Communications Regulations (PECR) impose clear obligations: certain cookies require explicit consent before they can be placed on a visitor's device, and you must provide a clear Cookie Policy explaining what you use and why.
Despite being over a decade old, cookie law remains poorly implemented across much of the web. Data protection authorities in the EU continue to issue significant fines for non-compliance, and the UK ICO has signalled increasing enforcement focus on cookie banners. Getting this right is not optional. For the broader data protection picture, see our companion guide on what a GDPR-compliant Privacy Policy must include.
What Are Cookies and Why Are They Regulated?
Cookies are small files placed on a user's device by a website. They can remember user preferences, track behaviour across sessions, identify returning visitors, and feed data into advertising systems. Some cookies are essential for the website to function; others exist purely to track or monetise user behaviour.
The regulation of cookies exists because non-essential cookies can intrude on personal privacy without the user's knowledge. The legal framework requires informed, active consent before such cookies are deployed — and that consent must be genuine, not manufactured through confusing banner design.
The Legal Framework
EU — ePrivacy Directive (2002/58/EC, amended 2009): The ePrivacy Directive requires that websites inform users about the use of cookies and obtain their consent before placing any non-essential cookies. Consent must meet the GDPR standard: freely given, specific, informed, and unambiguous. Pre-ticked boxes and "by continuing to use this site, you consent" banners do not meet this standard.
UK — Privacy and Electronic Communications Regulations (PECR): The UK's PECR sets out nearly identical requirements for cookies, email marketing, and tracking technologies. The UK ICO has stated that PECR rules apply to any organisation providing an information society service to people in the UK — regardless of where that organisation is based. A US LLC with a UK-facing website is within scope.
Which Cookies Require Consent?
Not all cookies require explicit consent. The law distinguishes between strictly necessary cookies and non-essential cookies.
Strictly necessary cookies — no consent required: Cookies that are essential for the website to function or to deliver a service explicitly requested by the user are exempt. Examples include session cookies that keep a user logged in, cookies that store shopping basket contents, and security-related cookies that prevent fraud.
Non-essential cookies — consent required before placement: Any cookie that goes beyond what is strictly necessary requires prior, explicit consent. This includes:
- Analytics cookies — such as Google Analytics, which tracks page visits and user behaviour
- Advertising and retargeting cookies — used to serve targeted ads across other websites
- Social media tracking pixels — Facebook Pixel, LinkedIn Insight Tag, TikTok Pixel
- Performance measurement cookies — tools that measure conversion rates or A/B test results
- Personalisation cookies — cookies that customise content based on inferred user preferences
What a Compliant Cookie Banner Must Do
Many websites display cookie banners that do not actually comply with the law. A compliant consent mechanism must meet all of the following requirements:
- Be presented before cookies are placed — not after, not simultaneously with placement
- Offer a genuine choice — there must be an equally prominent "reject" option alongside "accept"; hiding the reject option in fine print does not constitute valid consent
- Not use pre-ticked boxes — silence or inaction cannot constitute consent under GDPR or PECR
- Be specific — consent for "analytics" is different from consent for "advertising"; allow granular consent by category where possible
- Be documented — you must be able to demonstrate that consent was given, including when and how
- Allow easy withdrawal — users must be able to withdraw consent as easily as they gave it, at any time, without detriment
Dark patterns — such as making the "accept" button large and brightly coloured while the "reject" option is small and grey — have been found non-compliant by multiple EU data protection authorities, resulting in fines against both large platforms and smaller operators.
What Your Cookie Policy Must Contain
Alongside the consent banner, you must publish a Cookie Policy that provides full transparency about your cookie use. A compliant Cookie Policy should cover:
- A clear explanation of what cookies are and how they work
- Which cookies you use, categorised by type (necessary, analytics, marketing, personalisation)
- For each cookie: the name, provider, purpose, and duration (session or persistent, with expiry period)
- First-party vs third-party cookies — clearly distinguishing between cookies you set and those set by embedded third-party services
- Browser management instructions — how users can manage or delete cookies via their browser settings
- Links to opt-out tools — such as the Google Analytics opt-out browser add-on and the IAB opt-out framework for advertising cookies
- How users can withdraw consent — including a link back to the cookie consent banner or preference centre
- Contact details for privacy-related queries
The Cookie Policy should link to your Privacy Policy and vice versa. They are companion documents and regulators expect them to be mutually consistent.
Third-Party Cookies: A Special Consideration
Many websites use third-party tools that set their own cookies — Google Analytics being the most common example. When you embed or integrate third-party services, those services may set cookies on your visitors' devices regardless of your own cookie practices.
You are responsible for disclosing third-party cookies in your Cookie Policy and ensuring they are covered by your consent mechanism. The fact that Google, Facebook, or another third party sets the cookie does not relieve you of the obligation to obtain consent for it before it is placed.
Cookie Consent and Google Analytics
Following the introduction of Google Analytics 4 and updated EU regulatory guidance, the use of Google Analytics without proper consent is problematic in several EU member states. Austria, France, Italy, and others have found that routing analytics data through US servers without adequate transfer safeguards raises GDPR compliance issues alongside the consent requirement.
The practical implication is clear: analytics cookies must be categorised as non-essential, blocked by default, and only activated after the user gives explicit, informed consent. This applies regardless of whether you use GA4, a self-hosted analytics tool, or any other session tracking solution.
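The banner requirements listed earlier and the "blocked by default" rule above can be expressed as a small consent gate. This is an added example, not code from this site; the `createConsentGate` function, its `onChange` callback and the `method` labels are assumptions for illustration, and the category names follow the list used in this guide.

```javascript
// Added example: default-deny consent gate for non-essential cookie categories.
// Names (createConsentGate, onChange, method labels) are hypothetical.
const CATEGORIES = ["analytics", "marketing", "personalisation"];

function createConsentGate(onChange, now = () => new Date().toISOString()) {
  // Nothing is pre-ticked: every non-essential category starts as denied.
  const state = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  const log = []; // documentation of consent: what, when and how

  function set(category, granted, method) {
    if (!CATEGORIES.includes(category)) {
      throw new Error("unknown category: " + category);
    }
    log.push({ category, granted, method, at: now() });
    if (state[category] !== granted) {
      state[category] = granted;
      // The site loads the tag on grant, and stops it and clears its cookies on denial.
      onChange(category, granted);
    }
  }

  return {
    // Granular choice: only an explicit `true` counts. Missing keys,
    // truthy strings and silence all remain "denied".
    submit(choices, method) {
      for (const c of CATEGORIES) set(c, choices[c] === true, method);
    },
    // Withdrawal is a single call, as easy as giving consent.
    withdraw(category, method) {
      set(category, false, method);
    },
    // Check this before writing any cookie or injecting any third-party tag.
    allowed(category) {
      return category === "necessary" || state[category] === true;
    },
    records: () => log.map((r) => ({ ...r })),
  };
}

// Constructed usage: visitor accepts analytics only, then withdraws.
const demoGate = createConsentGate((c, g) => console.log(c, g ? "on" : "off"));
demoGate.submit({ analytics: true }, "banner");
demoGate.withdraw("analytics", "preference-centre");
```

Third-party tags such as Google Analytics belong behind the `allowed()` check as well, since the consent obligation covers cookies they set.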
Consequences of Non-Compliance
Cookie law enforcement has increased significantly in recent years. Major technology companies have received substantial fines for non-compliant consent mechanisms, and the French CNIL, Irish DPC, German DSK, and UK ICO have all published detailed guidance confirming that cookie banners must present genuine, uncoerced choice.
For smaller websites, the risk of an immediate large fine may be lower than for major platforms, but the legal obligation is identical regardless of business size. Non-compliant websites also risk user complaints, which trigger regulatory investigations that can result in enforcement action disproportionate to the original infringement.
Our Cookie Policy
You can read the Wyoming LLC UK Cookie Policy at cookie-policy.html. It categorises our cookies by type, explains what consent is required for each, and provides instructions for managing preferences at any time.
Need Help Setting Up Your US LLC?
We help UK and European founders form US companies remotely. If you are building a business that serves UK or EU customers, getting your legal documents right from day one matters — both for compliance and for the trust of your customers.