If your website uses cookies — and almost every website does — you've probably wondered whether you legally need a cookie banner. The short answer is: almost certainly yes. Here's what you need to know.
What counts as a cookie?
A cookie is a small file stored in a visitor's browser. Cookies are used for all sorts of things: keeping users logged in, remembering shopping carts, tracking which pages are visited, and delivering targeted adverts. Even if you haven't deliberately added cookies, installing Google Analytics, a Facebook pixel, a live chat widget, or an embedded YouTube video will almost always place cookies on your visitors' devices.
When does the law require a cookie banner?
Under UK GDPR, EU GDPR, and the Privacy and Electronic Communications Regulations (PECR), you must obtain informed consent before placing non-essential cookies on a user's device. Non-essential means any cookie that isn't strictly necessary for the website to function — so analytics cookies, marketing cookies, and preference cookies all require consent. Strictly necessary cookies (like session cookies that keep a user logged in) do not require consent, but you must still disclose them in your privacy or cookie policy.
Does the size of my website matter?
No. GDPR applies equally to a sole trader with a personal portfolio site and a FTSE 100 company. If you collect personal data from people in the UK or EU — which includes IP addresses captured by analytics tools — the rules apply to you. There is no small business exemption.
What if I only use Google Analytics?
Google Analytics uses cookies and collects IP addresses, which are personal data under GDPR. You need consent before loading it. Google's own Consent Mode v2 is designed to let Analytics work even when consent is declined, sending cookieless pings instead — but you still need a compliant consent banner in place to drive the consent signal.
What happens if I don't have a cookie banner?
Regulators across Europe have issued millions of euros in fines for missing or non-compliant cookie banners. In the UK, the ICO has the power to fine up to £17.5 million or 4% of global turnover. For most small businesses the immediate risk is a formal enforcement notice or complaint, which can be time-consuming and reputationally damaging even if no fine is issued. The practical fix takes minutes — a compliant banner like MyCookieKit can be live on any site in under 2 minutes.
The bottom line
If your website uses Google Analytics, a Facebook pixel, YouTube embeds, advertising scripts, live chat, or any third-party tool that sets cookies, you need a cookie consent banner. The good news is that adding one is straightforward. A single line of code is all it takes.