Now taking new projects, limited availability each month.

Do You Need a Cookie Banner on Your Website? A Plain-English Guide

You have almost certainly seen cookie banners — those pop-ups that ask whether you accept tracking before you can read a page. They seem like a standard feature of the modern web. But do you actually need one on your website? The answer depends on what your site does, not what everyone else has done.

If your website uses Google Analytics, Facebook Pixel, advertising cookies, or any other non-essential tracking, you need a cookie banner under UK law. If your site only uses cookies that are strictly necessary for it to function — such as remembering a visitor's preferences — you do not need a banner, though a brief privacy notice is still good practice.

There is a particular moment most people know well. You arrive at a website — perhaps looking up a plumber's opening hours or checking a local restaurant menu — and before you can read a single word, a large panel appears asking whether you consent to cookies. You click something, vaguely, mostly just to make it go away. Then you wonder, briefly, what you just agreed to.

If you are building a website of your own, you may now be wondering whether you need to do that to other people. The honest answer is: it depends on what your site actually does. The assumption that every website needs a cookie banner is understandable, but it is not correct — and acting on it can mean either adding unnecessary complexity or, worse, adding a banner that does not actually comply with the rules.

Let us start with what a cookie actually is.

What Is a Cookie?

A cookie is a small text file that a website saves onto your device when you visit it. The website can then read that file on future visits. That is it. The name is faintly whimsical — they were named after fortune cookies because they contain a small piece of information hidden inside.

What matters is what that information is used for. Some cookies are there purely to make the site work: they remember what is in your basket, or that you have already logged in. Without them, the website would not function. These are called "strictly necessary" cookies, and no one needs to ask your permission to use them.

Other cookies go further. They record which pages you visit, how long you spend reading, where you came from, and what device you are carrying. This information flows either back to the website owner — who wants to understand their visitors — or outward to advertising networks, which use it to follow you around the internet. These are "non-essential" cookies. And this is where the rules begin.

What UK Law Actually Says

In the UK, the relevant rules come from the Privacy and Electronic Communications Regulations — commonly known as PECR — alongside the UK GDPR. The core requirement is not complicated, even if it is often implemented badly: before you place non-essential cookies on someone's device, you must explain what those cookies do and get their genuine consent. They must be able to say no just as easily as they can say yes, and with no penalty for doing so.

In practice, a cookie banner is required if your website uses:

  • Google Analytics. This tracks visitor behaviour — pages visited, time spent, traffic sources. It is non-essential and requires consent.
  • Facebook Pixel or similar. These connect your website visitors to advertising platforms. They are non-essential and require consent.
  • YouTube embeds. Embedding a YouTube video on your site causes YouTube to set cookies on your visitors' devices. These require consent.
  • Live chat tools. Many live chat tools set cookies. Check whether yours does.
  • Advertising networks. Any cookie used to show or measure adverts requires consent.

The test is not what everyone else in your industry has done. The test is what your own site actually places on a visitor's device.

When You Do Not Need a Cookie Banner

If your website does none of the above, you may not need a cookie banner at all. A simple static website — one that shows your contact details, your services, a photograph of your team — can easily operate without any non-essential cookies. There is nothing to consent to, because there is nothing being tracked.

Hand-coded static websites are often completely cookie-free by nature. At GitFoundry, the sites we build do not place non-essential cookies unless a client specifically asks for analytics. When they do, we add a proper consent mechanism. But for a clean site with no tracking, asking visitors for permission would be asking them to consent to something that is not happening.

Even so, a short privacy notice is worth having — not as a legal shield, but as a small act of courtesy. A sentence in your footer explaining that your site does not track visitors takes seconds to write and reassures people who have learned, reasonably enough, to be cautious.

What Makes a Cookie Banner Actually Compliant?

This is where many websites quietly fail. The regulations require genuine informed consent — which means that accepting and declining must be equally easy, equally visible, equally unobstructed. A large green "Accept all" button sitting next to a greyed-out "Manage preferences" link in small print is not consent. It is the appearance of consent, and the ICO knows the difference.

A compliant cookie banner needs to do four things well:

  • Explain what cookies are being set and why.
  • Offer a genuine decline option that is as prominent as the accept option.
  • Not set any non-essential cookies until the visitor has consented.
  • Allow visitors to change their mind and withdraw consent later.

That last point is the one that catches people. If a visitor accepts cookies on Monday and comes back on Thursday wanting to change their mind, there should be a way for them to do so — usually a link in your privacy policy or a small accessible control somewhere on the page. It is not a high bar. It just requires having thought about it.

The Practical Answer for Most Small Businesses

Most small business websites can answer the question in a couple of steps.

Do you use Google Analytics? If you do, you need a proper cookie banner — one that holds Analytics back until the visitor has actively consented. Displaying a notice while running Analytics underneath it regardless is not compliance; it is decoration.

Do you embed YouTube videos, run Facebook Pixel, or use any other third-party tracking? The same answer applies: you need a banner, and you need the consent to be real.

Does your site do none of those things? Then you probably do not need a banner at all. A short privacy notice in your footer, explaining that your site does not track visitors, is enough. Write it plainly. People appreciate it.

There is something worth saying here that often goes unsaid. A website that collects no personal data and places no non-essential cookies is not a lesser thing — it is often a cleaner, faster, more trustworthy one. If you are building a new site, it is worth pausing before you add analytics to ask what you would actually do with the information. For many small businesses, the honest answer is: not much.

Frequently asked

What happens if I do not have a cookie banner and I should?
The Information Commissioner's Office (ICO) is the UK body responsible for enforcing these rules. For most small businesses, the risk of a formal fine for a missing cookie banner is relatively low — but non-compliance is still a legal issue, and it undermines the trust of visitors who notice. It is better to get it right from the start.
Can I just add a banner and not worry about what it does?
No. A cookie banner that does not actually block non-essential cookies until consent is given is not compliant — it is just cosmetic. The banner itself is not the point; blocking the cookies until consent is received is the point. If you use a cookie management tool, check that it is correctly configured to hold cookies until the visitor accepts.
Do I need a cookie banner if my website only has a contact form?
A contact form itself does not require cookies. If the form is served by a third-party tool that sets its own cookies — such as certain embedded form providers — those may be non-essential and require consent. A simple hand-coded contact form that sends an email does not set cookies.
Does GitFoundry add cookie banners to the sites it builds?
We add a cookie notice whenever a site uses Google Analytics or other non-essential cookies. If a site does not need tracking, we do not add one. Every site we build includes a clear privacy policy so visitors understand exactly what data, if any, is collected.