Cookie Consent Basics
What requires consent, what is exempt, and what you must implement.
The Legal Framework
In the UK, cookie consent is governed by PECR (Privacy and Electronic Communications Regulations) alongside UK GDPR. In the EU, the ePrivacy Directive (implemented nationally) and GDPR apply. Both regimes require informed consent before storing or accessing information on a user's device — unless an exemption applies.
Always confirm requirements with qualified legal counsel for your specific markets, product type, and data processing activities.
What Typically Requires Consent
- Analytics cookies — cookies that track browsing behaviour across sessions (e.g. Google Analytics, Mixpanel)
- Advertising/retargeting cookies — cookies used for targeted advertising or cross-site tracking
- Social media pixels — Meta Pixel, LinkedIn Insight Tag, etc.
- Cross-site identifiers — persistent IDs shared across multiple websites or services
- Device fingerprinting — identifying users by browser/device characteristics without explicit storage
What Is Usually Exempt
Strictly necessary cookies are generally exempt from consent requirements. Examples:
- Session cookies required for login and authentication
- Security tokens (CSRF protection)
- Load balancing and server session management
- Cookie consent preference storage itself
The key test: would removing this cookie prevent the user from completing a service they explicitly requested?
Key Implementation Requirements
Before consent is given
- Non-essential tags must not fire before a consent choice is made
- No pre-set cookies except strictly necessary ones
- Users should be able to access and use strictly necessary features without accepting cookies
The consent mechanism
- Consent must be freely given, specific, informed, and unambiguous
- An affirmative action is required — scrolling or continued use is not valid consent
- Users must be able to withdraw consent as easily as they gave it
- Consent choices must be stored with a timestamp and category breakdown
Granularity
- Users should be able to accept/reject by category (analytics, marketing, functional)
- Bundling all cookies into a single accept/reject is increasingly challenged by regulators
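One way to implement the gating, storage and withdrawal requirements above, as an added example (not code from this page or from any CMP): tags register under a category and load only after an explicit choice is recorded. The names `createConsentGate` and `memoryStorage` and the `consent_record` key are assumptions.

```javascript
// Added example: category-based consent gate. All names are hypothetical.
const CATEGORIES = ['functional', 'analytics', 'marketing'];

// Constructed in-memory stand-in for window.localStorage so this runs in Node.
const memoryStorage = () => {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
  };
};

function createConsentGate(storage, now = () => new Date()) {
  const KEY = 'consent_record'; // storing the choice itself is strictly necessary
  const tags = [];              // every registered tag, fired or not
  const fired = new Set();      // names of tags that have already loaded

  const read = () => {
    try { return JSON.parse(storage.getItem(KEY)); } catch { return null; }
  };
  // Default deny: a non-essential category is allowed only if stored as true.
  const allowed = (category) => {
    if (category === 'necessary') return true;
    const rec = read();
    return Boolean(rec && rec.categories && rec.categories[category] === true);
  };
  const flush = () => {
    for (const tag of tags) {
      if (!fired.has(tag.name) && allowed(tag.category)) {
        fired.add(tag.name);
        tag.load();
      }
    }
  };
  // Call only from an explicit user action (a button click), never on scroll.
  const record = (choices) => {
    const categories = {};
    for (const c of CATEGORIES) categories[c] = choices[c] === true;
    const rec = { timestamp: now().toISOString(), categories };
    storage.setItem(KEY, JSON.stringify(rec));
    flush();
    return rec;
  };
  const register = (name, category, load) => {
    tags.push({ name, category, load });
    flush();
  };
  return { register, record, withdraw: () => record({}), allowed, read };
}
```

Withdrawal here blocks further tag loads; cookies that a tag already set still have to be deleted separately.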
For OTT Web Players
Embedded video players often load third-party SDKs for analytics, DRM, and ad delivery. Each of these may set cookies or access local storage. They must be covered by your consent mechanism.
Common player SDKs that may require consent:
- Video analytics (Mux, Conviva, Youbora)
- Ad delivery SDKs (IMA, SpotX, Magnite)
- DRM SDKs (where they access device identifiers)
Start with a complete tag and SDK inventory before implementing your CMP.
Not sure if your consent setup is compliant?
We will review your banner, tag firing, and storage against current PECR/ePrivacy guidance.