PECR and the Cookie Rule: Analytics Without a Banner
The UK's PECR is the reason cookie banners exist. What the rule actually says, why analytics cookies are not "strictly necessary", and how to measure without one.
Last reviewed July 2026
Every cookie banner in Europe traces back to one rule. In the UK it lives in PECR, the Privacy and Electronic Communications Regulations, which implement the EU ePrivacy Directive. The rule is short: storing information on someone's device, or accessing information already there, requires clearly informed consent, unless it is strictly necessary for a service the person asked for.
Analytics teams meet this rule the moment they add a measurement script. This guide explains what it demands and how to measure without triggering it. It is general information, not legal advice.
What the rule actually says
Regulation 6 of PECR is technology-neutral. It covers cookies, localStorage, and any script that reads information from the device, fingerprinting included. Two things follow that surprise people:
- It does not matter whether the data is personal. The GDPR regulates personal data; PECR regulates the act of storing and reading on a device. A cookie holding a random ID still needs consent.
- First-party cookies are not exempt. The exemption is about necessity, not about who sets the cookie.
The strictly-necessary exemption is narrow: shopping baskets, login sessions, security tokens, consent choices themselves. The ICO's guidance says plainly that analytics cookies are not strictly necessary, however useful they are to the site owner. The visitor asked to read the page, not to be measured.
Consent, meanwhile, must meet the GDPR standard: a real choice, informed, and as easy to decline as to accept. "By continuing to browse you agree" stopped being acceptable years ago.
The cost of the banner
Complying via a banner works, but the measurement price is heavy. Between visitors who click reject and visitors who never interact with the banner at all, cookie-based analytics commonly loses 30 to 60 percent of sessions in the UK and EU. Campaign numbers, conversion rates, and content decisions all inherit that gap. The banner also adds friction on exactly the first pageview where bounce is decided.
Measuring without triggering the rule
PECR's rule has a clean escape: do not store, and do not access. An analytics approach that writes nothing to the device and reads nothing from it beyond the standard HTTP request the browser sends anyway sits outside Regulation 6 entirely. There is nothing to consent to, so there is no banner.
That is the design behind cookieless analytics and behind Analyse. Visits, sources, and funnels are counted server-side from short-lived, non-reversible tokens, nothing persists on the device, and no fingerprint is built. The same design keeps you clear of the GDPR's consent requirements, covered in the GDPR guide, because no personal data is kept either.
One caution: "cookieless" only escapes PECR if it is honest. A tool that skips cookies but actively fingerprints devices is accessing information on the device and is back inside the rule, with regulators increasingly explicit on that point.
A practical checklist
- Open your site's developer tools and list every cookie and localStorage entry your pages set. Attribute each one to a tool.
- Sort them into strictly necessary and everything else. Analytics, A/B testing, and marketing tags land in the second pile.
- Either gate that second pile behind a compliant consent banner, or replace the tools with ones that do not store or access at all.
- If you go cookieless for analytics, remove the analytics entry from your banner or drop the banner entirely if nothing else needs it. The GA4 comparison shows what changes in practice.
- Keep records. A short note of what each remaining cookie does is most of a PECR cookie audit.
Frequently asked questions
Are analytics cookies exempt from PECR consent?
No. The ICO is explicit that the strictly-necessary exemption does not cover analytics, because the site works without measurement. First-party analytics cookies need consent just like third-party ones.
Is PECR the same as the GDPR?
No. PECR implements the ePrivacy Directive in the UK and regulates storing or accessing anything on a device. The GDPR regulates personal data. Analytics cookies usually trigger both, and consent under PECR must meet the GDPR's standard.
Does PECR apply to localStorage and fingerprinting too?
Yes. The rule covers storing information or gaining access to information on a device by any technique. Regulators treat localStorage, scripts reading device details for fingerprinting, and similar methods the same as cookies.
How do cookieless tools avoid the PECR consent requirement?
They neither store anything on the device nor read information from it beyond what the browser sends with any normal page request, so the storage-and-access rule is not triggered and there is nothing to ask consent for.
Analytics without the banner
Analyse measures every visitor, funnel, and traffic source without cookies, so there is nothing for a consent banner to ask about. Try every feature free for 3 days.
Start free