Blue gradient overlay

ePrivacy PECR Flash Briefing

PECR Checklist - how do you match up to our initial five point plan?

  • Audit your sites' cookies - for number, function and how they work
  • Update your Cookie consent form
  • Change your site to only deploy the correct cookies at the right time
  • Update your Cookie page
  • Update your social media profiles

Key questions answered


Privacy and Electronic Communications Regulations (PECR) say that you must tell people the cookies are there, explain what the cookies are doing and why and get the person’s consent to store a cookie on their device.

When? Since June 2019, sites have been expected to comply with the higher level of consent in GDPR for their cookie notices, too.


  • Your cookie consent form must be clear
  • Positive action must be taken for consent (No pre-ticked boxes)
  • Clearly explain the cookies that will be set and what they do – including any third party cookies and strictly necessary cookies
  • Users must have control over any non-essential cookies, like analytics, marketing or social
  • Non-essential cookies must not be set on landing pages before you gain the user’s consent
  • Your Cookie page and social media profiles must be updated.
  • Who?
  • This applies to all sites, even if you have used a 'legitimate interest' argument for GDPR or have a cookie wall

What's the tricky bit? 

PECR applies to your specific cookies, and your site may have a lot of them. Each one may work differently, and whilst we already have a long list of ones we have seen there are thousands of services, which use cookies. The technical challenge is stopping cookies being deployed on your site, which can be tricky with some services.

How does the NDP PECR Audit work? 

First, we will run a cookie scan on your website, in order to identify all the cookies that can be set by all the pages and elements of the site. We review the results of the scan and categorise all the cookies identified across three categories:

  • Essential (which is defined as essential to the proper functioning of the website from the user's perspective). For instance, cookies necessary to track the items that a user has added to their shopping cart on the site.
  • First party: cookies directly set by the website (for instance, Hotjar or Google Analytics cookies).
  • Third party: cookies set by other services, via embedded elements on your site (for instance, cookies set by Google when a user views a YouTube video embedded on your site, or by Facebook/Twitter if a user clicks a social sharing button on one of your site's pages).

Finally, we will review each cookie, how it is set and how we can block it (if it is non-essential and a user chooses to reject cookies). At the end of this process, we will deliver the conclusions of our Cookie Audit to you, which will include our recommendations on how to manage the cookies on your site.