
UK PECR and GA4: What the Privacy Regulations Mean for Your Analytics

Since Brexit, the UK operates under its own privacy framework: UK GDPR and the Privacy and Electronic Communications Regulations (PECR). For GA4 users, PECR is the more immediately relevant regulation because it specifically governs cookie use, and its requirements apply alongside UK GDPR.

What PECR Requires for Analytics Cookies

PECR requires that website operators obtain informed consent before setting non-essential cookies on a user's device.

GA4's _ga and _ga_XXXXXXXX cookies are persistent first-party cookies that store unique user identifiers. They are not "strictly necessary" for the website to function, which means PECR requires consent before they are set.

In practice, this often leads to the same outcome as GDPR consent requirements for analytics, but it applies through a different legal instrument.

The ICO (Information Commissioner's Office) has published guidance clarifying that analytics cookies require consent under PECR, and that this consent must be freely given, specific, informed, and unambiguous.

Pre-ticked consent boxes, cookie walls that block access unless users accept cookies, and consent notices that only present accept options without a genuine decline mechanism are all non-compliant under PECR as interpreted by the ICO.

PECR vs EU GDPR: Practical Differences for GA4

For organisations that operate in both the UK and EU, the practical difference between PECR and the EU ePrivacy Directive/GDPR is small in terms of GA4 implementation: both require consent before analytics cookies are set.

The divergence is more significant in enforcement approach and in potential regulatory developments.

The ICO has historically been less aggressive in enforcing cookie compliance than some EU data protection authorities, but it has signalled increasing intent to take action against non-compliant cookie implementations.

The UK's proposed reforms to data protection law (the Data Protection and Digital Information Bill, in various iterations) have at various points proposed relaxed requirements for analytics cookies, but PECR still requires consent for non-essential cookies under the current regime.

UK organisations using a CMP that was designed for EU compliance can generally apply the same consent logic to UK users, though the legal basis references in the privacy notice may need to cite UK GDPR and PECR rather than EU GDPR and the ePrivacy Directive.

Audit Checklist for PECR-Compliant GA4

A PECR compliance audit for GA4 should verify:

  • no GA4 cookies are set before user consent is obtained (test this by clearing cookies, visiting the site, and inspecting the cookie jar before interacting with the consent banner)
  • the consent banner clearly describes the use of analytics cookies and provides a genuine, prominently displayed option to decline
  • declining analytics cookies correctly triggers GA4's denied consent state and prevents the _ga cookie from being written
  • the consent choice is stored and respected on return visits, so users do not need to re-consent on every visit
  • your privacy policy accurately describes your use of GA4 and links to Google's privacy information.
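
The cookie checks in this list can be scripted over document.cookie snapshots taken at each step of a manual test (before touching the banner, after declining, on a return visit). The following is an added example, not part of the original article or any vendor tooling; the consent cookie name cmp_consent and the sample values are constructed assumptions, so substitute whatever your CMP actually writes.

```javascript
// Added example: checks document.cookie snapshots taken during a manual audit.
// Matches only the GA4 cookies named in the article: _ga and _ga_<ID>.
// Look-alikes such as _gid or _gat are deliberately not matched.
const GA4_COOKIE = /^_ga(_[A-Za-z0-9]+)?$/;

// Return the cookie names found in a document.cookie-style string.
function cookieNames(cookieString) {
  return cookieString
    .split(';')
    .map((pair) => pair.trim())
    .filter(Boolean)
    .map((pair) => pair.split('=')[0]);
}

// Return only the GA4 cookie names present in a snapshot.
function ga4Cookies(cookieString) {
  return cookieNames(cookieString).filter((name) => GA4_COOKIE.test(name));
}

// snapshots: document.cookie strings captured at each audit step.
//   beforeConsent: fresh profile, page loaded, banner untouched
//   afterDecline:  immediately after choosing "decline"
//   returnVisit:   a later visit by the same user who declined
// consentCookie: the name the CMP uses to store the choice (assumption).
function auditSnapshots(snapshots, consentCookie) {
  const findings = [];
  const pre = ga4Cookies(snapshots.beforeConsent);
  if (pre.length) findings.push(`set before consent: ${pre.join(', ')}`);
  const declined = ga4Cookies(snapshots.afterDecline);
  if (declined.length) findings.push(`set after decline: ${declined.join(', ')}`);
  if (!cookieNames(snapshots.returnVisit).includes(consentCookie)) {
    findings.push(`choice not stored: ${consentCookie} missing on return visit`);
  }
  const returned = ga4Cookies(snapshots.returnVisit);
  if (returned.length) findings.push(`decline not respected: ${returned.join(', ')}`);
  return findings;
}

// Constructed sample: a site that writes GA4 cookies before the banner is answered.
const SAMPLE = {
  beforeConsent: 'sessionid=abc123; _ga=GA1.1.1111111111.1700000000; _ga_ABCDEFGHIJ=GS1.1.1',
  afterDecline: 'sessionid=abc123; cmp_consent=analytics:denied',
  returnVisit: 'sessionid=def456; cmp_consent=analytics:denied',
};
console.log(auditSnapshots(SAMPLE, 'cmp_consent'));
```

An empty result means none of the three cookie checks failed; the banner wording and privacy policy items still need a manual review.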

The ICO also recommends that consent be documented: keeping records of what consent was presented to users, when, and what choices they made is best practice and defensible in the event of a regulatory enquiry.
