Clickport
Start free trial
Dashboard Engagement Tracking Goal Conversions Privacy First vs Google Analytics vs Matomo
For Bloggers For Affiliates For E-commerce For SaaS For Agencies
How It Works Blog Documentation GDPR Checker Updates WordPress Custom Events About Contact Status
· 26 min read

Cookie Consent and Analytics in the UK: What UK Website Owners Need to Know in 2026

Everything UK website owners thought they knew about cookie consent changed on 5 February 2026. The Data Use and Access Act introduced an analytics exception that shifts from opt-in to opt-out. Google Analytics doesn't qualify. Here's what does, what doesn't, and why it matters for your data.

Key Takeaways
  • The UK's ICO has roughly 1,000 staff and a £75 million budget but has issued exactly £0 in cookie fines since PECR came into force in 2003. France's CNIL, with 280 staff, has fined Google €150 million for cookies alone.
  • On 5 February 2026, the Data Use and Access Act introduced a statistical purposes exception that allows analytics cookies without consent. Instead of opt-in, you provide clear information and a simple opt-out. PECR fines simultaneously rose to £17.5 million.
  • Google Analytics almost certainly does not qualify for the DUAA exception. Google uses analytics data for its own advertising and AI purposes, making it a joint controller. The exception requires your analytics provider to act solely as your processor.
  • Cookie-based analytics miss 30-45% of UK visitors. Safari holds 30% UK market share (~43% on mobile) with ITP blocking third-party cookies. Ad blockers cover ~24% of UK adults. Compliant banners see 20-30% rejection rates.
  • The UK is the only major economy with a statutory analytics cookie exemption. The EU's Digital Omnibus proposes something similar but is not law yet. UK-only sites can act now. Sites serving EU visitors must still comply with EU rules.
In this article
  1. The UK's privacy paradox
  2. The ICO: 1,000 staff, £0 in cookie fines
  3. The rules you're actually subject to
  4. The DUAA: what changed on 5 February 2026
  5. Cookie consent: what gets you in trouble
  6. Google Analytics: technically legal, practically broken
  7. The data gap: what UK websites actually see
  8. UK vs EU: where the rules now diverge
  9. What's coming in 2026 and beyond
  10. What this means for your website
  11. Frequently asked questions

The UK's privacy paradox

George Orwell published "1984" in London in 1949. Seventy-seven years later, the country he warned about has 5.2 million CCTV cameras (one for every 13 people), a law requiring ISPs to store 12 months of internet connection records for every citizen, and a regulator that just made it easier to track website visitors without asking first.

The UK's relationship with privacy has always been a contradiction.

On one side: the Data Protection Act 1984 (one of the world's first), the Human Rights Act 1998 (Article 8: right to privacy), and organisations like Privacy International (founded in London in 1990), Big Brother Watch, and the Open Rights Group. Tim Berners-Lee, who invented the web, has spent two decades warning about the surveillance economy he accidentally enabled.

On the other side: GCHQ's Tempora program tapping 200+ fibre optic cables and sharing the data with the NSA. The Investigatory Powers Act 2016 (the "Snooper's Charter"), which Edward Snowden called "the most extreme surveillance in the history of western democracy." And in February 2025, Apple removed end-to-end encryption from iCloud in the UK rather than comply with a government demand for backdoor access.

The tension runs through cookie law too. The UK has strong data protection rules for companies and extensive surveillance powers for the state. A regulator with 1,000 staff that has never fined anyone for cookies. And a brand-new law that simultaneously relaxes analytics consent requirements and raises penalties to £17.5 million.

UK privacy milestones
1949
George Orwell publishes 1984 in London. "Big Brother is watching you" enters the English language.
1984
Data Protection Act 1984. One of the world's first comprehensive data protection laws.
1990
Privacy International founded in London. One of the world's oldest digital privacy organisations.
2003
PECR enacted. Cookie consent rules come into force. Zero fines issued in the 23 years since.
Jun 2013
Snowden reveals GCHQ's Tempora program. 200+ fibre optic cables tapped. 600 million telephone events per day.
Nov 2016
Investigatory Powers Act ("Snooper's Charter"). ISPs must store 12 months of internet connection records for every citizen.
May 2018
Data Protection Act 2018 and UK GDPR come into force.
Dec 2020
Brexit transition ends. UK GDPR becomes a standalone regime. ICO is now the sole regulator.
Feb 2026
Data Use and Access Act cookie exceptions come into force. Analytics cookies shift from opt-in to opt-out.

This is the country that produced the world's most famous anti-surveillance novel and named a surveillance law the "Regulation of Investigatory Powers Act." The privacy paradox is not a bug. It is the UK's operating system.

The Information Commissioner's Office (ICO) is the UK's data protection authority. It has roughly 1,000 employees, an annual budget of approximately £75 million, and offices in Wilmslow, London, Edinburgh, Belfast, and Cardiff. By headcount and budget, it is the largest single data protection authority in Europe.

It has issued exactly zero fines for cookie violations.

Not one, since PECR's cookie rules came into force in 2003. For comparison, France's CNIL (roughly 280 staff) fined Google €150 million and Facebook €60 million in January 2022 for making cookie rejection harder than acceptance. Spain's AEPD (roughly 270 staff) issues hundreds of data protection fines per year. The ICO, with nearly four times the staff, has collected £0 from cookies.

This is not because UK websites are compliant. In January 2025, the ICO reviewed the top 1,000 UK websites for cookie compliance. Of the first 200 assessed, 134 (67%) were non-compliant. After a year of letters and engagement, 564 websites improved. 17 received Preliminary Enforcement Notices. 21 remain non-compliant. But still: zero fines.

Cookie enforcement: ICO vs. CNIL
UK (ICO)
~1,000 staff, ~£75M budget
Total cookie fines: £0
Top 1,000 review: 67% initially non-compliant
Approach: letters, guidance, engagement
Largest overall fine: £20M (British Airways, data breach)
France (CNIL)
~280 staff, ~€24M budget
Cookie fines: €210M+ (Google + Facebook alone)
Google Analytics ruled illegal (Feb 2022)
Approach: enforce first, then guide
Largest overall fine: €150M (Google, cookies)
Both have the same cookie law origin (EU ePrivacy Directive). Same fundamental rules, radically different enforcement.

The ICO's approach has been described by Commissioner John Edwards as "pragmatic." He has called cookie banners "the most visible manifestation of data protection law" and admitted to clicking "accept all" on them "like everybody else." The ICO's stated priority is "the biggest harms," not technical cookie non-compliance.

The largest ICO fines tell the story. British Airways: £20 million (originally proposed at £183 million, reduced 89%). Marriott: £18.4 million (proposed £99 million, reduced 81%). TikTok: £12.7 million for processing children's data. All significant. None related to cookies.

But the ground is shifting. Private cookie litigation is emerging in the UK: individuals sending Letters of Claim to websites, demanding £500-1,000 per person for cookies placed without consent. And PECR fines just jumped from £500,000 to £17.5 million. The ICO's tolerance for cookie non-compliance may not survive that combination.

The rules you're actually subject to

Cookie consent in the UK is governed by Regulation 6 of PECR (Privacy and Electronic Communications Regulations 2003), the UK's implementation of the EU ePrivacy Directive. PECR is the actual cookie law. Most UK website owners have heard of GDPR. Far fewer have heard of PECR. But PECR is what governs whether you can set a cookie in the first place.

Prior consent is required for all non-essential storage and access technologies. If it stores information on, or reads information from, a visitor's device, and it is not strictly necessary to deliver the service the visitor requested, you need opt-in consent before it fires. Cookies, localStorage, sessionStorage, tracking pixels, scripts, fingerprinting. The law is technology-neutral.

There are two exemptions. A cookie is exempt if its sole purpose is transmitting a communication over a network, or if it is strictly necessary to provide a service the user explicitly requested. Session management, shopping carts, consent status storage, user authentication. That is the complete list.

Analytics cookies are not exempt. The ICO is unambiguous: analytics cookies measure website performance for the website operator's benefit, not the visitor's. They are not strictly necessary. They require consent. This applies regardless of whether the analytics tool is first-party, self-hosted, or "privacy-friendly." If it sets a cookie, you need consent.

PECR and UK GDPR are two separate layers. PECR applies first at the device-access layer (can you set this cookie?) and UK GDPR applies second at the data-processing layer (how can you use the data collected?). Even if you have a legitimate interest under UK GDPR for processing analytics data, that does not bypass PECR. Cookie consent is consent-only. There is no menu of lawful bases for device access.

How UK cookie law works: two layers
Layer 1: PECR (device access)
"Can I set this cookie / read this data from the device?"
Applies even if no personal data is involved
Only legal basis: consent (or strictly necessary exemption)
Legitimate interest does NOT apply here
↓ Only after PECR is satisfied ↓
Layer 2: UK GDPR (data processing)
"How can I process the personal data collected?"
Only applies if personal data is processed
Six lawful bases available (consent, legitimate interest, etc.)
If you already have PECR consent, use consent as your GDPR basis too
Cookieless analytics that don't access anything on the device skip Layer 1 entirely. No PECR consent required. Source: ICO guidance

If you target or offer services to UK visitors, PECR applies alongside the UK GDPR, regardless of where your business is based. If you set cookies on a UK visitor's device, you need to comply.

The ICO puts it plainly: "If you have obtained consent in compliance with PECR, then in practice consent is also the most appropriate lawful basis under the UK GDPR. Trying to apply another lawful basis such as legitimate interests when you already have UK GDPR-compliant consent would be an entirely unnecessary exercise."

The DUAA: what changed on 5 February 2026

The Data Use and Access Act 2025 (DUAA) received Royal Assent on 19 June 2025. Its cookie provisions came into force on 5 February 2026. This is the first meaningful post-Brexit divergence from EU cookie rules, and the single most important change for UK website analytics.

The DUAA introduces five exceptions to PECR Regulation 6:

  1. Communication: Cookies strictly necessary for communication transmission (existing, unchanged).
  2. Strictly necessary: Essential to provide a requested service (existing, unchanged).
  3. Statistical purposes: NEW. Analytics cookies can operate without prior consent.
  4. Appearance: Remembering display preferences like language or theme.
  5. Emergency assistance: Location data for emergency requests.

The statistical purposes exception is the one that matters for analytics. Here are the conditions:

Sole purpose must be aggregate statistics. The data must be collected for the purpose of understanding how a website or service is used, with a view to making improvements. It is "about how your service is used, not about who uses it."

No identification, tracking, or monitoring of individuals. The resulting data must be aggregate statistical data that cannot be used to identify people.

Third-party processors only. If using a third-party analytics provider, they must act solely as your processor. They cannot reuse the data for their own purposes.

Clear information required. You must provide "clear and comprehensive information" about what is being stored and why.

Opt-out required. You must provide a "simple and free" means for users to object, and you must stop if they do.

Does your analytics tool qualify for the DUAA exception?
Sole purpose is aggregate website usage statistics?
Clickport ✓ GA4 ✗
No identifying, tracking, or monitoring individuals?
Clickport ✓ GA4 ✗
Provider acts solely as your processor (no independent data use)?
Clickport ✓ GA4 ✗
No cross-site tracking or data combining?
Clickport ✓ GA4 ✗
Clear information provided to users?
Clickport ✓ GA4 ✓
Simple, free opt-out mechanism provided?
Clickport ✓ GA4 ✓
Google Analytics fails on purpose limitation (data feeds Google's advertising and AI systems), individual tracking (Client ID in _ga cookie), and controller status (Google is a joint controller, not a processor). Sources: ICO exceptions guidance, Data Protection Network analysis
DUAA analytics exception checker
Answer these questions about your analytics tool to see if it qualifies for the UK's statistical purposes exception.
1. Is the sole purpose of your analytics collecting aggregate statistics about how your site is used?
2. Does your analytics provider act solely as your processor (no independent use of the data)?
3. Is the data free from individual identification, tracking, or monitoring?
4. Do you provide clear information to users and a simple, free opt-out?

The distinction between "strictly necessary" and "statistical purposes" matters. Strictly necessary cookies require NO notification and NO opt-out. The statistical purposes exception requires BOTH clear information AND an opt-out mechanism. It is a middle ground: easier than full consent, stricter than essential cookies.

The ICO's draft guidance stresses that this "is not a broad exception." The ICO's finalised guidance on the new exceptions is expected in Spring 2026.

One more thing. PECR maximum fines rose simultaneously from £500,000 to £17.5 million or 4% of global annual turnover, aligning with UK GDPR. The message: the rules are slightly easier to follow, but the penalty for getting them wrong is 35 times higher than before.

The ICO has published detailed cookie guidance establishing concrete design requirements. Accept and Reject must be equally prominent. Pre-ticked boxes are invalid. Withdrawing consent must be as easy as giving it. No cookies before the user makes a choice.

Here is what has actually triggered enforcement.

Sky Betting and Gaming (Bonne Terre Ltd) received a formal ICO reprimand in September 2024 for dropping advertising cookies before users interacted with the consent banner. Between January and March 2023, personal data was shared with ad tech companies the moment users accessed the SkyBet website, before any consent was given. The ICO investigated after a complaint from Clean Up Gambling.

134 of the UK's top 200 websites failed compliance checks in January 2025. Common failures: no "Reject All" button on the first layer, cookies loading before any user interaction, and deceptive colour contrast between accept and reject options.

The ICO and CMA published a joint position paper on harmful design in digital markets (August 2023), identifying specific dark patterns that violate data protection law: no reject option on the first layer, deceptive colours, bundled consent, leading language, and pre-ticked boxes.

UK cookie enforcement: what went wrong
Sky Betting (Bonne Terre)
Ad cookies dropped before user interacted with consent banner. Data shared with ad tech on page load.
Reprimanded
134 of top 200 UK websites
No reject button, cookies before consent, deceptive colour contrast. 67% failure rate.
Warned
17 unnamed websites (top 1,000)
Failed to comply after initial ICO engagement. Received Preliminary Enforcement Notices.
PENs issued
The ICO reviewed 1,000 UK websites in 2025. By December, 979 passed compliance checks. 564 improved only after ICO intervention.

Pay-or-consent is permitted in the UK. Unlike the EU, where the EDPB has been sceptical of Meta's consent-or-pay model, the ICO has confirmed that "consent or pay" is allowed provided there is no power imbalance, the price is appropriate, and choices are presented with equal prominence. Multiple UK publishers have adopted it: The Sun (£4.99/month), The Guardian (£5/month), The Independent (£4/month), and several others.

One ruling limited the risk of mass cookie litigation. In Lloyd v Google (November 2021), the Supreme Court unanimously ruled that "loss of control" of personal data alone is not compensable. Each claimant must prove individual material damage or distress. This effectively closed off US-style class actions over cookies. But individual claims under PECR Regulation 30(1) are still viable, and the volume is growing.

The ICO has not ruled on Google Analytics specifically. Unlike Austria (December 2021), France (February 2022), and Italy (June 2022), the UK's data protection authority has never investigated or declared GA unlawful.

The transfer question is addressed. The UK-US Data Bridge (effective October 2023) extends the EU-US Data Privacy Framework to UK-US transfers. Google is DPF-certified. Sending analytics data to Google's US servers is currently legal from the UK.

But "currently legal" does not mean "compliant by default."

GA4 sets cookies that are not strictly necessary under PECR:

GA4 cookies and PECR status
_ga
Distinguishes unique visitors via Client ID. Duration: 2 years.
Consent required
_ga_<container-id>
Maintains session state. Duration: 2 years.
Consent required
_gac_<property-id>
Campaign/Google Ads information. Duration: 90 days.
Consent required
None of these qualify as strictly necessary under PECR. All require consent before being set. GA4 also does not qualify for the DUAA statistical purposes exception because Google uses analytics data for its own advertising and AI purposes. Source: Google's cookie documentation

GA4 does not qualify for the DUAA statistical purposes exception. Three disqualifying factors:

  1. Google uses analytics data for its own purposes. GA data feeds Google's advertising systems, machine learning models, and benchmarking products. Google is a joint controller of GA data, not a processor acting solely on your behalf.
  2. GA4 tracks individuals. The _ga cookie assigns a persistent Client ID that identifies returning visitors across sessions. This is individual tracking, not aggregate statistics.
  3. Cross-site data combining. Google processes analytics data across millions of properties. The exception requires single-site, aggregated-only analysis.

With Consent Mode v2 (required since March 2024 for UK and EEA websites), GA4 sends cookieless pings when consent is denied. Google uses machine learning to model the missing data. Google claims this recovers more than 70% of lost ad-click-to-conversion journeys, but the modelled data is estimated, not measured.

Meanwhile, Google abandoned its plan to deprecate third-party cookies in Chrome, partly under regulatory pressure from the CMA (Competition and Markets Authority). In December 2024, the ICO called Google's fingerprinting policy change "irresponsible." The relationship between the UK regulators and Google on privacy issues is not warm.

The data gap: what UK websites actually see

The UK has 68.1 million internet users (97.8% penetration), a £127 billion e-commerce market (one of the largest in Europe), 10.2 million .uk domains, and 5.7 million businesses. If you are making business decisions based on analytics data that misses a third of your visitors, those decisions are built on a biased sample.

Here is where the data disappears.

Where your UK visitor data disappears
Cookie consent rejected
Visitors who click Reject All on a compliant banner
~20-30%
Safari (ITP blocks third-party cookies)
30% all-device UK share, ~43% on mobile
~30%
Ad blockers
Block analytics scripts entirely
~24%
What cookie-based analytics actually see
After consent rejection, browser blocking, and ad blockers
~55-70%
Privacy-first analytics that don't use cookies or access device storage see 100% of visitors. No consent needed, no scripts to block. Sources: StatCounter UK, IAB UK, CookieYes

These numbers overlap (a Safari user who also has an ad blocker is counted once, not twice), so the combined loss is not the sum of each layer. The realistic estimate: cookie-based analytics on a UK website with a compliant banner see 55-70% of actual visitors. The rest are invisible, rejected, or blocked.

For context: 77% of all UK adult online time is on mobile (Ofcom, 2025), where Safari dominates. 68% of UK businesses have a website. Only 51% of UK organisations have implemented a consent management platform (DMA, 2023). The gap between what UK websites think they are measuring and what they are actually measuring is substantial.

UK vs EU: where the rules now diverge

The UK's DUAA analytics exception has no equivalent in EU law. The EU Digital Omnibus (proposed November 2025) includes a similar exemption for "aggregated audience measurement," but it is still in trilogue negotiations and not expected to take effect until mid-2027 at the earliest. For now, the UK stands alone.

UK vs. EU: analytics consent requirements in 2026
UK (PECR + DUAA)
Statistical purposes exception since Feb 2026
Opt-out model (no blocking consent banner needed)
No approved tools list (principles-based)
Pay-or-consent permitted
Max fine: £17.5M / 4% turnover
EU (ePrivacy Directive)
No EU-wide analytics exception (yet)
Opt-in consent required in most member states
France and Italy have national exemptions; Austria has none
Pay-or-consent: EDPB sceptical
Digital Omnibus proposed, expected mid-2027
The DUAA analytics exception only applies to UK visitors. Sites serving EU audiences must still comply with the relevant EU member state's cookie rules.

Other post-Brexit divergences relevant to analytics:

The practical implication: if your website serves only UK visitors, the DUAA analytics exception is available now. If your website serves both UK and EU visitors, you still need to comply with EU rules for EU visitors. A cookieless analytics tool that does not access device storage avoids the entire question in both jurisdictions.

What's coming in 2026 and beyond

ICO finalised cookie guidance (Spring 2026). The ICO consulted on draft guidance for the new DUAA exceptions until September 2025. Final guidance is expected in Spring 2026, which will clarify exactly how the statistical purposes exception works in practice, including what "simple and free opt-out" looks like.

PECR fines have teeth now. The increase from £500,000 to £17.5 million is not just symbolic. Private cookie litigation is growing. The ICO is expanding its review beyond websites to apps and connected TVs. The first major PECR fine feels imminent.

EU Digital Omnibus. The proposed regulation would create an EU-wide analytics consent exemption similar to the UK's DUAA. If adopted (expected mid-2027), it would harmonise the approach across 27 EU member states. Tools that qualify under the DUAA exception today will likely qualify under the Omnibus.

The DPF's uncertain future. Philippe Latombe's appeal to the CJEU to invalidate the Data Privacy Framework is pending, with a ruling expected in late 2026 or 2027. The PCLOB (Privacy and Civil Liberties Oversight Board), cited 31 times in the European Commission's adequacy decision, has been gutted by the Trump administration. If the DPF falls, the UK-US Data Bridge would not automatically be invalidated. But the legal ground under US data transfers would shift again, and UK businesses relying on GA would face familiar uncertainty.

Cookie consent litigation. Private claims under PECR Regulation 30(1) are growing. Individuals and claims management companies are sending Letters of Claim to websites, demanding compensation for cookies placed without valid consent. The Lloyd v Google ruling limits class actions, but individual claims at £500-1,000 per person can add up fast.

What this means for your website

If you run a website that serves UK visitors, you have three paths.

Path 1: Google Analytics with a consent banner. The data transfer to the US is legal under the Data Bridge. But GA4 does not qualify for the DUAA analytics exception. You still need full opt-in consent. A compliant banner with an equally prominent reject button means 20-30% of visitors opt out. Add Safari's ITP and ad blockers, and you are making business decisions based on 55-70% of your actual traffic. PECR fines are now £17.5 million.

Path 2: Cookie-based analytics under the DUAA exception. If your analytics tool meets every DUAA condition (aggregate only, no individual tracking, provider acts as processor only, clear information, opt-out provided), you can deploy it without a blocking consent banner. You still need to tell visitors and provide an opt-out. But this is a significant improvement over full consent. The limitation: not many cookie-based tools qualify, because most use the data for their own purposes.

Path 3: Cookieless analytics. If your analytics tool does not store anything on the visitor's device and does not process personal data, PECR's consent requirement does not trigger. No cookie banner needed for analytics. No opt-out mechanism needed. 100% of visitors visible from the first page load. This is the cleanest compliance path under both UK and EU law.

Clickport is built for path 3. No cookies, no fingerprinting, no cross-site tracking. EU-hosted, privacy-first by design. Every visitor is visible. No PECR consent requirement. No dependency on the DUAA exception. No dependency on the Data Bridge staying valid. You can try it free for 30 days, no credit card required, and see the difference in your data within the first hour.

The UK just made it easier to run analytics without a consent banner. But the simplest way to comply has always been to not need the exemption in the first place.

Frequently asked questions

If your website sets any non-essential cookies (analytics, advertising, social media embeds), yes. PECR Regulation 6 requires consent for all non-essential device access. The DUAA statistical purposes exception (from February 2026) allows qualifying analytics cookies to run with an opt-out instead of opt-in, but you still need to inform visitors. If you use cookieless analytics that do not access the device at all, no banner is needed for analytics.

Does Google Analytics comply with PECR?

GA4 sets cookies (_ga, _ga_<container-id>) that are not strictly necessary under PECR. You need explicit opt-in consent before GA4 sets any cookies. GA4 also does not qualify for the DUAA statistical purposes exception because Google uses analytics data for its own advertising and AI purposes, and acts as a joint controller rather than solely as your processor.

The Data Use and Access Act 2025 introduced five new exceptions to PECR. The most significant is the statistical purposes exception, which allows analytics cookies without prior consent if they are used solely for aggregate statistics, do not identify individuals, and the provider acts only as your processor. You must provide clear information and a simple opt-out. PECR fines also rose from £500,000 to £17.5 million.

Does the UK DUAA analytics exception apply to all analytics tools?

No. It requires the analytics data to be used solely for aggregate statistics about how a service is used. The analytics provider must act only as your processor and cannot reuse the data for its own purposes. Google Analytics fails this test. Tools that collect aggregate-only, first-party data for the website operator's exclusive use are more likely to qualify. The ICO has not published an approved list; it is a principles-based assessment.

Is the UK analytics exception the same as France's CNIL exemption?

Similar in intent, different in structure. France's CNIL maintained a formal list of approved tools (now transitioning to self-assessment). The UK's DUAA exception is purely principles-based: no list, no tool-specific approval. The DUAA requires an opt-out mechanism, which France does not explicitly require. Both exempt aggregate, first-party analytics from blocking consent banners.

If you target or offer services to people in the UK, PECR applies alongside the UK GDPR, regardless of where your business is based. If you set cookies on a UK visitor's device, you need to comply. If you also serve EU visitors, you are subject to the relevant EU member state's cookie rules as well.

Has the ICO ever fined anyone for cookies?

No. The ICO has never issued a monetary fine specifically for cookie violations. It has used letters, warnings, reprimands, and Preliminary Enforcement Notices. The ICO prefers "engagement over enforcement" for cookies. However, PECR maximum fines rose to £17.5 million in 2026, and private cookie litigation (individuals claiming compensation under PECR Regulation 30) is a growing trend.

No. The ICO has explicitly stated that implied consent (scrolling, continuing to browse, closing a banner) does not meet the UK GDPR standard for consent. Consent must be a clear, affirmative action. Pre-ticked boxes are also invalid.

David Karpik

David Karpik

Founder of Clickport Analytics
Building privacy-focused analytics for website owners who respect their visitors.

Related articles

Cookie Consent and Analytics in Italy: What Italian Website Owners Need to Know in 2026

March 26, 2026 · 10 min read

82% of Italian websites still ran Google Analytics after the Garante ruled it illegal. Italy also has a consent exemption for analytics that most website owners have never configured. Here's the full picture.

Cookie Consent and Analytics in Poland: What Polish Website Owners Need to Know in 2026

March 18, 2026 · 18 min read

Poland was the world's #1 country for ad blocker usage. Opera, with its built-in tracker blocker, holds 21% of Polish desktops. UODO has received 53 noyb complaints and issued zero decisions. And the Pegasus spyware scandal showed what happens when surveillance goes unchecked. Here's the full picture for 2026.

Cookie Consent and Analytics in Austria: What Austrian Website Owners Need to Know in 2026

March 15, 2026 · 19 min read

Austria was the first EU country to rule Google Analytics illegal. Unlike France, there is no consent exemption for analytics cookies. 34% of Austrian websites dropped GA after the ruling. Here's the full picture for 2026.

Cookie Consent and Analytics in France: What French Website Owners Need to Know in 2026

March 14, 2026 · 17 min read

CNIL has issued nearly 900 million euros in cookie fines since 2020. Fewer than 25% of French visitors accept cookies. And there's a consent exemption most French websites don't know about. Here's the full picture for 2026.

Comments

Loading comments...

Leave a comment