Plain English explanation of the law, what it actually requires, and why proper cookie consent management is more complex than it looks.
Cookie banners exist because of legislation — specifically the UK PECR (Privacy and Electronic Communications Regulations) and, for sites targeting EU visitors, the GDPR. Together these laws require websites to tell visitors what cookies they use, what those cookies do, and — critically — to obtain consent before setting any cookies that are not strictly necessary for the site to function.
This applies to the vast majority of commercial websites because almost all of them use some form of tracking or analytics — Google Analytics being the most common. Google Analytics sets cookies. Those cookies track visitor behaviour. That tracking requires consent under UK and EU law.
The banner is how that consent is obtained.
The legal requirements are more specific than most people realise. A compliant cookie consent banner must:
That last point is where most cheap or DIY solutions fall short. Showing a banner is not enough — the site must actually withhold the cookies until consent is confirmed. That requires technical integration between the consent tool and every script or service on the site that uses cookies.
Important: This article provides general information only. Cookie and privacy law is complex and changes regularly. For advice specific to your website and business, consult a qualified legal professional or data protection specialist.
This is the question most website owners ask when they receive a quote for cookie consent management. The answer lies in what is actually involved.
A compliant cookie consent solution is not simply a pop-up that says "we use cookies." It is a consent management platform (CMP) that scans the site to identify all cookies, categorises them, blocks non-essential ones until consent is given, logs consent records, and provides a preference centre where visitors can change their choices. That is a sophisticated piece of software.
The cookies on a website depend entirely on what services and scripts it uses. Google Analytics, Facebook Pixel, YouTube embeds, live chat tools, payment processors, advertising networks — each sets its own cookies. A proper consent solution has to identify, categorise, and control all of them. The more services a site uses, the more complex the implementation.
Blocking scripts conditionally based on consent status is technically demanding. It requires the consent tool to load before anything else on the page, intercept all cookie-setting scripts, and release them only when appropriate consent is given — all without breaking the site or slowing it down noticeably. Getting this right takes time and expertise.
Under UK PECR and GDPR, businesses must be able to demonstrate that consent was obtained. That means logging consent records — who consented, when, to what, and using which version of the consent notice. Storing and managing those records requires infrastructure and ongoing maintenance.
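The conditional blocking described in the previous paragraph and the consent record described here, as an added example that is not part of the original article or any particular CMP's code. The category names, the notice version string, the visitor ID and the loader functions are assumptions made for illustration, and an in-memory array stands in for the browser's cookie store.

```javascript
// Added example: a minimal consent gate. Category names, the notice version
// and the loaders are hypothetical; a real CMP also needs persistent storage.
const CATEGORIES = ["necessary", "analytics", "marketing"];

function createConsentGate(noticeVersion, now = () => new Date().toISOString()) {
  const pending = new Map(CATEGORIES.map((c) => [c, []])); // loaders held back
  const granted = new Set(["necessary"]); // strictly necessary needs no consent
  const records = [];                     // append-only consent log

  // Register a script loader. It runs immediately only if its category is
  // already granted; otherwise it is queued and sets no cookies yet.
  function register(category, loader) {
    if (!pending.has(category)) throw new Error(`unknown category: ${category}`);
    if (granted.has(category)) loader();
    else pending.get(category).push(loader);
  }

  // Apply the visitor's choice: log who, when, what and which notice version,
  // then release only the queues for the categories that were accepted.
  function setConsent(visitorId, choices) {
    const accepted = CATEGORIES.filter((c) => c === "necessary" || choices[c] === true);
    records.push({ visitorId, at: now(), noticeVersion, accepted });
    granted.clear(); // a later, narrower choice stops future loads in dropped categories
    for (const c of accepted) {
      granted.add(c);
      for (const loader of pending.get(c).splice(0)) loader();
    }
    return accepted;
  }

  return { register, setConsent, records, isGranted: (c) => granted.has(c) };
}

// Constructed demo: "jar" stands in for document.cookie.
function demo() {
  const jar = [];
  const gate = createConsentGate("notice-v1", () => "2024-01-01T00:00:00.000Z");
  gate.register("necessary", () => jar.push("session"));
  gate.register("analytics", () => jar.push("analytics_id"));
  gate.register("marketing", () => jar.push("ad_pixel"));
  const beforeConsent = [...jar]; // what exists before any choice is made
  gate.setConsent("visitor-123", { analytics: true, marketing: false });
  return { beforeConsent, afterConsent: [...jar], record: gate.records[0] };
}

console.log(demo());
```

The useful check is `beforeConsent`: only the strictly necessary cookie exists until the visitor chooses, and the declined marketing loader never runs.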
Cookie and privacy law is not static. Guidance from the ICO (Information Commissioner's Office) evolves, court rulings change what is and is not acceptable, and the platforms themselves update how their scripts behave. A compliant solution today may need updating in six or twelve months. Consent management platforms factor ongoing compliance maintenance into their pricing.
A cheap or free cookie banner that simply displays a notice without actually blocking cookies is not compliant. It creates the appearance of compliance while providing none of the legal protection — and the ICO has the power to issue significant fines for non-compliance.
Consent management platform subscriptions for small business websites typically range from around £100 to £400 per year depending on the provider and the complexity of the site. Add the cost of professional implementation — correctly integrating the CMP with all the scripts on the site — and the total cost becomes clear.
For a simple site with minimal third-party scripts, implementation is relatively straightforward. For a site with advertising pixels, embedded social media, live chat, analytics, and payment tools all running simultaneously, implementation is a serious technical undertaking.
When a developer quotes what seems like a high price for cookie compliance, that price reflects the genuine complexity of doing it properly — not an attempt to overcharge for something simple.