UK GDPR

UK General Data Protection Regulation + Data Protection Act 2018

Key Facts

Effective Date: May 25, 2018
Enacted: May 23, 2018
Enforcing Authority: Information Commissioner's Office (ICO)
Consent Model: Opt-in
Fulfillment Time: 30 days
Consent Recollection: 365 days
Applies To: Any organization processing personal data of UK residents

Overview

The UK GDPR is the retained version of the EU GDPR following Brexit, with consent standards identical to the EU version. Combined with PECR (the UK's cookie-specific law), it forms the complete legal framework for cookie consent in the UK. The UK adequacy decision was renewed in December 2025, valid until December 2031.

What This Means for Your Website

  • Consent must be freely given, specific, informed, and unambiguous via clear affirmative action
  • Pre-ticked boxes, silence, and inactivity do not constitute valid consent
  • Visitors must be able to withdraw consent as easily as they gave it
  • Data subject access requests must be fulfilled within one month
  • The ICO enforces both UK GDPR and PECR requirements

Key Requirements

The ICO enforces the UK GDPR with two penalty tiers: up to GBP 8.7 million or 2% of global turnover (Tier 1) and up to GBP 17.5 million or 4% of global turnover (Tier 2). The UK adequacy decision renewal ensures continued data flows between the UK and EU. Consent standards remain identical to the EU GDPR, maintaining consistency for organizations operating across both jurisdictions.

How ConsentStack Handles This

ConsentStack detects UK visitors and applies the same opt-in consent standards as the EU GDPR. The platform's GDPR-compliant consent banner meets both UK and EU requirements simultaneously.

Penalties

Tier 1: Up to GBP 8.7 million or 2% global turnover. Tier 2: Up to GBP 17.5 million or 4% global turnover.

Maximum Fine: GBP 17,500,000 aggregate
Revenue-based: 4% of annual revenue

Key Requirements

  • Consent must be freely given, specific, informed, and unambiguous
  • Pre-ticked boxes, silence, and inactivity are NOT consent
  • Withdrawal of consent must be as easy as giving it
  • Data subject rights aligned with EU GDPR
  • Data Protection Impact Assessments for high-risk processing

Notable Provisions

  • UK adequacy decision renewed December 2025, valid until December 2031
  • Consent standards identical to EU GDPR
  • Post-Brexit retained EU law

Other Europe Regulations

GDPR (European Union + EEA)
The GDPR sets the global standard for data protection, requiring explicit opt-in consent before processing personal data of EU/EEA residents. For websites, non-essential cookies must be blocked until visitors actively consent. Pre-ticked boxes and implied consent are invalid.
PECR (United Kingdom)
PECR is the UK's cookie-specific law, requiring consent before storing or accessing cookies. The DUAA 2025 significantly increased penalties from GBP 500,000 to GBP 17.5 million and introduced analytics exceptions on an opt-out basis. Only strictly necessary cookies are exempt.
ePrivacy Directive (European Union + EEA)
Article 5(3) of the ePrivacy Directive is the primary EU legal basis requiring cookie consent. It mandates prior informed consent before storing or accessing any information on a user's device, with narrow exceptions only for transmission necessity and explicitly requested services.
Loi Informatique et Libertés (France)
France has the most actively enforced cookie regime in Europe. CNIL issued 259 corrective decisions in 2025, with cookie-specific fines totaling EUR 486.8 million, including EUR 325M against Google. A "Refuse all" button or "Continue without accepting" option must appear on the first layer.
TDDDG (Germany)
Germany implements the ePrivacy Directive through Section 25 of TDDDG (renamed from TTDSG in May 2024). A Consent Management Ordinance (EinwV) became effective April 2025, establishing a voluntary framework for recognized consent management services. Cookie banners must not obscure website content.
SI 336/2011 (Ireland)
Ireland implements the ePrivacy Directive through SI 336/2011. The DPC is the lead supervisory authority for major tech companies headquartered in Ireland, including Meta, Google, Apple, and Microsoft. Uniquely, cookie consent is limited to 6 months and must then be refreshed.

Frequently Asked Questions

Is the UK GDPR different from the EU GDPR?

Consent standards are identical. The UK GDPR is the retained EU GDPR post-Brexit. The UK adequacy decision, renewed December 2025, ensures continued alignment until December 2031.

What are the UK GDPR penalties?

Up to GBP 17.5 million or 4% of global turnover, whichever is higher. The ICO enforces these through both UK GDPR and PECR.

Does the UK have a separate cookie law?

Yes. PECR (Privacy and Electronic Communications Regulations) is the UK's cookie-specific law. It works alongside the UK GDPR, which defines the consent standard.

Stay compliant with UK GDPR

ConsentStack helps you implement opt-in consent for the United Kingdom automatically.