UK cookie banner in 2026 for UK SaaS: compliant and fast

Most UK SaaS founders are overthinking this. The UK cookie rules in 2026 are clearer than they have been for years — the Data (Use and Access) Act 2025 changed enough that first-party analytics is now largely exempt from consent, which is what sinks most builder projects in compliance dread. What is left is a fairly tight list of things you actually need, and almost all of it can be shipped in 30 minutes with Claude Code and shadcn/ui.

This is a builder's playbook. Plain English on the regs, a decision tree for essential vs non-essential cookies, three implementation paths with code sketches, and the honest answer on when you actually need a paid Consent Management Platform (spoiler: later than the vendors want you to believe).

The UK rules in plain English

Three pieces of law together decide what goes in a UK cookie banner:

1. UK GDPR — the data-protection framework. Controls what you do with personal data, including data derived from cookies.
2. PECR (Privacy and Electronic Communications Regulations 2003, as amended) — this is the cookie-specific law. Regulation 6 is the one that matters: you need consent for any storage of information on a user's device, with narrow exceptions.
3. DUA Act 2025 (Data (Use and Access) Act 2025) — the newest piece. Among other things, it explicitly exempts first-party analytics cookies for site-improvement purposes from consent, provided data is properly anonymised.

Put together, the UK rules in 2026 are:

• Essential cookies (auth, session, Stripe checkout, cart state) — no consent needed.
• First-party analytics cookies for site improvement, anonymised — no consent needed (DUA Act 2025).
• Marketing, retargeting, third-party tracking cookies — consent required, opt-in, before the cookie is set.

That is the whole list. Everything else in this article is how to implement those three rules correctly.

Essential vs non-essential for a typical B2B SaaS

Walk through your SaaS and classify each cookie:

Essential (no banner needed):

• Authentication session (e.g. Supabase auth cookie).
• CSRF token.
• Stripe Checkout cookie for in-flight payments.
• Shopping cart state.
• Load balancer / CDN routing cookies.
• Preferences strictly required for the app to function (language, currency).

Exempt under DUA Act 2025 (no banner needed) — if all conditions are met:

• First-party analytics cookies (your own domain only, not Google Analytics by default).
• Used solely for site improvement.
• Data anonymised (no identification of individual users).

In 2026, Plausible Analytics self-hosted or Umami Cloud EU configured correctly are the two common setups that meet the DUA Act exemption. Google Analytics does not meet it by default because it uses a third-party domain. Vercel Analytics is borderline — check the specific configuration; cookieless flavour is fine, the identified-user flavour is not.

Consent required (opt-in before loading):

• Marketing cookies (HubSpot, Marketo, Pardot).
• Retargeting pixels (Meta, LinkedIn, TikTok).
• Third-party embeds that drop cookies (YouTube default-embed, Intercom, Tawk.to chat widgets).
• Customer success tools that track named users (FullStory, Hotjar, Mixpanel).
• A/B testing tools with persistent cookies.

If your B2B SaaS only uses the first two categories, you strictly do not need a consent banner at all under UK law — just a clear cookie policy link in the footer.

The 2026 banner checklist

When you do need consent (third category above), the ICO's 2026 guidance expects your banner to have:

• A clear, concise purpose summary. Not "we use cookies to enhance your experience" — tell the user what cookies do.
• An Accept all button.
• A Reject all button, equally prominent to Accept. Same colour, same size, same weight. This is the single point most bad banners fail on.
• A Manage preferences link.
• Non-essential cookies blocked until consent is given. No pre-loading, no "we'll drop the cookies and respect your choice later" — that is non-compliant.
• No "cookie wall" — you cannot block access to the site unless the user consents. Users must be able to reject and continue.
• Pre-ticked boxes in preferences are invalid. All non-essential toggles must default to off.

That is it. Ten bullets. Ship them in a modal, a bottom bar, or an inline page section. No vendor required.

Three implementation paths

Path 1: Hand-roll with Claude Code (30 minutes)

For a solo UK builder with fewer than a few thousand users, this is the pragmatic choice.

The data model is tiny: a single localStorage value with a JSON object storing {acceptedAt: ISO-date, essential: true, analytics: bool, marketing: bool}. Render the banner if that key is missing or older than 12 months (the ICO's expected re-consent interval).

Minimal logic:

// cookie-consent.ts
const KEY = 'cookie-consent-v1';
const VERSION = 1;

export function getConsent() {
  try {
    const raw = localStorage.getItem(KEY);
    if (!raw) return null;
    const parsed = JSON.parse(raw);
    if (parsed.version !== VERSION) return null;
    const age = Date.now() - new Date(parsed.acceptedAt).getTime();
    if (age > 365 * 24 * 60 * 60 * 1000) return null;
    return parsed;
  } catch { return null; }
}

export function setConsent(choice: { analytics: boolean; marketing: boolean }) {
  localStorage.setItem(KEY, JSON.stringify({
    version: VERSION,
    acceptedAt: new Date().toISOString(),
    essential: true,
    analytics: choice.analytics,
    marketing: choice.marketing,
  }));
  window.dispatchEvent(new Event('cookie-consent-changed'));
}

export function acceptAll() { setConsent({ analytics: true, marketing: true }); }
export function rejectAll() { setConsent({ analytics: false, marketing: false }); }

The banner UI is a shadcn/ui Dialog or fixed bottom panel with three buttons. Load any marketing cookies conditionally by listening for the cookie-consent-changed event.

Claude Code will write this in two or three prompts. Test that non-essential scripts don't load until consent is given, and you are done. Total time to compliant: 30 minutes.

Path 2: Open-source library

If you don't want to hand-roll, cookieconsent by Orest Bida (https://github.com/orestbida/cookieconsent) is the strongest open-source option in 2026. MIT licence, under 20KB, fully ICO-compliant defaults, geo-targeting if you need it. Good for a solo builder who would rather configure than code.

Install, configure (about 10 lines of JS), done. 20 minutes. Zero ongoing cost.

Path 3: Paid Consent Management Platform

Only reach for a paid CMP (Usercentrics, Cookiebot, OneTrust) when one of these is true:

• You need geo-targeting (different banners for UK vs EU vs California residents).
• You have audit-trail requirements (enterprise sales, SOC 2, or regulated industry).
• You use dozens of third-party vendors and need them managed centrally.
• You have multiple domains and want a unified consent record.

Cost: GBP 20-80/month at the small-business tier. At the first-100-users stage of a UK SaaS, a CMP is almost always over-built. Defer the decision until real customers demand it.

UK-specific gotchas

1. Pre-ticked boxes are invalid consent — same rule as the EU. Default all non-essential toggles to off.
2. "Cookie walls" (block the site unless consent) are non-compliant under UK GDPR Article 7 and ICO guidance.
3. DUA Act 2025 analytics exemption is specific — first-party, site-improvement only, anonymised. Google Analytics does not qualify by default; Plausible self-hosted and Umami typically do.
4. Third-party embeds require consent before loading. YouTube's default embed sets third-party cookies; use youtube-nocookie.com or conditional loading behind consent. Same for HubSpot forms, Intercom widgets, Tawk.to chat.
5. Preferences must be re-accessible. A user who accepted must be able to withdraw consent later, typically through a footer link to a preferences page.
6. Re-consent every 12 months. The ICO expects you to re-ask if consent is older than a year. Your localStorage or cookie logic should check this.

Fine risk for a small UK SaaS

Headline ICO fines are up to GBP 17.5m or 4% of global turnover, which is the noise you'll see in legal-marketing posts. Real enforcement against a small UK SaaS in 2024-2026 has typically meant:

• A warning letter.
• A required fix within 28-90 days.
• Reputational visibility in the ICO's public enforcement register.

The ICO rarely fines a small business that is making a reasonable, traceable attempt at compliance and fixes issues promptly when flagged. The bigger practical risk is enterprise customers refusing to buy from a SaaS that has an obvious compliance gap. Either way, this is not something to lose sleep over if you have a functional banner; it is something to lose sleep over if you ignored it.

The 30-minute ship plan

1. Map your cookies. Classify as essential, DUA-exempt or consent-required.
2. Write the localStorage consent logic (Claude Code prompt: "Write a TypeScript module for cookie consent with accept/reject/preferences, localStorage-backed, 12-month re-consent").
3. Build the banner UI (Claude Code prompt: "Build a shadcn/ui bottom-banner with Accept all, Reject all and Manage preferences buttons, equal visual weight").
4. Wire the banner to your app root (Claude Code prompt: "Add the banner to _app.tsx, only render if consent is missing").
5. Make non-essential scripts conditional on consent (Claude Code prompt: "Load Meta Pixel and Intercom only when analytics or marketing consent is present").
6. Add a Cookie Preferences link in the footer that reopens the preferences modal.
7. Link a plain-English cookie policy page (one paragraph per cookie category).
8. Test: open incognito, verify reject blocks third-party cookies, verify preferences are remembered across navigation.

30 minutes, ICO-compliant, zero monthly cost.

Key takeaways

• Most UK B2B SaaS products need an opt-in banner for marketing cookies; session, auth and Stripe cookies are essential and do not need consent.
• The DUA Act 2025 exempts first-party analytics for site improvement, provided data is anonymised.
• Reject must be as easy as Accept; pre-ticked boxes and cookie walls are both non-compliant.
• A hand-rolled banner with Claude Code plus shadcn/ui ships in 30 minutes and is compliant for the first 1,000 users.
• Switch to a paid CMP only when you need geo-targeting, audit trails, or support for dozens of third-party vendors.

FAQs

Do I need a cookie banner for a UK SaaS that only uses session cookies?

No. Session cookies (auth, CSRF, Stripe checkout) are essential under PECR and do not require consent. A cookie policy link in the footer explaining what you use is good practice, but a consent banner is not legally required if your site only uses essential cookies.

Can I use Google Analytics without consent under the DUA Act 2025?

No, not by default. The DUA Act exemption is specifically for first-party, anonymised, site-improvement analytics. Google Analytics uses third-party cookies on google-analytics.com, which takes it outside the exemption. Plausible self-hosted, Umami, or a properly configured Vercel Analytics (cookieless mode) are the common setups that do qualify.

Is a hand-rolled cookie banner ICO-compliant?

It can be, yes. Compliance is about the banner's behaviour (reject-as-easy-as-accept, no pre-ticked boxes, no cookie walls, non-essential cookies blocked until consent, 12-month re-consent) not about the vendor behind it. A well-built hand-rolled banner is as compliant as a GBP 50/month CMP.

What is the ICO fine risk for a small UK SaaS with a bad banner?

In practice, the ICO's enforcement against small SaaS has been warning letters and fix-it orders rather than headline fines. The bigger risk is enterprise customers refusing to sign because of obvious compliance gaps. Either way, making a reasonable, traceable effort is the pragmatic standard.

When should I switch from a hand-rolled banner to a paid CMP?

When you need geo-targeting for UK + EU + California visitors, when you have audit-trail requirements from enterprise sales, when you use dozens of third-party vendors, or when you run multiple domains needing unified consent. For the first hundred or a thousand users of a typical UK SaaS, a hand-rolled banner is enough.

---

Get the latest free IdeaStack report each Thursday: ideastack.co. One deeply researched UK business idea, real keyword data, competitor analysis, builder prompts.