Cookie consent implementation on healthcare websites is more complex than for standard business websites. Healthcare sites often collect sensitive patient data, integrate with NHS systems, use appointment booking platforms, and run analytics that track user behaviour across clinical service pages. Each of these activities involves cookies or similar tracking technologies that fall under UK data protection regulations.
Getting cookie consent wrong on a healthcare website carries heightened risk. The Information Commissioner's Office (ICO) has increasingly focused enforcement on healthcare organisations, and patients are more privacy-conscious when interacting with clinical services online. A non-compliant cookie banner does not just risk regulatory action; it undermines the trust that is essential to patient engagement.
This guide explains the legal requirements, practical implementation steps, and common mistakes to avoid when setting up cookie consent on UK healthcare websites.
Quick Answer
UK healthcare websites must comply with both PECR (Privacy and Electronic Communications Regulations) and UK GDPR when implementing cookie consent. Non-essential cookies (analytics, marketing, third-party integrations) require explicit opt-in consent before they are set. Strictly necessary cookies (session management, security) are exempt. Healthcare websites face additional scrutiny because they process health-related data and must ensure cookie consent mechanisms do not collect or infer health information without explicit consent. Use a consent management platform that supports automatic script blocking and provides granular category-level choices.
What are the legal requirements for cookies on UK healthcare websites?
Two pieces of legislation govern cookie use on UK websites: PECR and UK GDPR. Understanding how they interact is essential for compliant implementation.
Privacy and Electronic Communications Regulations (PECR)
PECR is the primary UK law governing cookies and similar tracking technologies. The key requirement is straightforward:
You must not set non-essential cookies on a user's device without their informed, explicit consent.
This means:
- Analytics cookies (Google Analytics, Hotjar, Clarity) cannot load until the user actively consents.
- Marketing cookies (Google Ads, Facebook Pixel, LinkedIn Insight) cannot load until consent is given.
- Third-party cookies from embedded content (YouTube videos, social media widgets, chat tools) cannot load until consent is given.
- The only exceptions are cookies that are "strictly necessary" for the service the user has requested.
UK GDPR
UK GDPR adds additional requirements about how the personal data collected via cookies is processed:
- You must have a lawful basis for processing the data collected by cookies.
- You must inform users about what data is collected and how it is used.
- Users must be able to withdraw consent as easily as they gave it.
- You must keep records of consent for accountability purposes.
Healthcare-specific considerations
Healthcare websites face additional complexities:
- Health data inference: If your analytics tracking reveals that a user visited pages about specific medical conditions or treatments, that browsing data could be considered health-related information, which is special category data under UK GDPR. This attracts a higher standard of protection and stricter consent requirements.
- NHS Digital requirements: If your website integrates with NHS systems, additional data handling standards may apply.
- Professional regulatory expectations: Bodies such as the General Pharmaceutical Council (GPhC), General Dental Council (GDC), and Care Quality Commission (CQC) expect healthcare providers to demonstrate responsible data handling online.
Key Takeaway
UK healthcare websites must comply with both PECR and UK GDPR for cookie consent. Non-essential cookies require explicit opt-in consent. Healthcare sites face the additional complexity that browsing data on clinical pages could constitute health-related information, requiring a higher standard of consent and data protection.
What cookie categories exist on a typical healthcare website?
Understanding your cookie landscape is the first step to compliant implementation. Conduct a thorough cookie audit to identify every cookie your website sets.
Strictly necessary cookies (exempt from consent)
These cookies are essential for the website to function and are exempt from consent requirements:
- Session cookies: Maintain user session state during a visit.
- Authentication cookies: Keep users logged into patient portals or booking systems.
- Security cookies: CSRF tokens and similar security mechanisms.
- Consent cookies: Store the user's cookie preferences.
- Load balancing cookies: Distribute traffic across servers.
Important: A cookie is only "strictly necessary" if the website or service genuinely cannot function without it. You cannot classify analytics or marketing cookies as strictly necessary.
Analytics cookies (consent required)
Analytics tools help you understand how patients use your website:
- Google Analytics 4: Sets multiple cookies (`_ga`, `_ga_*`, `_gid`) to track user sessions and behaviour.
- Hotjar / Microsoft Clarity: Session recording and heatmap cookies.
- Custom analytics: Any first-party analytics tracking you implement.
These cookies provide valuable insights but are not necessary for the website to function, so they require consent.
Marketing and advertising cookies (consent required)
Marketing cookies track users for advertising purposes:
- Google Ads remarketing: Tracks users to show targeted advertisements.
- Facebook Pixel / Meta Pixel: Tracks conversions and builds advertising audiences.
- LinkedIn Insight Tag: Tracks website visitors for LinkedIn advertising.
- Email marketing tracking: Cookies set by platforms like Mailchimp or ActiveCampaign.
Healthcare websites should be particularly careful with marketing cookies. Showing retargeted advertisements for medical services to patients who browsed clinical pages raises significant ethical and legal concerns.
Functional cookies (consent usually required)
Functional cookies enhance user experience but are not strictly necessary:
- Live chat cookies: Tools like Intercom, Zendesk, or Tidio set cookies for chat functionality.
- Video player cookies: YouTube and Vimeo set cookies that track viewing behaviour.
- Social media cookies: Share buttons and embedded posts set tracking cookies.
- Language and accessibility preference cookies: May be strictly necessary depending on implementation.
How to conduct a cookie audit
- Clear all cookies and cache from your browser.
- Visit your website and use a tool like Cookiebot's scanner, CookieMetrix, or the browser developer tools to identify all cookies set.
- Document each cookie: name, provider, purpose, duration, and type (first-party or third-party).
- Categorise each cookie into the appropriate consent category.
- Identify any cookies you cannot account for, which often indicates third-party scripts setting undocumented cookies.
- Repeat the audit quarterly, as third-party services frequently update their cookie behaviour.
Key Takeaway
Conduct a thorough cookie audit before implementing consent mechanisms. Document every cookie your website sets, categorise it correctly, and pay special attention to third-party cookies from embedded content and advertising platforms. Healthcare websites should be particularly cautious about marketing cookies that could track patients' health-related browsing behaviour.
How should you implement a cookie consent banner?
Implementation quality determines whether your consent mechanism is genuinely compliant or merely cosmetic.
Design requirements
Your cookie consent banner must meet these design criteria to be compliant:
Clear and prominent placement: The banner should be clearly visible when the user first visits the site. It should not be easily dismissed accidentally or hidden in a corner.
Plain language: Avoid legal jargon. Explain what cookies are and why you use them in straightforward terms that patients can understand.
Granular choices: Provide category-level consent options (analytics, marketing, functional) rather than just an "Accept All" button. Each category should have a clear description of what it includes and why.
Equal prominence for all options: The "Reject All" or "Decline Non-Essential" option must be as easy to find and use as the "Accept All" option. Using a bright, prominent button for "Accept" and a small text link for "Reject" is considered a dark pattern and is not compliant.
No pre-ticked boxes: All non-essential cookie categories must be unticked by default. Users must actively opt in.
Accessible design: The banner must be accessible to users with disabilities, including keyboard navigability, screen reader compatibility, and sufficient colour contrast.
Technical implementation
The technical implementation must ensure that non-essential cookies are genuinely blocked until consent is given:
Script blocking: The most reliable approach is to prevent non-essential scripts from loading until consent is received. This can be achieved by:
- Changing script `type` attributes from `text/javascript` to `text/plain` and modifying them back after consent.
- Using a consent management platform that handles script blocking automatically.
- Loading scripts dynamically via JavaScript only after consent is confirmed.
Server-side blocking: For cookies set by server-side processes, implement conditional logic that checks consent status before setting cookies.
Consent storage: Store the user's consent preferences in a first-party cookie (which is itself strictly necessary). This preference should persist for a reasonable period (typically 6-12 months) to avoid repeatedly asking returning visitors.
Consent withdrawal: Provide a persistent mechanism (typically a link in the footer labelled "Cookie Settings" or "Manage Cookies") that allows users to change their preferences at any time. When consent is withdrawn, previously set cookies should be deleted.
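Added example, not the article's or any vendor's code: a minimal first-party consent store that activates blocked `text/plain` scripts, records the choice in a strictly necessary cookie and expires cookies from withdrawn categories (flipping an existing script element's `type` back to `text/javascript` does not execute it, so a fresh element is inserted instead). The category names, the `cookie_consent` cookie, the `chat_session` name and the `www.<domain>` layout are assumptions.

```javascript
// Added example (not the article's code): minimal first-party consent store with
// blocked-script activation and clean-up of cookies from withdrawn categories.
const CONSENT_COOKIE = "cookie_consent";   // strictly necessary, so set without consent
const CONSENT_VERSION = 3;                  // bump whenever the banner wording changes
const CONSENT_MAX_AGE = 180 * 24 * 3600;    // 6 months, in seconds
const CATEGORIES = ["analytics", "marketing", "functional"];
// Constructed catalogue from a cookie audit; keep it in sync with the policy table.
// A trailing "_" is a prefix match, so "_ga_" covers GA4's _ga_<container-id>.
// "chat_session" is a placeholder name for a live-chat widget cookie.
const CATALOGUE = { analytics: ["_ga", "_ga_", "_gid"], marketing: ["_fbp"],
                    functional: ["chat_session"] };
function defaultConsent() {                 // no consent recorded: everything off
  return Object.fromEntries(CATEGORIES.map((c) => [c, false]));
}
// A malformed value or an older banner version counts as "no consent" (banner shown again).
function parseConsent(raw) {
  try {
    const obj = JSON.parse(decodeURIComponent(raw));
    if (obj.v !== CONSENT_VERSION) return null;
    return Object.fromEntries(CATEGORIES.map((c) => [c, obj[c] === true]));
  } catch { return null; }
}
function serializeConsent(prefs) {          // ts records when the choice was made
  const out = { v: CONSENT_VERSION, ts: Date.now() };
  for (const c of CATEGORIES) out[c] = prefs[c] === true;
  return encodeURIComponent(JSON.stringify(out));
}
// Cookies that must be expired because their category was withdrawn.
function cookiesToDelete(prev, next, existingNames) {
  const pats = CATEGORIES.filter((c) => prev[c] && !next[c]).flatMap((c) => CATALOGUE[c]);
  return existingNames.filter((n) =>
    pats.some((p) => (p.endsWith("_") ? n.startsWith(p) : n === p)));
}
// Browser glue, skipped without a DOM. Blocked scripts are authored as
// <script type="text/plain" data-category="analytics" src="..."></script>.
function applyConsent(next) {
  if (typeof document === "undefined") return;
  const m = document.cookie.match(new RegExp("(?:^|; )" + CONSENT_COOKIE + "=([^;]*)"));
  const prev = parseConsent(m ? m[1] : "") || defaultConsent();
  const names = document.cookie.split("; ").map((kv) => kv.split("=")[0]);
  const root = "." + location.hostname.replace(/^www\./, "");  // GA/Meta cookies sit on the registrable domain
  for (const n of cookiesToDelete(prev, next, names)) {
    document.cookie = `${n}=; Max-Age=0; path=/`;
    document.cookie = `${n}=; Max-Age=0; path=/; domain=${root}`;
  }
  document.cookie = `${CONSENT_COOKIE}=${serializeConsent(next)}; Max-Age=${CONSENT_MAX_AGE}; path=/; SameSite=Lax; Secure`;
  document.querySelectorAll('script[type="text/plain"][data-category]').forEach((s) => {
    if (!next[s.dataset.category] || s.dataset.activated) return;
    const live = document.createElement("script");   // changing type in place would not run it
    if (s.src) live.src = s.src; else live.textContent = s.textContent;
    s.dataset.activated = "1";
    s.parentNode.insertBefore(live, s.nextSibling);
  });
}
```

Call `applyConsent(prefs)` from the banner's save handler and again on every page load when a stored choice exists, because blocked scripts start as `text/plain` on each page.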
Consent management platforms for healthcare websites
Several platforms are well-suited to healthcare website requirements:
Cookiebot (by Usercentrics): Scans your website automatically to detect cookies, categorises them, and provides a configurable consent banner with automatic script blocking. Pricing starts from free for small sites, with paid plans for larger implementations. Strong PECR compliance features.
CookieYes: Cost-effective consent management with automatic script blocking, cookie scanning, and detailed consent logging. Good WordPress integration through a dedicated plugin.
Complianz (WordPress plugin): A WordPress-specific solution that detects cookies, generates a cookie policy, and implements a consent banner with script blocking. The premium version supports advanced features including consent logging and A/B testing of banner designs.
Osano: Enterprise-grade consent management with detailed audit trails, vendor management, and advanced compliance reporting. Suited to larger healthcare organisations with complex compliance requirements.
OneTrust: Enterprise platform used by NHS trusts and large healthcare groups. Comprehensive but complex and significantly more expensive than alternatives.
When choosing a platform, prioritise automatic script blocking capability. Manual implementations where developers must individually tag each script are error-prone and difficult to maintain as new third-party services are added.
What impact does cookie consent have on analytics?
One of the most common concerns healthcare website owners raise is the impact of cookie consent on analytics data. When users decline analytics cookies, their visits are not tracked, resulting in incomplete data.
Typical consent rates
Across UK healthcare websites, typical analytics cookie consent rates range from 40% to 70%, depending on the consent banner design and the trust relationship with the audience. This means 30% to 60% of visits may not appear in your analytics.
Mitigating analytics data loss
Several approaches can reduce the impact without compromising compliance:
Server-side analytics: Tools like Plausible Analytics or Fathom operate without cookies and can be classified as strictly necessary if configured correctly (no personal data collection, no cross-site tracking). This provides basic traffic data without requiring consent.
Google Consent Mode v2: Google Analytics 4 supports consent mode, which sends cookieless pings when consent is not given. Google uses modelling to estimate the behaviour of users who declined consent, providing more complete (though estimated) data.
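Added example, not the article's or Google's code, of the ordering Consent Mode v2 depends on: the default state is pushed before gtag.js loads and an update follows the user's choice; the `prefs` shape and the 500 ms `wait_for_update` value are assumptions.

```javascript
// Added example (not the article's code): Consent Mode v2 bootstrap. The "default"
// call must run before the gtag.js <script> tag loads; otherwise the first hits
// go out with storage granted. Category names match an assumed banner.
const dataLayer = typeof window !== "undefined" ? (window.dataLayer = window.dataLayer || []) : [];
function gtag() { dataLayer.push(arguments); }

// Everything denied until the user chooses. wait_for_update gives the banner (or a
// stored choice replayed on load) up to 500 ms to send an update before tags fire.
gtag("consent", "default", {
  analytics_storage: "denied", ad_storage: "denied",
  ad_user_data: "denied", ad_personalization: "denied", wait_for_update: 500,
});

// Map the banner's categories onto the four v2 storage flags. Marketing drives all
// three ad flags here; split them if the banner offers finer choices.
function consentModeUpdate(prefs) {
  const g = (ok) => (ok ? "granted" : "denied");
  return { analytics_storage: g(prefs.analytics), ad_storage: g(prefs.marketing),
           ad_user_data: g(prefs.marketing), ad_personalization: g(prefs.marketing) };
}
// Call from the banner's save handler, and once on load when a stored choice exists.
function sendConsentUpdate(prefs) {
  const update = consentModeUpdate(prefs);
  gtag("consent", "update", update);
  return update;
}
```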
First-party data strategies: Focus on collecting consented first-party data through form submissions, bookings, and account registrations rather than relying on cookie-based tracking.
Improving consent rates ethically: A well-designed consent banner that clearly explains the benefit of analytics (improving the website experience) typically achieves higher consent rates than a generic banner. However, never use manipulative designs to inflate consent rates.
Analytics accuracy versus compliance
Accept that your analytics will be incomplete. This is the reality of compliant cookie consent. Plan your measurement strategy around this limitation:
- Use analytics data for trends and patterns rather than exact numbers.
- Supplement analytics with server-side metrics (server logs, API data) for accurate traffic volume.
- Focus on conversion tracking through consented form submissions and bookings rather than cookie-based attribution.
Key Takeaway
Cookie consent will reduce your analytics coverage by 30% to 60%. Mitigate this through server-side analytics (cookieless, no consent needed), Google Consent Mode v2 (modelled data), and first-party data strategies. Accept that incomplete data is the cost of compliance and adjust your measurement approach accordingly.
What are the most common cookie consent mistakes on healthcare websites?
Avoiding these common errors significantly reduces your compliance risk.
1. Setting cookies before consent
The most serious and most common violation. Many healthcare websites load Google Analytics, Facebook Pixel, and chat widgets before the consent banner even appears. This is non-compliant regardless of what the banner says.
Fix: Implement automatic script blocking through your consent management platform. Verify by checking your browser's developer tools (Application > Cookies) on a fresh visit before interacting with the banner.
2. Cookie walls (accept or leave)
Blocking access to website content unless the user accepts all cookies is not compliant under ICO guidance. Users must be able to access your healthcare information and services regardless of their cookie preferences.
Fix: Ensure the website is fully functional (including booking and contact features) even when all non-essential cookies are declined.
3. Missing "Reject All" option
Offering an "Accept All" button without an equally accessible "Reject All" option does not provide genuine choice.
Fix: Include a "Reject All" button on the first layer of your consent banner, equally prominent to "Accept All".
4. Implied consent (scrolling or continued browsing)
Assuming consent because a user continues browsing or scrolls past the cookie banner is not valid consent under PECR.
Fix: Require an affirmative action (button click) to set non-essential cookies. Treat continued browsing as a decline of non-essential cookies.
5. Not keeping consent records
You must be able to demonstrate that consent was obtained if challenged by the ICO.
Fix: Use a consent management platform that automatically logs consent events, including timestamp, consent choices, and the version of the consent banner presented.
6. Ignoring consent withdrawal
Users who change their preferences must have previously set cookies deleted.
Fix: Implement a footer link to "Cookie Settings" that re-opens the consent banner with current preferences. When preferences are changed, delete cookies from revoked categories.
7. Not re-auditing after updates
Adding a new chat widget, video embed, or analytics tool introduces new cookies that may not be covered by your existing consent mechanism.
Fix: Re-audit cookies quarterly and after any significant website changes. Update your consent categories and cookie policy accordingly.
Template cookie policy for healthcare websites
Your cookie policy should include the following sections:
- What cookies are: A plain-language explanation of cookies and similar technologies.
- How we use cookies: Description of each cookie category with specific cookies listed.
- Your choices: How to manage cookie preferences through the consent banner and browser settings.
- Third-party cookies: Identification of all third parties that set cookies through your website.
- How to contact us: Contact details for privacy-related enquiries.
- Updates to this policy: When the policy was last reviewed and how changes are communicated.
Present cookie information in a table format for clarity:
| Cookie name | Provider | Purpose | Category | Duration |
|---|---|---|---|---|
| _ga | Google | Analytics user identification | Analytics | 2 years |
| _gid | Google | Analytics session tracking | Analytics | 24 hours |
| _fbp | Meta | Facebook advertising tracking | Marketing | 3 months |
Keep this table updated as your cookie landscape changes.
Next steps
Cookie consent is a compliance requirement that healthcare websites cannot afford to get wrong. Start by auditing your current cookie landscape, implement a consent management platform with automatic script blocking, and establish a regular review cycle.
If your healthcare website needs a compliant cookie consent implementation or a compliance audit of your current setup, we build healthcare websites with privacy-first architecture and compliant consent management.
About the Author
Pankaj Karad
Founder & CEO
Pankaj Karad is the founder of Karad Infotech, a London-based agency specialising in web design, SEO, and software development for healthcare businesses across the UK.