Do you need cookie consent for website visitor identification?
The short answer
It depends on how the tracking works. In the UK, cookies and similar storage technologies are governed by PECR, which can require consent. Identification that doesn't store or access information on the visitor's device may avoid that requirement — but the ICO's 2025 guidance broadened PECR's scope to include technologies beyond traditional cookies, so cookieless does not automatically mean consent-free. The right posture depends on your setup and your legal advice. General information, not legal advice.
Not legal advice
This page describes how the technology and rules work in general terms. It is not legal advice and does not determine your compliance obligations. Consult your DPO or a data protection professional.
What does PECR require?
In the UK, the Privacy and Electronic Communications Regulations (PECR) govern cookies and similar technologies that store or access information on a visitor's device. Where PECR applies and no exemption is available, you generally need consent before that storage or access takes place.
Where consent is required, it has to meet the UK GDPR standard: freely given, specific, informed and unambiguous, given through a clear affirmative action. Pre-ticked boxes and assumed consent don't meet that bar. PECR also carries its own enforcement regime, with a separate fine ceiling of up to £500,000 under the current framework.
Is cookieless identification automatically exempt?
No — this is the most common misconception. It is not safe to assume that “cookieless” means “no consent needed”. The ICO's 2025 guidance made clear that PECR's scope reaches beyond traditional cookies to technologies such as web storage, tracking pixels, device fingerprinting and tag-based scripts.
Whether a given method falls outside the consent requirement usually depends on whether it is “strictly necessary” for a service the user has requested — and that exception is interpreted narrowly. So the question isn't simply “does it use cookies?” but “does it store or access information on the device, and if so, does a genuine exemption apply?” That is a judgement to make with your legal adviser, not an assumption to make from the word “cookieless” alone.
How does Warm AI approach this?
Warm AI gives you two scripts so you can choose your posture rather than having one imposed on you:
- warm.js is the default — it uses sessionStorage only, no cookies, and fires on every page.
- warm-pro.js fires only after consent is captured through a consent platform like Cookiebot, OneTrust or Transcend.
Which script and posture is right for you depends on your circumstances and your legal advice — Warm AI doesn't determine your lawful basis for you. For wider context, see our guide to the legality of visitor tracking and the GDPR explainer.
How do I decide?
Treat this as a documented decision rather than a default setting. A sensible starting point is to consult your DPO or a data protection professional, review how your chosen method stores or accesses information on the device, and then align your consent setup to match the posture you adopt.
Whichever route you take, write down your reasoning — the lawful basis you're relying on, why you believe an exemption does or doesn't apply, and how your consent platform is configured. Professional review of that position is strongly recommended before you rely on it.
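One way to carry out the review step above (how a script stores or accesses information on the device) is to run the tag against instrumented stand-ins for the browser storage APIs and log what it touches. This is an added example, not Warm AI's code: `auditTag`, `makeStorage` and `SAMPLE_TAG` are hypothetical names, the sample tag is constructed, and the harness only sees direct cookie and web storage calls, not pixels or fingerprinting reads.

```javascript
// Added example: log which on-device storage APIs a tag script touches.
// auditTag, makeStorage and SAMPLE_TAG are hypothetical names, not Warm AI code.

function makeStorage(api, log) {
  const data = new Map();
  return {
    getItem(k) { log.push({ api, op: 'read', key: k }); return data.has(k) ? data.get(k) : null; },
    setItem(k, v) { log.push({ api, op: 'write', key: k }); data.set(k, String(v)); },
    removeItem(k) { log.push({ api, op: 'write', key: k }); data.delete(k); },
  };
}

function auditTag(source) {
  const log = [];
  const document = {};
  Object.defineProperty(document, 'cookie', {
    get() { log.push({ api: 'cookie', op: 'read', key: null }); return ''; },
    set(v) { log.push({ api: 'cookie', op: 'write', key: String(v).split('=')[0] }); },
  });
  const sessionStorage = makeStorage('sessionStorage', log);
  const localStorage = makeStorage('localStorage', log);
  const window = { document, sessionStorage, localStorage };
  // Run the tag against the instrumented stand-ins, not real browser objects.
  new Function('window', 'document', 'sessionStorage', 'localStorage', source)(
    window, document, sessionStorage, localStorage);
  const apis = [...new Set(log.map((e) => e.api))].sort();
  return { log, apis, storesOrAccesses: log.length > 0, usesCookies: apis.includes('cookie') };
}

// Constructed sample: a "cookieless" tag that keeps a visit id in sessionStorage.
const SAMPLE_TAG = `
  var id = sessionStorage.getItem('visit_id');
  if (!id) { id = 'v-' + Date.now(); sessionStorage.setItem('visit_id', id); }
`;

const report = auditTag(SAMPLE_TAG);
console.log(report.apis, 'cookies:', report.usesCookies, 'device access:', report.storesOrAccesses);
```

The sample tag sets no cookie, yet the log still records a read and a write on the device, which is the distinction the consent question turns on.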
Frequently asked questions
Not necessarily, and not automatically. In the UK, the need for consent under PECR depends on whether the technology stores or accesses information on the visitor's device, and whether it falls within the narrow 'strictly necessary' exception. Some identification methods may avoid traditional cookie consent, but cookieless does not automatically mean consent-free — the ICO's 2025 guidance broadened PECR's scope. Your specific obligations depend on your setup and your legal advice.