The ICO Is Watching: Is Your Cookie Banner Compliant?

Introduction

The UK’s Information Commissioner’s Office (ICO) recently launched the next round of its online tracking strategy, aimed at strengthening user control over personal data collection in accordance with the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR). As part of this strategy, the ICO audited cookie compliance programs of the UK’s top 100 most visited websites in November of 2023, later expanding its review to the top 200 in 2024.

The ICO has extended its cookie compliance review to the top 1,000 most visited sites in the UK, as promised. Additionally, the ICO has begun exploring the use of AI to detect noncompliant cookie banners on UK sites. Even if your site isn’t currently under review, these developments signal increased regulatory scrutiny. Now is the time to assess and evaluate your cookie compliance procedures.

The “Why” Behind the Crackdown: Protecting Users in the Age of Online Tracking

It appears that a primary focus of the ICO is to ensure that online tracking gives people a choice in how their information is used by organizations. The ICO has emphasized that meaningful user control is crucial in online advertising, where tracking and profiling can reveal sensitive personal information. While some insights may be harmless, others create risks for individuals, especially those in vulnerable groups, and can lead them to change or limit their online behavior.

  • UK cookie compliance requires notifying users about what cookies and trackers are in use on websites when they visit, including what data they collect, the purpose(s) for that collection, and who can access collected data.
  • Other requirements include giving users consent choices about accepting or declining the use of all or some cookies and enabling them to later withdraw consent.

ICO’s Focus: Identifying & Addressing Non-Compliant Cookie Practices

The ICO’s ongoing review of online tracking practices zeroes in on whether cookie banners truly offer users genuine choice and transparency. The message is clear: cookie banners that obscure or prevent a real choice are no longer acceptable.

Enforcement in Action: A Look at the Numbers

During its initial enforcement efforts, the ICO scrutinized the UK’s top 200 most visited sites, issuing notices to 134 of them regarding non-compliant cookie usage. While, to date, only one formal reprimand has been issued specifically under the targeted cookie enforcement action, this shouldn’t be taken as leniency.

  • Organizations that fail to adapt face the prospect of formal investigations, reprimands, or fines under both the UK GDPR and PECR.

The ICO’s commitment to this is evident in its 2024 enforcement statistics. Out of 62 enforcement actions, 32 stemmed from UK GDPR breaches. Crucially, of the 18 fines issued, a significant 15 were for violations of PECR, and the remaining 3 were for UK GDPR breaches. This highlights the ICO’s current focus on online marketing practices and ensuring cookie compliance.

What Specifically is the ICO Assessing?

When the ICO assesses your website’s cookie banner, it will be looking for specific common failings. Key areas of scrutiny include whether:

  • Non-essential advertising cookies are placed before the user has a chance to give their consent.
  • Users find it more difficult to reject non-essential advertising cookies than to accept them.
  • Non-essential advertising cookies are placed even if the user has not consented to them.

A Call to Action:

These points underscore the importance for all organizations to proactively review and ensure their cookie banners adhere to PECR and UK GDPR requirements. It’s also critical to understand that the ICO’s monitoring and assessment of website compliance is an ongoing process.

Notable Points for Compliant Cookie Banners

To stay on the right side of the regulations, remember these core principles:

No Pre-Consent Tracking: You must not place non-essential advertising cookies, nor process personal data using such cookies, without first obtaining valid consent from individuals visiting your website.

Symmetry of Choice: When gathering consent, you must provide users with a means of rejecting non-essential advertising cookies that is as clear and simple as consenting to those cookies. This means options like a ‘Reject All’ button (or an equivalent unambiguous solution) should be as prominent as the option to accept cookies.

Respect User Decisions: You must respect individuals’ choices regarding the placement of non-essential advertising cookies. If a user does not consent to these cookies, they should not be placed, and no personal data should be processed using this technology.

The ICO provides further detailed guidance on compliance with UK GDPR and PECR, often available through their official communications. It’s important to be aware that if the ICO finds non-compliance during its assessments, it has a range of powers it can exercise to address these infringements, which are also detailed in its guidance documentation.

What Strategies & Practices Should Be Followed for Cookie Compliance?

Navigating the complexities of online tracking while staying compliant with UK GDPR and PECR can be challenging. However, organizations can take several steps to strengthen their cookie compliance programs and reduce regulatory risk.

1. Categorize Your Cookies

Start by identifying and classifying all cookies used on your website. The most important distinction is between essential and non-essential cookies:

  • Essential cookies are strictly necessary for the basic operation of your site—such as enabling secure logins, maintaining session integrity, or facilitating transactions.
  • Non-essential cookies include tools like analytics trackers, advertising pixels, and live chat widgets. These require user consent before being placed.

Tip: Ask yourself, would disabling this cookie affect the user’s ability to access or securely navigate the site? If not, it’s likely non-essential.

2. Obtain Valid Consent

Under UK GDPR, consent must be:

  • Freely given,
  • Specific & informed, and
  • Unambiguous.

This means:

  • Users must take clear affirmative action (e.g., ticking a box or clicking accept).
  • Consent cannot be implied through continued browsing.
  • Consent requests must not be hidden in lengthy policies or hard-to-find links.

A compliant cookie banner is more than a checkbox—it’s a dynamic tool for transparency and user empowerment.

Ensure your banner:

  • Clearly explains what cookies are used and for what purpose.
  • Offers both “Accept All” and “Reject All” options with equal prominence.
  • Avoids misleading language or design that nudges users toward acceptance.
  • Allows users to manage preferences or withdraw consent at any time.

Regular audits of your cookie practices help ensure your banner reflects current technologies and regulatory expectations.
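The following is an added example, not code from the original post or from the ICO, showing how the three principles above (no pre-consent tracking, symmetry of choice, respecting user decisions) can be enforced in one place on the client side. Cookie names and categories are assumed for illustration, and the cookie jar is a plain object so the logic runs outside a browser; in a page you would read and write `document.cookie` instead.

```javascript
// Added example: a minimal consent gate that every cookie write must pass through.
const ESSENTIAL = new Set(["session_id", "csrf_token"]);              // strictly necessary (assumed names)
const NON_ESSENTIAL = { analytics: ["_ga"], advertising: ["_fbp"] };  // consent-gated (assumed names)

class ConsentGate {
  constructor(jar = {}) {
    this.jar = jar;        // cookie name -> value; stands in for document.cookie
    this.consent = null;   // null = the user has not made a decision yet
  }
  // Symmetry of choice: "Reject All" is a single call, exactly like "Accept All",
  // so the banner can wire both buttons with equal prominence and effort.
  acceptAll() { this.setConsent({ analytics: true, advertising: true }); }
  rejectAll() { this.setConsent({ analytics: false, advertising: false }); }
  withdraw()  { this.rejectAll(); }   // changing your mind later uses the same path
  setConsent(choices) {
    // Timestamp the decision so it can be produced as a consent record later.
    this.consent = { ...choices, at: new Date().toISOString() };
    // Respect the decision: purge any non-essential cookie whose category was refused.
    for (const [category, names] of Object.entries(NON_ESSENTIAL)) {
      if (!choices[category]) names.forEach((n) => delete this.jar[n]);
    }
  }
  categoryOf(name) {
    return Object.keys(NON_ESSENTIAL).find((c) => NON_ESSENTIAL[c].includes(name));
  }
  // No pre-consent tracking: a non-essential cookie is refused until there is an
  // affirmative consent for its category. Unknown cookies fail closed (blocked),
  // which forces step 1 (categorise every cookie) to actually be completed.
  setCookie(name, value) {
    if (ESSENTIAL.has(name)) { this.jar[name] = value; return true; }
    const category = this.categoryOf(name);
    if (category === undefined || !this.consent || !this.consent[category]) return false;
    this.jar[name] = value;
    return true;
  }
  // Self-audit mirroring the ICO's checks: any non-essential cookie present without
  // consent for its category (before a decision, or after rejection) is a finding.
  audit() {
    const findings = [];
    for (const [category, names] of Object.entries(NON_ESSENTIAL)) {
      for (const n of names) {
        if (n in this.jar && !(this.consent && this.consent[category])) {
          findings.push(`${n} set without ${category} consent`);
        }
      }
    }
    return findings;
  }
}
```

Running `audit()` on page load and after each banner interaction gives you the same evidence an external review would look for, before the regulator does.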

3. Document & Communicate your Compliance Efforts

Transparency and accountability are key principles of data protection. To demonstrate compliance:

  • Maintain records of user consent and internal compliance activities;
  • Regularly update your privacy and cookie policies to reflect actual practices; and
  • Train internal teams, especially marketing, IT, and legal, on cookie compliance responsibilities based on established and documented internal processes.

Having clear documentation not only supports internal governance but also prepares your organization to respond to ICO audits, inquiries, or user complaints.

Key Takeaways

  • Regulatory Focus Is Intensifying: The ICO is actively enforcing cookie compliance, as demonstrated by its expanded review of the UK’s top 1,000 websites.
  • Transparency Is Essential: Organizations must clearly disclose what cookies are in use, their purposes, and how users can manage or opt out of them.
  • Consent Must Be Balanced & Clear: Users must be given a genuine, easy-to-understand choice to accept or reject non-essential cookies—without nudging or design bias.
  • Now Is the Time to Act: Organizations should proactively review and update their cookie practices, cookie banners, and privacy policies to align with evolving regulatory expectations.

Looking for support with cookie practices? Click here to see how Myna can help.

