If your website targets UK users, your cookie banner may soon be subject to increased regulatory scrutiny.
Data protection laws in the UK and EU impose strict limits on how websites, mobile apps, and online platforms can deploy trackers. Under the UK GDPR and the Privacy and Electronic Communications Regulations (PECR), organisations must obtain prior, informed consent from users before using analytics or advertising cookies.
In January 2025, the United Kingdom’s Data Protection Authority, the Information Commissioner's Office (ICO), launched a campaign to review whether popular UK websites use cookies and display cookie banners, assess their compliance with UK data protection law, and apply fines when necessary.
Whether you’ve already received the dreaded letter from the ICO or are simply curious to know how to stay on the right side of data privacy laws, keep reading to understand the requirements imposed on UK organisations and how to ensure your business remains in full compliance with UK data protection regulations.
What is behind the ICO’s audit of top UK websites' cookie compliance?
While online tracking through cookies and similar technologies provides tangible benefits, such as more relevant advertising, a streamlined user experience, and personalised content, it also presents significant risks.
One case involving cookie consent that captured national attention involved Sky Betting & Gaming. This UK gambling operator was found by a UK High Court to have violated the UK GDPR and the PECR by serving targeted ads to a gambling addict through cookies and trackers. The court held that the individual’s consent was invalid because it was impaired by his compulsion to access gambling services: consent was not freely given and was too compromised to be legally valid.
The case highlighted the human consequences of consent failures. Beyond targeting vulnerable individuals, personalised advertising can also undermine personal autonomy, infringe upon privacy rights, and contribute to discriminatory practices against specific groups.
Recognising these potential harms, and given that the ICO’s primary mission is to uphold information rights, the organisation has made online advertising and cookies a top priority for 2025 and has begun conducting assessments to determine whether the cookie and consent practices of the top 1,000 UK websites comply with UK data protection laws.
During this review, the office is looking at a range of legal compliance factors, including:
- The proper configuration of cookies
- The adequacy of cookie consent notices
- The availability of a lawful mechanism for withdrawing consent.
If the ICO audit determines that a website’s cookie and consent practices breach UK data protection regulations, it may send a warning letter to the relevant website owner. Let’s have a closer look at what this letter may include and what data privacy requirements it may impose on website operators.
What do the UK Information Commissioner’s Office (ICO) warning letters say?

If the UK Information Commissioner’s Office (ICO) finds that a website’s use of cookies and its consent collection and management processes violate the UK data protection laws, it may issue a warning letter to the relevant website owner.
In practice, the warning letter usually includes the following information:
1. Description of non-compliance failure
First, the letter describes how the website’s cookie banner and consent process fail to comply with the UK data protection laws.
For instance, the letter may point out that the ‘accept’ and ‘reject’ buttons for cookies are not equally prominent or that the analytics or advertising cookies are not turned off by default, contrary to the PECR’s requirements. Furthermore, the notice may also relate to other, more consent-related violations, such as insufficient information in the cookie banner or a lack of a proper mechanism for withdrawing consent.
Key areas of non-compliance emphasised by the ICO
The compliance pitfalls the ICO is targeting in its 2025 audit are:
- Non-essential advertising cookies are placed before users give consent
- Users cannot reject cookies as easily as they can accept them
- Non-essential cookies are sometimes placed even when users have refused consent
Continue reading to learn how Didomi can help with each of these points.
2. List of changes required
Based on the alleged violations of UK data protection laws, the letter will likely outline the specific changes that a website must implement to bring its cookie and consent practices into compliance with the UK GDPR and the PECR. For instance, it may state that the analytics and advertising cookies and trackers must be turned off by default until users give consent.
Additionally, it may require the website owner to provide users with a mechanism to withdraw their consent, such as a persistent cookie banner.
3. Deadline
The letter will also impose a strict deadline on website owners to rectify the alleged violations of the UK data protection laws. Therefore, a website owner must implement appropriate changes to their consent banner, consent configuration, and consent practices within this deadline.
After the set deadline, the ICO will conduct another assessment of cookie usage to confirm whether the website owner has remedied the violations.
4. Consequences for failure to comply
Finally, the letter will typically warn that if the website operator fails to remedy the identified violations, the Information Commissioner’s Office (ICO) may take further enforcement action, such as publishing the organisation’s name on its website as a non-compliant entity or imposing administrative fines.
How to ensure compliance with UK cookie laws to avoid enforcement action by the UK Information Commissioner’s Office (ICO)
The ICO’s audit of prominent UK websites’ cookie usage reveals that online service providers, including websites and mobile apps, cannot overlook the compliance of their cookie usage with the UK GDPR and the PECR.
Here are the best practices to ensure that your website or mobile app complies with the data protection law requirements under UK law:
Understand the applicable data protection requirements
In the UK, the PECR is the primary law governing the use of cookies and similar technologies, such as device fingerprinting and local storage. The PECR requires that you obtain UK GDPR-compliant consent from end users before activating cookies and similar technologies, unless an exemption applies.
In other words, while the PECR establishes the requirement for prior consent, the UK GDPR sets the standard for what constitutes valid consent, which should be freely given, specific, informed, and unambiguous.
Turn off specific cookie categories by default until the user gives consent
You cannot achieve compliance with the PECR and the UK GDPR’s consent rules without correctly identifying and classifying the cookies, trackers, and similar technologies your service uses.
For instance, cookies that fall under the “strictly necessary” or “communications” exemption may be set without user consent. However, cookies used for analytics (e.g., Google Analytics) or advertising (e.g., Meta Pixel) must be disabled by default until you have obtained GDPR-compliant consent from users.
Accurate classification of cookies and similar tools is therefore essential to achieving compliance.
Collect affirmative consent
Users must take an explicit, affirmative action to demonstrate their consent to cookies. For instance, if you display a consent banner to users and they click on an ‘I agree’ button, this will constitute affirmative action.
However, as the ICO (the UK’s independent data protection authority) sets out in its Consent Guidance, inaction, default settings, opt-out consent, or scrolling through a website do not amount to valid consent, because the user must take a deliberate and unambiguous action to signal their consent to cookies.
Are you unsure whether consent is required for specific actions on your digital properties? Refer to the following diagram, inspired by ICO documentation:

Make sure that your consent banner’s ‘accept’ and ‘reject’ buttons are compliant
The ICO has made it clear that websites, mobile apps, and other online platforms must not use manipulative or deceptive design techniques (often referred to as “dark patterns”) to encourage users to accept cookies.
Accordingly, the “Accept” and “Reject” options should be presented with equal prominence, ensuring users can make a genuine, informed choice.
For instance, the ICO provides the following as an example of a non-compliant cookie banner: the reject button is not as prominent as the accept button, and the design aims to trick users into giving consent:

Ensure that your cookie banner contains the required disclosures and complies with transparency requirements
As specified in the ICO’s Cookies Guidance, you must provide users with clear and accurate information about the cookies your site uses. This includes:
- The types of cookies being used
- The purpose of each cookie
- Any personal data that may be processed through the cookies
- The duration for which each cookie will remain active.
Additionally, you must provide conspicuous links to your cookie and privacy policies, which should offer more detailed information on your cookie usage and how you handle personal data.
Offer users a consent withdrawal and configuration mechanism
You must provide a mechanism that allows users to easily change their consent preferences, including the ability to withdraw consent for specific cookies or categories of cookies. This withdrawal mechanism must be as easy to use as giving consent.
For example, a persistent cookie banner that enables users to update their consent preferences at any time is likely to satisfy this requirement.
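The practices above (non-essential categories off by default, consent only on an affirmative action, a withdrawal mechanism that is as easy as consenting, and the disclosures a banner must carry) can be expressed as one small consent gate. The following is an added example written for this article; it is not Didomi’s product code nor anything published by the ICO. The category names, the tracker inventory, the action names and the storage key are assumptions chosen for illustration, and the sample trackers are constructed.

```javascript
// Added example (not Didomi's product code or ICO material): a minimal consent
// gate modelling the rules above. Category names, the tracker table, action
// names and the storage key are all assumptions chosen for illustration.

// Which categories are exempt from prior consent (strictly necessary) and
// which must stay off until the user opts in.
const CATEGORIES = Object.freeze({
  strictly_necessary: { exempt: true },
  analytics: { exempt: false },
  advertising: { exempt: false },
});

// Constructed sample tracker inventory, each carrying the disclosures a banner needs.
const TRACKERS = [
  { id: 'session-cookie', category: 'strictly_necessary', purpose: 'Keeps you logged in', duration: 'session', personalData: 'session identifier' },
  { id: 'analytics-tag', category: 'analytics', purpose: 'Measures page usage', duration: '13 months', personalData: 'pseudonymous visitor id' },
  { id: 'ad-pixel', category: 'advertising', purpose: 'Targets advertising', duration: '90 days' }, // personalData deliberately omitted so the check below flags it
];

// The only interactions treated as affirmative, unambiguous consent signals.
const AFFIRMATIVE_ACTIONS = new Set(['accept_all', 'reject_all', 'save_choices']);

// Every non-exempt category starts denied.
function defaultState() {
  const state = {};
  for (const [name, meta] of Object.entries(CATEGORIES)) state[name] = meta.exempt;
  return state;
}

class ConsentManager {
  // `storage` stands in for a persistent store (a first-party cookie or localStorage).
  constructor(storage = new Map()) {
    this.storage = storage;
    const saved = storage.get('consent_record');
    this.state = saved ? JSON.parse(saved).state : defaultState();
    this.decided = Boolean(saved); // a banner is required until an affirmative action is stored
  }

  persist() {
    this.storage.set('consent_record', JSON.stringify({ state: this.state, at: new Date().toISOString() }));
  }

  // Record a banner interaction. Scrolling, dismissing or ignoring the banner
  // returns false and leaves every non-exempt category denied.
  record(action, choices = {}) {
    if (!AFFIRMATIVE_ACTIONS.has(action)) return false;
    const next = defaultState();
    for (const [name, meta] of Object.entries(CATEGORIES)) {
      if (meta.exempt) continue;
      if (action === 'accept_all') next[name] = true;
      else if (action === 'save_choices') next[name] = choices[name] === true;
      // 'reject_all' keeps the default (false) for every non-exempt category
    }
    this.state = next;
    this.decided = true;
    this.persist();
    return true;
  }

  // Withdrawal is a single call available at any time, as easy as consenting.
  withdraw(category) {
    if (!(category in CATEGORIES) || CATEGORIES[category].exempt) return false;
    this.state[category] = false;
    this.persist();
    return true;
  }

  allowed(category) {
    const meta = CATEGORIES[category];
    return Boolean(meta) && (meta.exempt || this.state[category] === true);
  }

  // Ids of trackers that may be loaded right now; consult this before injecting any tag.
  loadable(trackers = TRACKERS) {
    return trackers.filter((t) => this.allowed(t.category)).map((t) => t.id);
  }

  needsBanner() { return !this.decided; }
}

// Transparency check: every tracker must declare the fields the banner has to disclose
// (type/category, purpose, duration, personal data processed).
function missingDisclosures(trackers = TRACKERS) {
  const required = ['category', 'purpose', 'duration', 'personalData'];
  const problems = [];
  for (const t of trackers) {
    for (const field of required) if (!(field in t)) problems.push(`${t.id}: ${field}`);
  }
  return problems;
}

// Stand-alone demo of the gate's behaviour.
const demo = new ConsentManager();
console.log('before any choice:', demo.loadable());
demo.record('scroll');
console.log('after scrolling only:', demo.loadable());
demo.record('save_choices', { analytics: true });
console.log('after saving choices:', demo.loadable());
demo.withdraw('analytics');
console.log('after withdrawal:', demo.loadable(), '| disclosure gaps:', missingDisclosures());
```

The point of routing every tag through `loadable()` is that a tracker never runs on the strength of a default, a scroll or a dismissed banner; only a stored affirmative action unlocks a category, and a withdrawal is persisted immediately so a later page load honours it. In a real deployment the stored record would live in a first-party cookie or local storage, and the tracker inventory would be generated from a scan of the site rather than hand-written.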
What are the monetary fines for non-compliance with the cookie rules after receiving a warning letter?
If the Information Commissioner’s Office (ICO) finds that your cookie usage violates the UK GDPR and the PECR, it may impose fines under both of those UK data protection regimes.
Under the UK GDPR, the Information Commissioner’s Office may issue a fine of up to £17.5 million or 4% of worldwide annual turnover.
Under the PECR, the Information Commissioner’s Office (ICO) can currently issue fines of up to £500,000. These penalties may be imposed on the organisation operating a website or, in some cases, on its directors.
The new Data (Use and Access) Act 2025 (DUAA) aligns the maximum PECR fines with those under the UK GDPR, namely up to £17.5 million or 4% of the worldwide annual turnover. However, the provisions increasing the PECR fines have not yet been commenced. Therefore, the £500,000 cap remains in force for now.
How Didomi can help with your compliance efforts in the UK
Achieving full cookie compliance can be technically and operationally complex. While a simple consent banner with “accept” and “reject” buttons is a great starting point, ensuring compliance with the ICO’s requirements goes much further.
Below is an overview of the ICO’s audit priorities and how Didomi helps address each one:

Beyond legal compliance, by making consent simple and transparent, we help you turn privacy into a competitive advantage, fostering trust, loyalty, and confidence among your users.
Discuss your privacy challenges and find out whether we can help you reach compliance by booking a chat with one of our experts.
Frequently Asked Questions (FAQ)
What is behind the UK ICO’s recent review into the top UK websites’ cookie usage? What does it cover?
The UK Information Commissioner’s Office (ICO) has prioritised online advertising and cookies for 2025.
As part of this initiative, the Information Commissioner’s Office announced plans to assess whether the cookie and consent practices of the top 1,000 UK websites comply with the UK data protection regulations.
When conducting such reviews, the Information Commissioner’s Office examines a range of legal compliance factors, including the proper configuration of cookies, the adequacy of cookie consent notices, and the availability of a lawful mechanism for withdrawing consent.
What happens if I ignore the Information Commissioner’s Office’s warning letter?
If you ignore a warning letter from the Information Commissioner’s Office for your alleged failure to comply with the UK GDPR and the PECR due to your cookie usage, you may face an enforcement or penalty notice.
For instance, the Information Commissioner’s Office may impose an administrative fine, which can be up to £17.5 million or 4% of the organisation's worldwide annual turnover.
What laws and regulations apply to cookies in the UK?
In the UK, cookies and similar tracking technologies are mainly governed by the Privacy and Electronic Communications Regulations (PECR). Under PECR, a website or mobile app generally requires user consent before placing cookies, trackers, or using technologies such as device fingerprinting, unless an exemption applies (e.g., cookies strictly necessary for the service).
Additionally, cookie consent must meet the consent standards under the UK GDPR; that is, it must be freely given, specific, informed, and unambiguous.
What are the key cookie compliance requirements I should address?
You must ensure that you accurately identify and classify all cookies, trackers, and similar technologies, and disable specific cookie categories, such as analytics and advertising cookies, by default.
Furthermore, you must obtain affirmative consent, avoid manipulative consent tactics, and provide users with an effective mechanism to withdraw their consent.
How does the new Data (Use and Access) Act 2025 affect cookies and the processing of personal data via cookies?
The new Data (Use and Access) Act 2025 introduced significant changes to both the UK GDPR and the PECR. Specifically, certain categories of cookies will no longer require prior consent under the PECR, and the administrative fines under the PECR will also be increased.
However, many of these changes have not yet been fully implemented and will depend on secondary legislation or a phased rollout.
Do the PECR's cookie rules apply to public authorities?
Yes, the PECR applies to public authorities and public bodies.