The ICO’s Cookie Crackdown is Here – Is your site ready?

Published: Aug. 21, 2025

This year is a big year for online advertising in the eyes of the UK’s Information Commissioner’s Office (ICO)—from the launch of their 2025 online tracking strategy to the two open consultations seeking input on enforcing the Privacy and Electronic Communications Regulations (PECR) and guidance on storage and access technologies (SATs). Check out our blog on the recent online advertising-focused consultations that close this autumn. 

As part of the 2025 online tracking review, the ICO is reviewing the UK’s 1,000 most-visited websites for non-compliant practices. This is a deliberate effort to enforce UK privacy laws (PECR and the UK GDPR) around online tracking. The 2025 strategy focuses the ICO’s review of cookie compliance on four main areas:

  • Deceptive or missing choice: Failure to provide choices including where the selection is preset.
  • Uninformed choice: Failure to provide fair or clear choices.
  • Undermined choice: Failure to communicate or adhere to user choice.
  • Irrevocable choice: Failure to provide users with a way to change their mind or withdraw consent.

In its initial review of the website list, the ICO found 134 of 200 UK websites failed to meet cookie compliance standards and violated some key data protection requirements. In that review, the ICO made clear its guidelines on the “consent or pay” model, emphasizing that companies cannot require users to opt in to non-essential cookies in exchange for access to a website. The ICO updated its guidance on this practice last month. Further, the ICO has made clear that dropping non-essential cookies before consent is obtained (such as a delayed drop) is not compliant and a clear violation of the regulations.

Common Cookie Compliance Issues the ICO is Flagging

In its review, the ICO focused on:

  • Dropping non-essential cookies before obtaining consent;
  • Not including a “reject all” option next to an “accept all” option or obfuscating a “reject all” option;
  • Pre-selecting the consent option or prompting the user to select all;
  • Any form of implied consent such as “by continuing to use our site…”;
  • Vague or misleading wording making it difficult for users to make informed choices;
  • No options for users to refuse or withdraw consent;
  • Not providing a “reject all” option when other options are not granular; and 
  • Requiring users to consent to any or all cookies as a prerequisite to use the website.

What’s at Stake?

Violations of cookie requirements can lead to enforcement action, including fines. Under PECR, fines can reach as high as £500,000, and under the UK GDPR potentially up to £17.5 million or 4% of global turnover. Beyond fines, the reputational damage and regulatory scrutiny can be costly. The review makes clear that the ICO has dedicated substantial resources to this work and is quick to follow up with companies after their submissions where the ICO does not believe a company has appropriately remediated the concerns raised.

Next Steps 

We recommend auditing current cookie uses and cookie banner practices before the ICO knocks on your website’s front door. Here’s a checklist for audit compliance:

  • Audit current cookie uses and identify cookie drop timeframes;
  • Update your cookie banner to ensure it provides clear descriptions and equal choice for users while avoiding pre-selected options;
  • Implement or update consent withdrawal mechanisms for users after their initial choice; 
  • Update your privacy/cookie policies to clearly describe your cookie practices and users’ rights;
  • Consider a Consent Management Platform configured to UK requirements to present the banner, store consents, and manage cookie loading; and 
  • Document compliance efforts and engage in ongoing monitoring.

If you’d like to learn more about the ICO’s current review and its implications, or explore best practices for cookie compliance, feel free to reach out to any of the authors listed above.