
ICO reviews cookie compliance on the UK’s top 1000 websites

As part of ongoing initiatives and its 2025 online strategy, the ICO is reviewing the cookie compliance of the top 1000 websites in the UK and giving noncompliant operators 30 days to comply with regulatory requirements. We look at noncompliant tracking, consent requirements, and more.
Published by Usercentrics
5 mins to read
Mar 14, 2025

On January 23, 2025, the United Kingdom’s Information Commissioner’s Office (ICO) announced plans to review the top 1000 websites in the UK to bring them into compliance with UK law with regard to the use of tracking cookies. The ICO is the independent body that oversees data privacy and protection and regulatory enforcement in the UK.

The initiative actually started some time ago. Per an earlier ICO statement from November 2023, “The action is part of our broader work to ensure that people’s rights are upheld by the online advertising industry.”

In 2024, the ICO assessed the top 200 UK websites, finding privacy compliance concerns with 134, or two-thirds of them. It will be interesting to see if the noncompliance percentages remain consistent with five times more sites reviewed.

The site owners have received warnings that they face enforcement action if they do not make changes to comply with the law. They have been given 30 days to comply (known as a “cure period”).

We look at what is required for cookie compliance in the UK, what laws and penalties noncompliant companies face, and what those companies will need to do to achieve and maintain their privacy compliance.

What privacy laws are in effect in the UK?

In the UK there are several laws governing data privacy and protection, individuals’ rights, and companies’ responsibilities regarding use of technologies to collect and process personal data. Here are the most important ones.

UK GDPR

Upon leaving the European Union in 2020, the UK adopted its own, very similar version of the General Data Protection Regulation (GDPR), commonly known as the UK GDPR. The regulation explicitly addresses cookie use, with requirements like:

  • Informing users if you set cookies
  • Explaining what the cookies do and why (e.g. collecting data for analytics, advertising, etc.)
  • Obtaining users’ explicit and active consent (for cookies that are non-essential)

Data Protection Act (DPA) 2018

The Data Protection Act governs the flow and use of personal data in the UK. It took effect the same day the GDPR came into effect, and was also amended post-Brexit. The DPA is meant to work in conjunction with the UK GDPR.

The DPA established the overarching data protection framework for the UK, and while less explicit about cookie compliance, it does include relevant requirements like providing notification and obtaining valid consent.

Privacy and Electronic Communications (EC Directive) Regulations (PECR) 2003

The PECR is the UK implementation of the ePrivacy Directive. It covers electronic communications, including email, SMS, and other channels, and it sets requirements for the use of cookies for marketing purposes, requiring valid consent from individuals before their data is accessed or used.

Like the UK GDPR, the PECR requires informing users that cookies are set and what they are for, and obtaining explicit consent for their use.

To date, the ICO has found that user tracking without compliant consent is common. Companies can potentially access sensitive information, create detailed profiles of individuals, and target them with advertising with considerable — and potentially harmful — accuracy.

Stephen Almond, ICO Executive Director of Regulatory Risk, noted:

“Uncontrolled tracking intrudes on the most private parts of our lives and can lead to harm. For example, gambling addicts being targeted with more betting ads due to their browsing history or LGBTQ+ people altering their online behaviour for fear of unintended disclosure of their sexuality.”

In some cases, the sites did not provide sufficient choice to visitors about being tracked for personalized advertising. UK law requires that rejecting advertising cookies be as easy to do as accepting their use.

If users decline cookie use for personalized ads, UK sites can still display ads, but they cannot use personal data to personalize them; the ads must instead be non-personalized, for example contextual ads based on the page content.

Almond also noted:

“We’ve all been surprised to see adverts online that seem designed specifically for us – an ad for a hotel when you’ve just booked a flight abroad, for instance. Our research shows that many people are concerned about companies using their personal information to target them with ads without their consent.”

Valid consent is critical to cookie compliance. Under the UK GDPR and other laws, user consent must be freely given, specific, informed, unambiguous, and explicit.

Some ways websites can fail cookie compliance include:

  • Not notifying visitors of cookie use (particularly with granular information about types of cookies used)
  • Not notifying visitors about what data is being collected, for what purposes, and who it may be shared with
  • Not providing visitors with valid options to accept or decline consent for non-essential cookie use
  • Not providing visitors with the ability to revoke consent easily at any time

Best practices would also involve users being able to change their consent preferences at a granular level, e.g. yes to analytics cookies, no to marketing cookies.

One of the ICO’s main goals with their 2025 online strategy is to ensure that “everybody has meaningful choice over how they are tracked online”.

Checking a website involves determining what tracking and data collection takes place, by what means, with whom the data may be shared, and whether all of that is reflected in the notices shown to users.

Additionally, checks would need to be done to see if consent management is in place and if it’s being used compliantly.

For example, it’s possible to implement a consent management platform, as the ICO recommends, but employ dark patterns to manipulate users into providing full consent for cookie use.

Compliant consent management would require clear notifications and equally accessible options for accepting or declining non-essential cookie use.
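The first of the checks described above (what is set, by what means, and whether it happens before the visitor has made a choice) can be partly automated. The following is an added example, not code from Usercentrics or the ICO: it takes the Set-Cookie headers a site returns on a first, consent-free page load, records whether each cookie is persistent and for how long, and flags names that match an assumed, illustrative list of analytics and advertising cookie prefixes. The function names (`parse_set_cookie`, `audit_pre_consent`, `pre_consent_issues`), the prefix list and the sample headers are all constructed for this illustration; a real audit would capture the headers from a browser session and consult a maintained cookie database instead of a short prefix list.

```python
"""Pre-consent cookie audit helper (added example, not Usercentrics or ICO code).

Given the Set-Cookie headers returned on a first visit, before any interaction
with the consent banner, classify each cookie as session or persistent and flag
those whose names match an illustrative list of tracker prefixes. A tracker
cookie set before consent is the kind of finding an ICO review raises under PECR.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Assumed, illustrative prefixes of cookie names used by common analytics and
# advertising vendors. A real audit would use a maintained cookie database.
KNOWN_TRACKER_PREFIXES = ("_ga", "_gid", "_gat", "_gcl", "_fbp", "IDE")


@dataclass
class CookieFinding:
    name: str
    persistent: bool              # True when Max-Age or Expires gives a future lifetime
    lifetime_days: Optional[int]  # None for session cookies
    domain: Optional[str]         # Domain attribute if set (cookie shared across subdomains)
    known_tracker: bool           # name matches KNOWN_TRACKER_PREFIXES


def parse_set_cookie(header: str, now: datetime) -> CookieFinding:
    """Parse one Set-Cookie header value into a CookieFinding."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    name = name.strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    lifetime = None
    # RFC 6265: Max-Age takes precedence over Expires when both are present.
    if "max-age" in attrs:
        lifetime = round(int(attrs["max-age"]) / 86400)
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = round((expires - now).total_seconds() / 86400)

    return CookieFinding(
        name=name,
        persistent=lifetime is not None and lifetime > 0,  # Max-Age=0 deletes a cookie
        lifetime_days=lifetime,
        domain=attrs.get("domain") or None,
        known_tracker=name.startswith(KNOWN_TRACKER_PREFIXES),
    )


def audit_pre_consent(headers: List[str], now: Optional[datetime] = None) -> List[CookieFinding]:
    """Classify every cookie a site sets on a first, consent-free page load."""
    now = now or datetime.now(timezone.utc)
    return [parse_set_cookie(h, now) for h in headers]


def pre_consent_issues(findings: List[CookieFinding]) -> List[str]:
    """Names of cookies that look like trackers yet were set without consent."""
    return [f.name for f in findings if f.known_tracker]


# Constructed sample: headers a hypothetical site might return on a first visit,
# before the visitor has clicked anything in the banner.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "_ga=GA1.2.123456789.1700000000; Max-Age=63072000; Path=/; Domain=.example.test",
    "_fbp=fb.1.1700000000000.1234567890; Expires=Tue, 11 Mar 2025 10:00:00 GMT; Path=/",
    "cookie_consent=pending; Max-Age=31536000; Path=/",
]
# Fixed reference time so the Expires arithmetic is reproducible.
SAMPLE_NOW = datetime(2024, 12, 11, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    findings = audit_pre_consent(SAMPLE_HEADERS, SAMPLE_NOW)
    for finding in findings:
        print(asdict(finding))
    print("Set before consent, need review:", pre_consent_issues(findings))
```

On the sample, the session cookie and the cookie recording the consent state are not flagged, while `_ga` (730-day lifetime, shared across subdomains) and `_fbp` (90 days) are reported as trackers set before any consent was given. Cookies that do not match the prefix list still need a manual look; the script narrows the review, it does not replace it.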

Almond commented:

“Tracking should work for everyone – giving people clear choices and confidence in how their information is used, while enabling businesses to operate fairly and responsibly. Our strategy ensures both.”

The ICO is continuing its review of the top 1000 websites, and said that it will provide updates, as well as information on companies that have not addressed cookie compliance issues.

One of the most important things that noncompliant websites can do is implement a consent management platform (CMP), which is also an ICO recommendation. Additionally, the CMP needs to be set up correctly to provide the required information to website visitors and provide them with valid consent choices.

Usercentrics Web CMP automatically scans websites to detect all cookies and trackers in use, categorizes them automatically, and enables the information to be displayed in the CMP’s cookie banner. Website operators can also customize the CMP for relevant laws and use geolocation features for UK or other visitors.

Setting up a compliant cookie banner can be fast, easy, and user-friendly. Also importantly, it can enable your site to pass ICO review with flying colors and continue to build trust with your visitors and customers.