ICO updates UK cookie guidelines and warns 134 websites – What marketers need to know for 2025

The Information Commissioner’s Office (ICO) has issued cookie compliance warnings to 134 of 200 UK websites analyzed as part of its online tracking strategy for 2025. The goal is to get the UK’s top 1,000 websites cookie compliant.
What happened? The ICO’s latest cookie compliance action

In January 2025, the UK’s Information Commissioner’s Office (ICO) made it clear that cookie compliance isn’t something to overlook. They found that 134 out of 200 UK websites they checked had failed to meet cookie compliance standards, with some breaching key data protection laws.

This is part of the ICO’s broader, ongoing push (see the ICO’s online tracking strategy for 2025), which aims to ensure that the UK’s top 1,000 websites adhere to compliant cookie practices and respect users’ rights.

The ICO’s latest update highlights that many websites failed to meet legal standards for obtaining user consent for cookies, with cookie banners that were non-compliant with the UK’s strict requirements.

The ICO also updated the “consent or pay” guideline, which makes it clear that websites cannot require users to opt in to non-essential cookies in exchange for access to content, and published draft guidance on tracking people using storage and access technologies such as cookies and fingerprinting.

The ICO has made it clear that if left unaddressed, these violations could lead to further actions, including potential fines.

Get compliant with ICO’s new cookie compliance guidelines today

Stay compliant, avoid fines and maintain a seamless user experience with a cookie banner tool built for marketers.

Key cookie compliance violations uncovered: What the ICO found in its latest review

In its review of 200 UK websites, the ICO identified several types of violations related to cookie compliance, underscoring the need for stricter adherence to the UK’s data privacy laws. Out of the 200 websites analyzed, 134 were found to be non-compliant.

Examples of cookie compliance violations found by the ICO

Lack of clear consent:
Many websites didn’t make it easy for users to understand what they were agreeing to or didn’t present users with an option to opt out of non-essential data processing. Some employed deceptive tactics, with consent banners that were vague or hidden away, making it tough for visitors to make informed decisions.

Pre-ticked consent boxes:
Several websites used pre-ticked boxes or default settings, assuming consent for all cookies without giving users the option to easily opt out or customize their preferences.

Non-compliant cookie banners:
A significant number of websites had cookie notices that failed to meet legal requirements. These banners either lacked essential information about the types and purposes of cookies used, or didn’t provide users with genuine choices to refuse cookies.

No granularity in cookie preferences:
Many websites lacked granular consent controls, preventing users from opting in to or out of specific categories of cookies (e.g., marketing, analytics or functional cookies), instead forcing users into an all-or-nothing choice.

Difficult to withdraw consent:
In some cases, once users had consented to cookies, there was no clear or accessible mechanism for them to change their cookie preferences or withdraw their consent later on. This violates the ICO’s guidelines on ease of withdrawal.

New ICO cookie compliance guidelines: So what’s changed?

No major changes have been introduced to how cookie banners, consent management, and tracking practices should work. The updates mostly reaffirmed existing standards and clarified enforcement expectations, in a continued push for greater accountability and transparency in cookie consent practices. The main new element introduced is the stronger enforcement of the “consent or pay” rule.

The ICO has also ramped up its focus on ensuring the UK’s top 1,000 websites meet compliance standards, and it has signaled that violations will lead to stronger enforcement actions, including potential fines.

EXPERT’S OPINION
“The new ICO cookie compliance guidelines aren’t just a regulatory checklist – they reflect a shift in user expectations. People want transparency and control over their data more than ever. At Duga Digital, we've seen firsthand how implementing clear, user-friendly consent mechanisms not only ensures compliance but also builds trust with customers.”

Here’s a summary of what was reinforced or expanded:

Cookie compliance in the UK: old vs. new cookie guidelines (January 2025)

Stronger enforcement of existing principles

The ICO has highlighted that cookie compliance is a priority and has called attention to websites failing to meet key legal standards, specifically regarding cookie banners and consent mechanisms. While the principles themselves (e.g., valid consent, consent records’ retention limits, third-party transparency, etc.) haven’t fundamentally changed, the ICO has taken a stronger stance on enforcement.

Increased focus on large websites

There’s a heightened focus on the UK’s top 1000 websites. These websites are under increased scrutiny, as the ICO found significant violations when reviewing the top 200. The strategy includes scaling efforts to ensure these major websites comply with cookie regulations, which could lead to increased penalties for non-compliance.

Non-essential cookies

The new guidelines emphasize that consent for non-essential cookies (such as marketing cookies) can’t be made a condition for accessing content. This reinforces the idea that users shouldn’t be forced into consenting to optional cookies in exchange for services or content. It ensures that consent is truly informed and not forced.

Transparency and accountability

The ICO has continued to stress the need for greater transparency in how cookies are used, with more detailed explanations about third-party cookies and the specific purposes for which they collect user data. There is also an increased emphasis on record-keeping and accountability, urging companies to demonstrate that they are taking compliance seriously.

The ICO’s latest communications repeated the concept of “meaningful choice”, referring to users having real control over how their data is collected and used.

Implement a cookie banner that meets ICO’s new cookie requirements

Stay compliant, avoid fines, and maintain a seamless user experience with a cookie banner tool built for marketers.

What UK marketers need to do now: Ensure cookie compliance and protect your brand

The ICO is cracking down on cookie consent compliance, so if you’re a marketer, website admin or business owner, now’s the time to take action and get your website in line with the new rules.

If you’re working on client websites as a freelancer or digital marketing agency, you have a heavier responsibility. Ultimately, it’s your clients’ reputation and financial health that’s on the line.

Achieving compliance with the ICO’s updated cookie guidelines is essential to ensuring your website – and/or your clients’ – meets legal requirements while respecting user privacy. To help you navigate this process, we’ve put together the checklist below, outlining the key actions you should take to achieve cookie compliance.

Here’s a step-by-step guide to getting your site ICO-compliant:

How to achieve compliance with the new ICO cookie guidelines (Checklist)

1. Review cookie consent banners

Ensure your cookie popup is clear and concise, providing users with meaningful choices. Avoid pre-ticked boxes or implied consent, and make sure there’s an option to opt out of all optional cookies.

2. Implement a consent management platform (CMP)

Use a CMP like Cookie Information’s cookie banner for websites that allows you to manage and track user consent easily and remain compliant with relevant privacy laws.

Our consent solution is tailored to help you optimize opt-in rates and increase trust among your existing and potential customers. It also integrates natively with Google’s Consent Mode v2, enabling accurate analytics and targeted advertising while ensuring full compliance with privacy regulations like the UK General Data Protection Regulation (GDPR) and PECR.

Bonus: Start a free 14-day trial to test all our features and see how easy ICO cookie compliance can be. Your website might also qualify to use our free CMP plan, which is so complete it rivals other paid consent solutions.

3. Audit your cookie usage

Take inventory of all the cookies used on your website and ensure you only use the ones necessary for functionality. Present users with a detailed breakdown of these cookies and their purposes. Our free online cookie checker tool can help you automate this step.

4. Update your privacy policy

Your privacy policy should clearly outline the types of cookies you use, why you use them, and how users can manage their preferences. Cookie Information’s CMP helps you automate this process by updating your cookie policy automatically based on the cookies and trackers running on your website.

5. Monitor and adjust regularly

As privacy compliance is ongoing, stay updated on any further changes from the ICO or other regulatory bodies to avoid scrutiny and potential fines for non-compliance.

EXPERT’S OPINION
“With the updated guidelines, it’s a perfect time for UK marketers to reassess their approach to data privacy. It's not just about avoiding fines – it's about creating a website experience that respects user privacy and puts them in control of their data.”

How Cookie Information’s cookie banner for websites can help you comply with ICO's new cookie guidelines

Cookie Information’s customizable banners make it easy for your website to stay on top of the latest privacy rules, including the ICO’s updated cookie compliance guidelines. Designed for marketers with user trust and privacy in mind, our consent solution ensures that your website meets compliance requirements, especially regarding the UK GDPR and PECR.

Here’s how our cookie consent banner can support your compliance journey:

Valid consent must meet seven key principles under the ICO guidelines. These include:

Our system regularly scans your website (typically every week) to identify all cookies and trackers in use. This ensures you have full visibility and control, keeping you compliant and on top of your cookie usage.

Our banners are specifically designed to adhere to the ICO’s requirements, offering equal prominence to both the “Accept” and “Reject” options. This ensures that users have a clear, easy choice and that your website follows best practices for transparency.

Tailor the design, messaging, and functionality of your cookie popup to fit your website’s branding while ensuring that your consent mechanism remains fully compliant with the latest regulations.

With our intuitive dashboard, you can stay informed about your cookie compliance status across multiple websites. You can track consent and cookie usage in real time, allowing for swift adjustments and peace of mind.

By using Cookie Information’s solution, you can easily implement a cookie consent system that is user-friendly and fully compliant with the ICO’s new guidelines. This will help you build trust with your audience while avoiding potential fines.

How digital marketing agencies can benefit from partnering with Cookie Information

As a digital marketing agency, you understand the importance of helping your clients stay ahead of evolving regulations. With the ICO’s tightened cookie compliance guidelines, it’s crucial to offer solutions that ensure your clients are fully compliant with the UK GDPR and PECR, while maintaining a smooth user experience.

Cookie Information offers a simple way to keep your clients’ websites compliant with the ICO’s guidelines. Our customizable cookie consent banners help ensure your clients avoid fines while staying aligned with the latest regulations.

Why partner with Cookie Information?

  • Seamless integration: Our platform integrates natively with Google Consent Mode v2, enabling accurate analytics and advertising while keeping your clients’ data compliant.
  • Automated compliance management: You can monitor and manage cookie compliance for multiple clients through one easy-to-use platform.
  • Tailored solutions for agencies: We offer a unique partner program that provides the tools, resources, and support to help you offer cookie compliance as a service to your clients.

Learn more about our partner program and sign up to become a partner.

Quick overview: Key UK data privacy laws you need to know

To stay fully compliant, it’s essential to understand the key pieces of UK cookie law that govern cookie usage and personal data processing.

PECR (Privacy and Electronic Communications Regulations)

The PECR govern the use of cookies and other tracking technologies on UK websites. Similar to the EU’s ePrivacy Directive, PECR sets out clear rules that websites must follow when using cookies. The regulations require websites to obtain informed, specific and explicit consent before placing non-essential cookies, like tracking cookies, on internet users’ devices.

The Data Protection Act 2018 (UK GDPR)

The Data Protection Act 2018, also known as the UK GDPR, is the foundation of the UK’s privacy laws. It outlines how personal data should be processed, and while it’s very similar to the EU’s GDPR, it’s been adjusted to reflect post-Brexit UK regulations. Under the UK GDPR, organizations must lawfully, transparently, and fairly process personal data. It also gives individuals certain rights over their data, such as the right to access, erase, or restrict its processing.

UK GDPR vs. EU GDPR

While the UK GDPR is largely aligned with the EU GDPR, there are some key differences:
  • Geographical scope: UK GDPR applies to organizations that process the personal data of UK residents, while EU GDPR applies to those who handle the data of EU residents.
  • Supervisory authority: In the UK, the ICO oversees compliance, whereas, in the EU, it’s the Data Protection Authorities (DPAs) of individual member states.

Key points of the UK GDPR

  • Valid consent: Organizations must obtain informed, specific, and explicit consent from users before collecting personal data.
  • Data minimization: Only collect data necessary for your outlined specific purposes.
  • Right to access and deletion: Individuals have the right to access their data and request its deletion if it’s no longer needed.
  • Security: Organizations must implement appropriate technical and organizational measures to safeguard personal data.

Ready to take action?
Start your free trial of Cookie Information Cookie Banner for Websites today to ensure your website meets ICO’s recommendations and stays ahead of evolving regulations.

Frequently asked questions: ICO’s new cookie guidelines explained

Frequently asked questions for digital marketing agencies

By using Cookie Information’s customizable consent banners, your agency can easily manage and implement cookie compliance across multiple client websites. Our automated cookie audits and real-time tracking make it simple to stay cookie compliant with the ICO’s new guidelines, while also optimizing user consent rates.

Absolutely! Cookie Information’s platform is designed with agencies in mind. You can integrate our solution into your client offerings, ensuring their websites are cookie compliant and user-friendly. We also provide a partner program with resources to help you manage cookie compliance efficiently.

Cookie Information is fully aligned with the latest ICO guidelines, offering a more user-friendly and flexible solution for both your agency and your clients. It also integrates with Google Consent Mode v2 for better analytics and advertising control, ensuring your clients’ cookie consent processes don’t compromise their digital marketing strategies. Our CMP pricing includes a free 14-day trial period and a free CMP plan.

Yes! Our platform’s intuitive compliance dashboard allows you to monitor and manage cookie consent for multiple websites. It provides real-time compliance tracking, making it easy to ensure your clients stay cookie compliant without constant manual checks.

The ICO (Information Commissioner’s Office) is the UK’s independent authority for upholding information rights and enforcing data privacy regulations, including cookie compliance. They issue warnings, enforce fines, and provide guidance to ensure organizations comply with the UK GDPR and the PECR.

What is PECR, and how does it relate to cookies?

The Privacy and Electronic Communications Regulations (PECR) govern cookie usage on UK websites. PECR requires websites to obtain informed and explicit consent before placing optional cookies on users’ devices, such as those used for tracking or marketing purposes.

How is UK GDPR different from EU GDPR?

The UK GDPR is a UK-specific version of the EU GDPR that applies to organizations processing the personal data of UK residents. While the core principles are largely the same, the enforcement authority is the ICO in the UK, as opposed to Data Protection Authorities (DPAs) in EU member states.

No, essential cookies – such as those necessary for the website’s basic functionality – don’t require user consent, as per the ICO’s new guidelines. However, you must obtain explicit consent for non-essential cookies, like those used for analytics or marketing.

To ensure compliance with the ICO’s guidelines, your website must have clear, user-friendly cookie consent banners with equal prominence given to “Accept” and “Reject” options. Implement a Consent Management Platform (CMP) to manage user preferences and regularly audit your cookies. Update your privacy policy to reflect the types of cookies used and their purpose.

What penalties can I face for non-compliance?

Failure to comply with ICO guidelines may result in penalties, including fines. The severity of the fine depends on the nature and scope of the violations, so it’s essential to stay up-to-date with compliance requirements to avoid these risks.

The ICO has not yet imposed significant fines specifically for cookie compliance violations, but it has issued warnings and emphasized that it will consider fines if businesses do not improve their practices. For example, in November 2023, the ICO warned 53 UK websites about potential enforcement actions for non-compliance with cookie regulations (Source: ICO Press Release).

However, other European regulators, like the CNIL in France, have imposed large fines. For example, Amazon, Carrefour and Carrefour Bank were fined a combined €38 million for cookie consent violations in 2020.

The “consent or pay” principle means that websites cannot require users to opt in to non-essential cookies (like marketing cookies) as a condition to access content. Users must be given a genuine choice to opt in to or opt out of cookies, and access to the website must not be conditional on accepting optional cookies.

The ICO has reinforced the importance of transparency when it comes to third-party cookies. Websites must disclose third-party cookie usage, including which third parties are tracking users and for what purposes. This is part of a broader emphasis on transparency and accountability.

You can automate cookie compliance across multiple websites using a Consent Management Platform (CMP). Cookie Information’s CMP, for example, offers real-time monitoring and cookie audits, allowing you to track compliance status and adjust your cookie banners as needed.

What changes were made in the ICO’s latest guidelines for large websites?

The ICO has increased its scrutiny of the UK’s top 1,000 websites, aiming to ensure these major sites comply with cookie regulations. Websites that fail to meet compliance may face increased penalties. This heightened focus stems from the ICO’s analysis of 200 websites, where a significant number were found to be non-compliant.

“Meaningful choice” refers to the user’s ability to make an informed decision about cookie consent, with clear, accessible options to opt in to or opt out of cookies. Websites must enable real control over data collection, ensuring users are not coerced into consenting to optional cookies, and that consent is freely given.