Nixon Digital

ICO starts enforcing stricter cookie compliance for UK websites

134 of 200 UK websites are non-compliant


The Information Commissioner’s Office (ICO) is stepping up its enforcement of cookie compliance across the UK’s largest websites. In early 2025, the ICO announced an investigation into the top 1000 most visited sites in the UK. This initiative aims to ensure that businesses follow data protection laws and give users real control over their online privacy.

If your website collects data through cookies, trackers, or other scripts, this enforcement push could directly impact you. The days of vague consent banners and hidden tracking are over. Websites that fail to comply risk regulatory action, reputation damage, and potential fines.

Why is the ICO doing this now?

The ICO has been clear about its concerns with how businesses handle cookie consent. Many websites still make it difficult for users to reject tracking cookies or fail to provide a transparent choice. Some rely on pre-checked consent boxes or require users to navigate multiple pages to opt out. Others give no real option to refuse cookies at all.

This new enforcement effort is a response to widespread non-compliance. The ICO’s goal is to ensure that businesses follow the law and that users have a genuine choice when it comes to their data. Companies that continue to rely on outdated or misleading cookie banners will need to make changes fast.

The key ICO compliance requirements

To meet the ICO’s expectations, websites must ensure their cookie consent mechanisms follow these principles:

  • Users must actively consent to cookies before they are stored on their device. Passive or implied consent does not count.
  • Websites must give visitors a real choice to reject cookies as easily as they can accept them.
  • Consent must be specific, meaning users should be able to choose which types of cookies they allow.
  • Businesses must document and store records of user consent to prove compliance if needed.
  • Websites cannot make access to content conditional on accepting cookies unless there is a legally valid reason.

These rules are not new, but enforcement has been inconsistent in the past. With the ICO now actively investigating sites, businesses that are not compliant could face serious consequences.

What happens if your website is not compliant?

If the ICO finds that a website is not following the rules, it can issue enforcement notices requiring immediate changes. In more serious cases, businesses can be fined under UK data protection law. Even if a website does not receive a fine, public exposure of non-compliance can harm customer trust.

Beyond legal penalties, failing to comply can also impact marketing effectiveness. Many ad platforms require compliance with data privacy regulations, and improper consent mechanisms could result in lost advertising revenue.

How businesses can prepare

To avoid regulatory action, businesses should audit their websites and ensure their cookie policies align with ICO requirements. This includes reviewing cookie banners, ensuring all trackers are accounted for, and implementing a clear consent mechanism.

For businesses managing multiple websites, staying compliant can be even more challenging. Large website portfolios require continuous monitoring, as new trackers and third-party scripts can be introduced over time.

The ICO’s crackdown means businesses can no longer afford to overlook cookie compliance. Organizations that take a proactive approach will protect their reputation, avoid regulatory scrutiny, and build better trust with users.

Let us help you. We’ll audit your website completely for free and provide you with a clear, detailed report on how it measures up against ICO requirements and UK GDPR.

Marcel van Rijn
Founder
