ICO Targets Top 1,000 UK Websites for Cookie Compliance

The UK’s Information Commissioner’s Office (ICO) has made it clear: cookie banners that fail to offer users a real choice are no longer acceptable. Common issues include banners that imply consent (“By using this site, you accept cookies”), drop tracking cookies like Google Analytics before consent is given, or fail to provide a visible “Reject All” option. If your website uses non-essential cookies and doesn’t meet these standards, you’re likely non-compliant, and the ICO is actively investigating.

The ICO recently reviewed 200 of the most visited UK websites and contacted 134 of them about non-compliant cookie practices. Now, the ICO is expanding its crackdown to include the top 1,000 websites. It doesn’t matter if you run a SaaS platform, an e-commerce site, or a healthcare portal; if your website uses cookies (and almost all do), now is the time to check your cookie compliance.

Why the ICO Is Cracking Down on Cookies

The ICO’s campaign isn’t a random spot-check – it’s a deliberate effort to enforce UK privacy laws (PECR and UK GDPR) around online tracking. Under these laws, you can’t set non-essential cookies on a user’s device without their consent. “Consent” means a freely given, informed choice – no pre-ticked boxes, no implied consent by default. The only cookies you can set without asking are those strictly necessary for your site to function (like remembering items in a shopping cart).

In late 2023, the ICO warned some of the UK’s biggest websites to shape up their cookie banners. Many made the change in January 2024, and the ICO noted that out of 53 major sites it initially contacted, 38 quickly adjusted their cookie banners to comply, and four more committed to changes within a month. Encouraged by this, the ICO didn’t stop at the top 100. It moved to the top 200 sites, then announced plans to review the top 1,000 most-visited UK websites for cookie compliance. This is part of the ICO’s 2025 online tracking strategy to ensure “people have meaningful choice” over how their data is used online.

What’s at stake if you’re not compliant? 

The ICO has clarified that organisations ignoring the rules can face enforcement action, including fines. Under PECR, fines for serious breaches can go up to £500,000 (and under the UK GDPR, potentially much higher, up to £17.5 million or 4% of global turnover in theory). While a cookie banner violation alone might not incur the maximum penalty, the reputational damage and regulatory scrutiny from non-compliance can be costly.

Additionally, the ICO is increasingly sophisticated in its approach; it’s even exploring AI tools to detect non-compliant cookie banners on UK sites automatically. In other words, you can’t just fly under the radar. 

What Does Non-Compliance Look Like?

It’s easy to assume your cookie banner is fine because you see similar ones everywhere. But many businesses (including big names) are getting it wrong. Here are common cookie compliance mistakes that the ICO has been flagging:

Dropping cookies before consent: Many websites load marketing or analytics cookies as soon as the page opens, before the user can agree. If your site is doing this (even through third-party scripts like ad trackers), it’s a breach. The ICO expects sites to avoid setting non-essential cookies until the user consents.

No “Reject All” option (or hiding it): Your banner needs to give users a real choice. That means an equally prominent “Reject All” button next to “Accept All.” If “Accept” is big and bright but “Reject” is buried in a link or missing entirely, that’s not a fair choice. The ICO explicitly looks for “equally weighted options to accept and reject cookies.” The bottom line is that if users can’t say “no” as easily as “yes,” it’s not consent.

Pre-ticked boxes or implied consent: Some banners have boxes already checked for targeting or analytics cookies, or say “By continuing to use our site, you agree…” This does not count as valid consent. Consent must be an explicit affirmative action by the user – e.g. clicking “Accept” (with nothing pre-selected). The ICO found several sites using pre-ticked consent boxes or default “on” settings, which assume consent without a real choice. If your banner works this way, it needs to change immediately.

Vague or misleading wording: Be direct about what the user is choosing. Don’t hide the implications behind “Settings” or obscure language. For example, a banner that just says “We use cookies to improve your experience” with an “OK” button is insufficient. Before agreeing, users need to know what they’re consenting to (tracking for ads, analytics, and personalisation). The ICO noticed many consent banners that were vague, hidden, or hard to understand, making it challenging for visitors to make an informed choice. Avoid dark patterns like colouring the “Accept” button in a way that draws the eye while the “Reject” is plain text.

No way to refuse or withdraw consent: Some banners offer an “Accept” button and maybe a tiny “Manage cookies” link, but no quick way to refuse all. Once you’ve accepted, there is no easy way to change your mind later. Both are problems. Users should be able to say “no” upfront and have a way to withdraw consent later (for instance, a “Cookies” link in your footer or an icon where they can revisit preferences). The ICO’s guidance is that consent should be as easy to withdraw as it is to give. You’re not meeting best practices if your site doesn’t allow that.

All-or-nothing choices (no granularity): While not strictly illegal to only offer a simple Accept/Reject all (indeed, many ICO-compliant banners do just that with two buttons), the ICO has noted that providing granular controls is a good practice. Many sites they reviewed forced users to accept everything or lose all the nice-to-have features. It’s better to let users choose categories (e.g. “Analytics”, “Marketing”, etc.), usually via a “Preferences” or “Settings” panel. Granularity shows you’re respecting user choices. However, you must have that Reject All option if you’re not offering detailed toggles.

“Consent or Pay” walls done wrong: Some publishers try to comply by saying, “Accept cookies or subscribe/pay to use the site.” The ICO has published guidance on these so-called “consent or pay” models. The short version: be very careful. You cannot twist someone’s arm into accepting tracking by blocking content, unless you offer a fair alternative (like a reasonably priced ad-free subscription), and even then the user’s choice must be voluntary. If you’re considering this approach, follow the ICO’s detailed guidance to the letter. This isn’t applicable for most SaaS and e-commerce businesses – you’re better off getting proper consent for cookies rather than trying to charge people to avoid them.

In summary, non-compliance usually boils down to not giving users a real choice. If your cookie notice is deceptive (there for show, but in practice, you track users however you want), the ICO will eventually catch on. 

How to Check Your Cookie Compliance (and Fix It)

If you’re not entirely sure if your website is 100% compliant, here’s a practical game plan: 

1. Audit your current cookies and consent flow

Do a thorough review of what cookies your website sets, and when. You can use browser developer tools or a cookie scanner to see which cookies land on your device before and after giving consent. Identify all the non-essential cookies (anything that’s not strictly necessary for the site’s basic operation). Common culprits include analytics packages (Google Analytics, etc.), advertising trackers (Google Ads, Facebook Pixel), live chat widgets, A/B testing tools, etc. Make a list of these and note when they load. If any are loading on page load before consent, that’s a red flag. Also, review your cookie banner’s text and options: what choices are you actually giving users? This audit might involve both your dev team and marketing since they often add tracking pixels. The goal is to map out “what are we doing now?” versus “what should we be doing?”

2. Update your cookie banner to meet UK requirements 

Once you know where the gaps are, fix them. Key changes to implement include:

No cookies before consent: Configure your site so that no non-essential cookies or trackers fire until the user clicks “Accept” (or another affirmative consent). This may mean adding scripts only after consent is given, or using a consent management platform (CMP) that automatically holds back those tags. Test this thoroughly – if one of your scripts is misbehaving and still dropping a cookie early, you need to catch it.

Ensure “Reject All” is present and equal: Redesign your banner if needed to have a prominent “Reject All” button alongside “Accept All.” Both options should be clearly visible on the first layer of the banner, with equal visual weight. For instance, if “Accept” is a bright colour button, “Reject” should also be a button of equal size and contrast. It’s fine (even good) to have a “Manage settings” for granular choices, but there must be a one-click way to refuse all non-essentials. This fulfils the ICO’s requirement for “equally weighted options to accept and reject” cookies.

Rewrite your banner text for clarity: Make sure what the banner is asking is immediately clear. Mention the purpose of the cookies you’d like to use (e.g. “analytics to improve our service, and marketing to show relevant ads”). Keep it short but not misleading. For example: “We use cookies to analyse site usage and to personalise ads. You can Accept All or Reject All non-essential cookies.” And provide a link to your full cookie policy for those who want details. Avoid any sneaky language that tries to guilt or trick the user – the ICO is looking for that.

Remove any pre-ticked boxes or default consents: If your consent mechanism includes checkboxes or toggles for categories, make sure all optional ones start unchecked/off. The user should have to actively opt in to each category (or just click Accept All). Never assume consent. Similarly, if you had a notice that implied continuing to browse equals consent, that’s outdated and not compliant in the UK.

Implement an easy way to change or withdraw consent: After a user makes a choice, you should honour it and give them a route to change their mind. Many companies now add a small “Cookie Settings” link in the footer or a floating icon that users can click to review or update their preferences. This isn’t explicitly mandated in the law’s text, but regulators strongly recommend it, and it aligns with GDPR principles. The ICO has noted that not providing a way to withdraw consent is a common failing. Ensure your solution (CMP or custom) can bring the banner or settings back up on demand.

Consider a Consent Management Platform: If this sounds complex to build, you’re not alone. Many businesses use a Consent Management Platform (CMP) – a software tool that handles the cookie banner, stores consents, and manages the loading of cookies. Just be sure to configure any CMP you use to comply with UK requirements (which might be stricter than those of other regions). For example, some out-of-the-box banners from US-based CMPs might not include a Reject All button by default – you’d need to enable that for UK visitors. There are several reputable CMP providers; choose one that lets you customise the user experience and is up-to-date with legal guidance.

If using “cookie wall” or pay alternative models: Most businesses can skip this, but if you do plan to require consent in exchange for service (or ask users to pay if they don’t consent to ads), study the ICO’s “Consent or Pay” guidance carefully. You must ensure the user has a free choice (e.g., the paid option is reasonable and accessible) and document why you believe any such model still gives “freely given” consent. This is a complex area – when in doubt, get professional advice. Providing a straightforward cookie banner with real choice is the safer route for the vast majority.
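The consent-gating logic that the changes in step 2 describe (nothing optional loads until an affirmative choice, every optional category starts off, one-click Reject All, and a withdrawal route that is as easy as consenting) is shown below as an added example; it is not the article’s code and not any particular CMP’s API. The tag names, categories, script URLs, version label and the `loadScript` callback are all constructed for illustration; in a browser `loadScript` would append a `<script>` element, and injecting it here lets the module run outside a page.

```javascript
// Added example: a minimal consent gate for non-essential tags (not the
// article's code, not a CMP's API). Tag ids, categories, URLs, the version
// label and the loadScript callback are constructed assumptions.

const CONSENT_VERSION = 'banner-v2'; // constructed version label (see step 3: record it)

// Every optional tag is registered with its category. Nothing in this
// registry loads until the matching category is explicitly opted in.
const TAG_REGISTRY = [
  { id: 'google-analytics', category: 'analytics', src: 'https://example.invalid/analytics.js' },
  { id: 'ad-pixel',         category: 'marketing', src: 'https://example.invalid/pixel.js' },
  { id: 'ab-testing',       category: 'analytics', src: 'https://example.invalid/ab.js' },
];

const OPTIONAL_CATEGORIES = ['analytics', 'marketing'];

function createConsentManager({ loadScript, now = () => new Date() }) {
  // Default state: every optional category is OFF (no pre-ticked boxes).
  let choices = Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, false]));
  let decided = false;
  const loaded = new Set();
  const records = []; // audit trail of each decision, for step 3 documentation

  function record(action) {
    records.push({ action, version: CONSENT_VERSION, at: now().toISOString(), choices: { ...choices } });
  }

  // Loads only tags whose category is opted in, each at most once.
  function applyChoices() {
    const loadedNow = [];
    for (const tag of TAG_REGISTRY) {
      if (choices[tag.category] && !loaded.has(tag.id)) {
        loadScript(tag.src);
        loaded.add(tag.id);
        loadedNow.push(tag.id);
      }
    }
    return loadedNow;
  }

  function setAll(value) {
    for (const c of OPTIONAL_CATEGORIES) choices[c] = value;
    decided = true;
  }

  return {
    // "Accept All": the single affirmative action that turns everything on.
    acceptAll() { setAll(true); record('accept_all'); return applyChoices(); },
    // "Reject All": one click, same prominence as accept, loads nothing.
    rejectAll() { setAll(false); record('reject_all'); return applyChoices(); },
    // Granular preferences: only the named categories are switched on.
    savePreferences(selected) {
      for (const c of OPTIONAL_CATEGORIES) choices[c] = selected.includes(c);
      decided = true;
      record('save_preferences');
      return applyChoices();
    },
    // Withdrawal: stops any further loading. Scripts already on the page
    // cannot be unloaded, and cookies they set must still be cleared
    // separately (by the CMP or on the next page load).
    withdraw() { setAll(false); record('withdraw'); return { ...choices }; },
    hasDecided: () => decided,
    getChoices: () => ({ ...choices }),
    getLoadedTags: () => [...loaded],
    getRecords: () => records.map((r) => ({ ...r })),
  };
}

// Stand-alone walk-through with a constructed loader that only records URLs.
function demo() {
  const calls = [];
  const cm = createConsentManager({ loadScript: (src) => calls.push(src) });
  cm.savePreferences(['analytics']); // loads the two analytics tags only
  cm.withdraw();                     // no further loading after this
  return { loaded: cm.getLoadedTags(), calls, records: cm.getRecords().length };
}
```

The point of keeping the registry separate from the banner is that marketing cannot add a tracker without registering it under a category, which is the internal policy step 3 below recommends.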

3. Document and communicate your compliance efforts 

It’s essential to keep records of what you’ve done to comply. Update your privacy/cookie policy to reflect your current practices (list the cookies and their purposes, and describe how users can change their preferences). Record the version of the banner/CMP you’re using and the date you implemented these changes. If the ICO does come knocking, it helps to demonstrate that you took proactive steps. Internally, let your team (developers, marketing, IT, legal) know about the new procedures, for example, a policy that no new tracking tools are added to the site without going through the consent mechanism. Compliance is an ongoing process, not a one-time fix.

4. Be ready to respond to the ICO or user complaints

If you were one of the companies that received an ICO warning letter, respond by the deadline, explaining precisely what you’re doing to fix the issues (and of course, do those fixes!). Even if you haven’t heard from the ICO, you should assume you’re on their radar given the 2025 plan. Also, regular users can report cookie concerns to the ICO. Proactively fixing things now means you won’t be scrambling later. The ICO has even set up a portal for businesses to self-report their cookie compliance, essentially a webform to “tell us about your use of cookies.” Consider filling it out to demonstrate your good-faith effort. You’ll need to confirm if all your websites:

Refrain from setting cookies before consent,

Offer equally weighted accept/reject options, and

Don’t set cookies when a user has refused.

If you haven’t met all those points yet, the form asks when you expect to be compliant. You can find that form on the ICO’s site (under “Tell us about your use of cookies”); completing it is a smart move to show transparency.

Cookie Compliance Checklist for UK Businesses

For a busy founder or privacy lead, here’s a quick checklist to review your website’s cookie compliance. Use this as a final run-through:

No cookies before consent: Check that no non-essential cookies (analytics, advertising, etc.) load until the user has given explicit consent. This may require a site scanner or your browser’s dev tools to see what fires on first page load. Tip: If cookies or third-party requests happen without a user click, fix your consent script or tag manager setup. (ICO requirement: “refrain from setting cookies before asking for user consent”)

“Accept All” and “Reject All” are present and equal: Your banner should have a clear “Accept All” button and an equally clear “Reject All” button on the first screen. Both should be easy to see and click, without extra clicks or scrolling. No hiding the reject option in a settings submenu or making it a tiny link. (ICO requirement: “offer equally weighted options to accept and reject cookies”)

Consent is truly optional (no pressure): Ensure you aren’t forcing or sneaking consent. All optional cookie categories should be off until opted in. No pre-ticked boxes, and no messages like “By using our site, you agree to cookies” without an actual choice given. Users who reject cookies should still be able to use your site’s core functions. (UK GDPR consent standard: must be a clear affirmative action by the user – e.g. no pre-ticked boxes)

No cookies set after refusal: If a user clicks “Reject All” (or otherwise says no), verify that your site truly does not set any non-essential cookies. Sometimes, a bug or misconfiguration might still let a tracker slip through. Test this by hitting “reject” and then checking what cookies are stored. It should only be the bare minimum necessary ones. (ICO requirement: do not set cookies if the user has refused consent)
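The audit in step 1 above and the “no cookies set after refusal” check here are the same test run in three states: before any choice, after Reject All, and after a partial opt-in. The following added example (not the article’s code) does that check against a declared cookie inventory. The inventory, cookie names and captured cookie strings are constructed; in a browser the names come from `document.cookie`, which does not expose HttpOnly cookies, so those still need the dev tools storage panel or a scanner.

```javascript
// Added example: audit observed cookies against a declared inventory and a
// consent state. Not the article's code; the inventory, cookie names and
// captured cookie strings below are constructed for illustration.

// Constructed inventory: what each cookie is for and which category it belongs to.
const COOKIE_INVENTORY = {
  session_id: { category: 'essential', purpose: 'login session' },
  cart:       { category: 'essential', purpose: 'basket contents' },
  consent:    { category: 'essential', purpose: "stores the user's cookie choice" },
  _ga:        { category: 'analytics', purpose: 'Google Analytics client id' },
  _gid:       { category: 'analytics', purpose: 'Google Analytics session' },
  _fbp:       { category: 'marketing', purpose: 'Facebook Pixel' },
};

// Turns a document.cookie-style string ("a=1; b=2") into cookie names.
function cookieNamesFromString(cookieString) {
  return cookieString
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => part.split('=')[0]);
}

// consent is { analytics: bool, marketing: bool }, or null before any decision
// (null means nothing optional is permitted yet).
function auditCookies(cookieNames, consent, inventory = COOKIE_INVENTORY) {
  const allowed = consent || {};
  const violations = []; // optional cookies present without consent for their category
  const unknown = [];    // cookies nobody declared: a tag was added without review
  for (const name of cookieNames) {
    const entry = inventory[name];
    if (!entry) { unknown.push(name); continue; }
    if (entry.category === 'essential') continue;
    if (!allowed[entry.category]) {
      violations.push({ name, category: entry.category, purpose: entry.purpose });
    }
  }
  return { compliant: violations.length === 0 && unknown.length === 0, violations, unknown };
}

// Walks the three states the ICO's self-report form asks about, using
// constructed captures of document.cookie.
function runAudit() {
  const beforeConsent = 'session_id=abc; _ga=GA1.1.1; _gid=GA1.1.2; cart=3';
  const afterReject = 'session_id=abc; cart=3; consent=rejected; _ga=GA1.1.1';
  const afterAnalyticsOnly = 'session_id=abc; consent=analytics; _ga=GA1.1.1; _fbp=fb.1; hjid=xyz';
  return {
    beforeConsent: auditCookies(cookieNamesFromString(beforeConsent), null),
    afterReject: auditCookies(cookieNamesFromString(afterReject), { analytics: false, marketing: false }),
    afterAnalyticsOnly: auditCookies(cookieNamesFromString(afterAnalyticsOnly), { analytics: true, marketing: false }),
  };
}
```

Run it after each of the three interactions on a fresh browser profile; a non-empty `violations` list is the red flag the audit step describes, and a non-empty `unknown` list means the inventory (or the site) has drifted since the last review.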

Clear info and purpose: Your banner (or an accessible policy) should briefly explain what cookies are used for, so the user can make an informed decision. For example, mention if you use cookies for analytics, ads, personalisation, etc. Transparency is key – part of being “informed” under GDPR. Also, ensure your full cookie policy is up to date and easy to find (linked from the banner and your site footer).

Easy way to change mind: Provide a method for users to revisit their cookie preferences. This could be an ever-present icon or a link like “Cookie Settings” on your site. The idea is that after the initial choice, the user isn’t locked in forever; they can opt out later if they choose. This is good practice and aligns with the principle that withdrawing consent should be as easy as giving it.

Documentation and accountability: Keep a record of consents and your compliance efforts. Many CMPs automatically log consent records. Even if you’re not required to submit these routinely, having them available demonstrates accountability. Also, double-check that your organisation is registered with the ICO and paying the annual data protection fee if required – it’s unrelated to cookies per se. Still, if you’re caught out on that, it’s an unnecessary headache (the ICO’s cookie self-assessment form will ask for your registration number).

If you can tick all the boxes above, you can be confident that you’re in good shape for cookie compliance. You’ll be ready if the ICO reviews your site or a user complains. It also means respecting your visitors, not just avoiding fines, but building trust.

Summary

The ICO’s sweep of the top 1,000 UK websites for cookie compliance is a wake-up call for everyone, not just the big players. The practical takeaway for UK businesses is clear: review your cookie consent approach before regulators (or your own users) force you to. The good news is compliance is achievable with some focused effort, and the ICO provides tools (like guidance and that self-report form) to help you get there.

You have a lot on your plate as a UK founder, privacy lead, or legal officer. But getting your cookie banner right should be a quick win. It’s a one-time fix with ongoing benefits. You’ll avoid regulatory trouble and show your users you respect their choices. In an age of increasing privacy awareness, that’s part of operating responsibly and staying competitive.

Take action now: audit your site, implement any needed changes, and consider proactively reporting your compliance via the ICO’s cookie compliance webform. Doing so will demonstrate that your business is on top of privacy obligations.

https://ico.org.uk/for-organisations/tell-us-about-your-use-of-cookies/

Citations

ICO takes action to tackle cookie compliance across the UK’s top 1,000 websites

ICO warns of fines for companies who do not get cookie banners right

ICO updates UK cookie guidelines and warns 134 websites – What marketers need to know for 2025

ICO warns organisations to proactively make advertising cookies compliant after positive response to November call to action

UK Information Commissioner’s Office Announces Cookies Compliance Review of the UK’s Top 1,000 Websites | Advisories | Arnold & Porter