Cookies and Consent: the ICO's Cookie Review

Published on: 05/02/2025

#Data Protection

In the digital age, cookies play a crucial role in how websites operate and interact with users. Companies use cookies to help websites remember preferences, track user behaviour, and deliver personalised content. Whilst this can lead to a more effective and personalised service, the non-consensual use of these cookies has raised significant privacy concerns, leading to stringent regulations on how they should be managed. The Information Commissioner's Office (ICO) has been at the forefront of ensuring that people’s rights are upheld by the digital advertising industry. As part of this, the ICO has announced that it is expanding its review of cookie usage from the top 200 websites in the UK to the top 1,000 websites, to bring them into compliance with data protection law.

Understanding Cookies and Consent

Cookies are small text files that are placed on user devices by websites that the user visits. These can be broadly categorised into essential and non-essential (or analytics) cookies. Essential cookies are necessary for the basic functioning of a website, such as maintaining user sessions or remembering items in a shopping cart. Non-essential cookies, on the other hand, are used for purposes like analytics, advertising, and personalisation. These cookies often track user behaviour across different websites, and the ICO has flagged the potential harm that can be caused from the use of this, such as gambling addicts being targeted with more betting ads due to their browsing history.

Under the UK General Data Protection Regulation (GDPR), websites must obtain explicit consent from users before placing non-essential cookies on their devices. This means users should be informed about the types of cookies being used, their purposes, and must be given a clear choice to accept or reject them.

The ICO's Review of the Top 1,000 Websites

In January 2025, the ICO announced an ambitious plan to review the cookie usage of the top 1,000 most-visited websites in the UK. This initiative is part of the ICO's broader strategy to ensure online tracking gives people clear choices and confidence in how their information is used.

The review follows a successful assessment of the top 200 websites, where the ICO identified significant compliance issues. Out of these 200 websites, 134 were found to have shortcomings in their cookie usage practices, prompting the ICO to communicate their concerns to these organisations, setting clear regulatory expectations that the organisations must comply with. The expanded review aims to build on this progress, ensuring that a larger number of websites adhere to data protection laws.

Key Findings and Recommendations

The ICO's review has highlighted several common issues with cookie compliance:

  1. Lack of Clear Consent Mechanisms: Many websites fail to provide users with a straightforward way to accept or reject non-essential cookies. The ICO emphasises that consent must be freely given, specific, informed, and unambiguous.
  2. Misleading Cookie Banners: Some websites use deceptive designs, such as pre-ticked boxes or confusing language, to nudge users into accepting cookies. The ICO insists that cookie banners should be clear and easy to understand.
  3. Inadequate Information: Users often lack sufficient information about the types of cookies being used and their purposes. The ICO recommends that websites provide detailed explanations and make this information easily accessible.

The Path Forward

To address these issues, the ICO has issued new guidance and best practices for websites:

  • Transparency: Websites must clearly inform users about the use of cookies and provide detailed information about their purposes.
  • User Control: Users should be given a genuine choice to accept or reject non-essential cookies, with equal prominence given to both options.
  • Regular Audits: Websites should conduct regular audits of their cookie practices to ensure ongoing compliance with data protection laws.

The ICO's review of the top 1,000 websites in the UK underscores the importance of transparency and user control in cookie practices. By adhering to the ICO's guidance, websites can build trust with their users and ensure compliance with data protection regulations. As the digital landscape continues to evolve, responsible data use will remain a cornerstone of user privacy and trust.

Lucy White
Solicitor
lucy.white@clarkslegal.com +44 118 960 4655

Disclaimer

This information is for guidance purposes only and should not be regarded as a substitute for taking professional and legal advice. Please refer to the full General Notices on our website.

Related HR Articles

20 Sep 22

The Data Protection and Digital Information Bill

In September 2021, the government launched a consultation – ‘Data: a new direction’ – as part of its proposals to reform the UK’s data protection laws following Brexit, the responses to which were published in June this year. 

19 Jan 18

Covert surveillance breaches right to privacy and data protection law
Covert surveillance at work was found to be in breach of the right to privacy and data protection law by the European Court of Human Rights(ECtHR) in Lopez Ribalda & Ors v Spain.

26 Sep 18

ICO Publishes First GDPR and Data Protection Act 2018 Enforcement Notice
As recently reported in the media, the Information Commissioner’s Office (“ICO”) has issued its first Enforcement Notice under the Data Protection Act 2018 (“DPA 2018”) against AggregateIQ Data Services Ltd (“AIQ”), a Canadian data analytics company. AIQ was associated with targeted advertising for the ‘Vote Leave’ campaign during the Brexit referendum.
More HR Articles