UK Data Regulator Takes Action on Cookie Consent Compliance
In a significant move to enhance data privacy, the Information Commissioner’s Office (ICO) in the UK took decisive action throughout 2025. The regulator issued 17 preliminary enforcement notices and contacted hundreds of website operators, resulting in 979 of the top 1,000 UK websites achieving compliance with cookie consent regulations. This initiative granted about 40 million users—approximately 80% of UK internet users aged 14 and older—better control over how their data is collected and used for targeted advertising.
Compliance Achievements
As of the latest reports, only 21 websites remain non-compliant. The ICO plans to continue its enforcement actions against these residual holdouts. The campaign’s primary focuses included whether non-essential advertising cookies were stored on users’ devices before they had the opportunity to consent, whether rejecting cookies was as easy as accepting them, and whether any cookies were placed despite the absence of user consent.
Behavioral Changes Through Enforcement
Among the compliant websites, a noteworthy 415 passed the ICO’s tests without any need for intervention. Meanwhile, the other 564 sites improved their practices after an initial failure, driven by direct dialogue with the regulator. The ICO delivered letters detailing compliance shortcomings, initiated investigations where necessary, and issued warnings in 17 particular cases.
Tim Capel, the Interim Executive Director of Regulatory Supervision, remarked on the campaign’s success, stating, “We set ourselves the goal of giving people more meaningful control over how they were tracked online by the end of 2025. I can confidently say that we have delivered on that promise.”
The enforcement campaign kicked off in January 2025, starting with an assessment of the top 200 UK websites. The ICO raised concerns directly with 134 organizations, highlighting the risks associated with unchecked tracking. Examples included harmful targeting practices, such as delivering betting advertisements to individuals struggling with gambling issues and compromising the privacy of LGBTQ+ users who felt compelled to modify their online behavior.
Industry-Wide Improvements
To facilitate broader compliance, the ICO collaborated with trade associations encompassing most industries represented among the top 1,000 websites, and with consent management platforms that support nearly 80% of the top 500 sites. These platforms dramatically improved their cookie banner offerings to ensure built-in compliance by default.
As a result, users found it easier to reject cookies on banners, and there was a noticeable decrease in the placement of cookies before consent was obtained or following a rejection. During its compliance reviews, the ICO pinpointed four main challenges: misleading or absent choices where options were pre-selected, lack of clarity around user options, failure to respect the choices users made, and difficulty in withdrawing consent.
Exploring Privacy-Respectful Advertising
The ICO is committed to continuous oversight, stressing that websites achieving compliance should not return to previous non-compliant behaviors under the assumption that violations will go unnoticed. Capel affirmed, “We will continue to monitor compliance and engage with the industry to ensure they uphold their legal obligations while also supporting innovation that respects people’s privacy.”
In early 2025, after consulting with stakeholders, the regulator began exploring whether publishers could offer privacy-respecting online advertising to users who had not granted consent, particularly in low-risk privacy scenarios. Furthermore, the ICO is collaborating with the government to consider legislative amendments that would bolster this approach, with a new update scheduled for 2026.
Violations of current regulations can lead to hefty fines, reaching up to £500,000 under the Privacy and Electronic Communications Regulations or as much as £17.5 million or 4% of global revenue under the UK General Data Protection Regulation (GDPR). Beyond the financial implications, companies that fail to comply face reputational risks and potential erosion of consumer trust as users become more vigilant about data usage practices.


