Data Protection Enforcement: Your Cookie Compliance Questions Answered

by CybrGPT

ICO cookie compliance crackdown

Earlier this year, the ICO (Information Commissioner’s Office) announced its intention to tackle cookie compliance across the UK’s top 1,000 websites.

We were subsequently contacted by a company that operates one of those websites and which the ICO had contacted about its cookie compliance.

The ICO gave the company two weeks’ notice to rectify its cookie compliance before reviewing the site and, if necessary, taking action. So, we performed a cookie compliance assessment on the website to help the company ensure its compliance ahead of the ICO’s review.

Our recent webinar Cookie Law in 2025: What enforcement means for your organisation looked deeper into recent enforcement trends and provided tips for assessing and managing cookie compliance. The webinar received many thoughtful questions, which you’ll find below, along with our experts’ answers.



Does GDPR consent also need to be equally prominent?

The laws governing cookies and similar technologies are the PECR (Privacy and Electronic Communications (EC Directive) Regulations 2003) in the UK and the ePrivacy Directive in the EU. Both laws currently require consent for all non-strictly necessary cookies, but neither defines “consent”. We therefore need to look to the UK GDPR and EU GDPR for that definition and its associated requirements. While the UK GDPR and EU GDPR are important in helping us to understand the full extent of ePrivacy legislation, the primary legislation on this issue is the PECR and the ePrivacy Directive.

Does an AI agent acting on my behalf get the same GDPR protections as if I was the one performing the function? Said another way, do I have to provide a cookie consent for upcoming agentic interactions?

Subject to the exemption applicable to strictly necessary cookies and the changes that the DUAA (Data (Use and Access) Act 2025) introduces in the UK, the ePrivacy laws require that organisations shall not store, or gain access to, information stored on a user’s device unless the user has consented. The law does not prescriptively list all technical mechanisms that might store or gain access to information on a user’s device; the legislation was intended to be fluid so that it could cover future technological developments. This means the law goes beyond cookies and includes things like tracking pixels, web beacons and tags as well.

Whether or not the law will cover an AI agent will depend upon how that agent is deployed and whether it stores or gains access to information stored on a user’s device. Some regulatory authorities have expressed privacy concerns surrounding agentic AI. One area that will always be encouraged is transparency. Therefore, understanding how the AI tools function, what data is being processed and the obligation to inform individuals how their data is used will prove beneficial in demonstrating compliance. Popular AI agents in use today are unlikely to be caught by ePrivacy law, but that position may change, so staying abreast of developments is important.

Are we expected to review the platforms we use as a business to ensure they have the correct cookies in place – as you would as part of a DPIA before buying a product?

Yes, if that business is storing or gaining access to information on users’ devices (whether those users are your clients, members of the public or your staff). Put another way, if a third party is helping your organisation with your products or services and it is doing so by placing cookies etc. on users’ devices on your behalf, then yes, you need to conduct due diligence on that third party to ensure it is deploying cookies and similar technologies correctly.

In general, what expertise and internal collaboration do you believe are essential for ensuring that an organisation’s cookie notice and cookie management practices are fully compliant with applicable regulations?

It is essential that IT, compliance and marketing work together to ensure compliance with ePrivacy law. Ideally, legal should also be involved but we appreciate not all organisations have that internal resource.

All individuals should be properly trained on the legal requirements and together they should create processes that enable compliance to be achieved in practice. For example, if marketing wants to introduce new cookies, the process should trigger a review by IT and compliance. The process should be underpinned by a policy that sets out the organisation’s position on compliance. We would expect that policy to dictate that non-strictly necessary cookies require consent and confirm the requirements for consent.

How do you predict the recent COPPA law change will affect cookie banners for the US? Will they need more of an IAB TCF 2.2 style 2nd layer with the separate categories listed?

The Children’s Online Privacy Protection Act was amended to enhance the requirements on the collection, use and disclosure of children’s personal information. The changes are focused on creating greater protection for children online. One change is that organisations will be required to obtain separate, opt-in, verifiable consent from parents before disclosures of children’s personal information can be made to third parties. This is ostensibly to control the use of children’s personal information for targeted advertising purposes.

Cookie banners have been in use in Europe since the early 2000s, when ePrivacy law came into effect, and they have proven, if used properly, to be an effective way to obtain consent. The IAB’s Transparency and Consent Framework is a mechanism that can be used to manage cookie compliance, so yes, the changes might result in increased use of this framework. It should be noted, however, that strong uptake of frameworks like this by organisations doesn’t necessarily mean that they’re compliant: organisations should always do their due diligence to make sure any such framework is fit for purpose in the relevant jurisdictions. The IAB’s framework has also been subject to regulatory scrutiny in Europe.

For a business operating internationally – including within the EEA, UK and other jurisdictions – would you recommend adopting differentiated approaches to cookie compliance in light of varying regulatory frameworks, such as the GDPR versus the DUAA (Data (Use and Access) Act)? While my personal approach is to maintain alignment with the GDPR as the ‘gold standard’ of compliance to ensure robust data protection and minimise regulatory risk, I do appreciate that there may be commercial or marketing benefits to tailoring strategies regionally – particularly in jurisdictions that offer more flexibility. I’d be interested in your perspective on how best to balance these considerations.

Great question! It is worth noting that the EU confirmed earlier this year, via the Commission’s work programme for 2025, that it will not be pursuing amendments to the ePrivacy regulation at the present time. The DUAA aside, we therefore probably have a period of stability to come in respect of UK/EU ePrivacy regulations.

From a compliance perspective, whether you apply the ePrivacy Directive/EU GDPR as the standard approach across all the jurisdictions comes down to the following two things:

First, what is your organisation’s appetite for multiple compliance systems? Clearly, altering practices on your website per jurisdiction will involve more admin and requires a stringent compliance programme to ensure all aspects are kept up to date. That goes with the territory for organisations operating globally, but we need to recognise it likely has a cost/resource implication. The cost/resource implication is reduced if you apply the highest standard for all audiences.

Second, what is your organisation’s risk appetite here? If you opt to adapt your cookie compliance for each audience you serve, you need to accept that there will always be a risk of sometimes getting it wrong, especially because there are likely to be more moving parts. Your organisation will need to accept that any benefits arising from following less stringent requirements in some jurisdictions may increase the risk of getting it wrong in a jurisdiction where the likelihood of regulatory scrutiny and the associated potential repercussions are higher. That risk might perhaps be mitigated by insurance.

Taking a one-size-fits-all approach by applying the highest standard is probably a risky practice because there is still going to be nuance in each jurisdiction that may have a higher standard than ePrivacy/the EU GDPR or even something they don’t cover. Our advice here would be to understand (a) what cookies are in use by category, (b) what the law in each jurisdiction requires for each category, (c) where there is overlap or continuity between the different jurisdictions and if there are any jurisdictional nuances (for example, the right to opt out of the sale of your personal data is in the CCPA/CPRA but not the ePrivacy Directive/the PECR) and (d) the practical benefits that each jurisdiction has from an organisational perspective (i.e. what, if any, benefits might you be losing out on). If you then consider the answers to these points against the possible implications of getting it wrong, you might have a clearer understanding of where your compliance should sit.

Having said all of that, and while we appreciate organisations will take risk-based decisions, we would always recommend that the appropriate legislation in each jurisdiction is adhered to.

Is it OK to use a free cookie management solution to manage our cookies and display it via their plugin?

Yes, provided the free solution is configured appropriately. By this we mean the solution collects consent where it is required, presents a compliant cookie banner and users can withdraw consent as easily as they provided it (i.e. there is an easily accessible consent management platform).

I am interested in the panel’s view on news outlet websites using cookie walls to, in a way, coerce consent.

Cookie banners that do not enable a user to navigate a website unless they have interacted with it (i.e. accepted or rejected cookies) are not compliant. This is because any consent collected by such a cookie banner would not meet the EU/UK GDPR’s consent requirements. Consent must be freely given.

I have noticed that newspaper websites in particular are only allowing you to reject cookies if you pay for a subscription – to access the full article you have to allow all cookies. Is this really allowed?

This sounds like a “consent or pay” option, whereby you either consent to the use of cookies for online tracking and personalised advertising to access the website, or you reject the use of these cookies and pay a fee. The EU and UK are broadly aligned that “consent or pay” is possible, but individuals should be properly informed and must be presented with a genuine choice. There are other requirements to consider too, such as the amount charged. We think that, generally speaking, the current consent-or-pay models in use are unlikely to be compliant, but we don’t see them going away any time soon unless there is robust regulatory action. This is quite a complex topic, so if you want to know more, we recommend reading the EU and UK guidance.

When is the UK DUAA (Data (Use and Access) Act) coming into effect?

There will be a phased approach, as some of the requirements require secondary legislation. The ICO confirmed the changes will be phased in between June 2025 and June 2026. We suggest you keep an eye on the ICO’s website for future updates. We also recommend you follow this page: it confirms when revised ICO guidance will be available.

Can you ask data subjects to manage their cookie settings by enabling or disabling the cookie categories on the popup in their internet browser?

The onus for compliance is on the organisation, not the individual.

You could ask individuals to set their browser according to their wishes but how could you be certain they’ve done so? What evidence could you collect to be certain they’ve configured their browser? Logistically and technically, we think that is going to be hard to achieve.

While individuals can configure their browser to allow or block storage and access technologies, organisations cannot rely on those individual settings unless they have solid evidence the user has actually done so. With the technology currently in use, we consider there is no way for you to be sure that an individual has set their browser according to their wishes, so relying on users’ browser settings would be very risky.

I have recently received a request from our web team regarding Consent Mode for Google Ads (a user logged a ticket stating that they received an email from Google to set this up). Is this an emerging requirement? How can I navigate this request? The user sent through the email received from Google, but one would actually think it’s spam or phishing. So, how legitimate is this request and are there any penalties for not having this setup? Our business setup is that each business unit handles their websites and their cookies. We are a multi-jurisdictional organisation and I was wondering about this.

We have seen Consent Mode come up with a few clients. Google will often (try to) force organisations to make changes like this.

Consent Mode isn’t a substitute for a consent management platform or a cookie banner, but it does purport to meet the requirements of ePrivacy and data protection legislation (and version 2 is reported to align with the Digital Markets Act) by adjusting tags in response to users’ consent choices.

However, Advanced Consent Mode does load Google tags immediately, and they send “cookieless pings” until a user has interacted with the cookie banner; if consent is provided, the tags are then said to become “active”. From a UK/EU perspective, it is our view that this is contrary to ePrivacy regulations. As we know from our webinar, ePrivacy laws cover storage and access technologies and there is no prescriptive definition here, so “cookieless pings” are likely to be covered by the law, and if they are sent in relation to non-strictly necessary cookies, consent will be required. Also, although Google asserts that tags remain inactive until a user has made their choice via the cookie banner, they appear still to be loaded onto a user’s device and would therefore require consent if they are not strictly necessary. (Note that under the DUAA (Data (Use and Access) Act 2025), if the Google tags are for statistical (i.e. analytics and performance) purposes, consent will not be required.)

In contrast, with Basic Consent Mode, Google tags are not fired until a user has interacted with the cookie banner.

In terms of more general advice here, it is important to understand what tags/cookies/pixels etc. are in use and what category they fall into to fully understand the implications of Google Consent Mode for your organisation. The same applies for the law in each jurisdiction you operate in. It is also important to check the settings and test them regularly to ensure they’re working as expected. We also recommend reviewing Google’s terms and conditions of service and privacy policy.
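As an added, illustrative check (not code from the original post, the ICO or Google), the audit below flags cookies that were set before the banner was answered, or after the user rejected, and that are not exempt under the chosen regime; this is how a tag that loads early, as described for Advanced Consent Mode above, would surface in a cookie assessment. All cookie names, categories and captured Set-Cookie headers are constructed, and the regime table is a simplification of the rules the answers describe.

```javascript
// Added audit helper (not from the original post): compare cookies observed
// on a page against the declared cookie policy under a jurisdiction's rules.
// Cookie names, categories and observations below are constructed.
const STRICTLY_NECESSARY = "strictly_necessary";
const STATISTICAL = "statistical"; // analytics and performance cookies
const MARKETING = "marketing";

// Categories that may be set without prior consent, per regime (simplified).
const EXEMPT_WITHOUT_CONSENT = {
  // PECR / ePrivacy Directive: only strictly necessary cookies are exempt.
  "uk-pecr": new Set([STRICTLY_NECESSARY]),
  "eu-eprivacy": new Set([STRICTLY_NECESSARY]),
  // UK DUAA 2025 once in force: statistical cookies need notice and opt-out.
  "uk-duaa": new Set([STRICTLY_NECESSARY, STATISTICAL]),
};

// Declared cookie policy (constructed): cookie name -> category.
const POLICY = {
  session_id: STRICTLY_NECESSARY,
  _ga: STATISTICAL,
  ads_pref: MARKETING,
};

// Cookies captured (constructed) before any banner interaction and after
// the user clicked "reject", as raw Set-Cookie header values.
const OBSERVED = {
  before_consent: [
    "session_id=abc123; Path=/; HttpOnly; Secure",
    "_ga=GA1.2.111; Max-Age=63072000", // fired by a tag loaded early
    "_gcl_au=1.1.222; Max-Age=7776000", // not in the policy at all
  ],
  after_reject: ["ads_pref=1; Max-Age=31536000"],
};

// Extract the cookie name from a Set-Cookie header value.
function cookieName(setCookie) {
  return setCookie.split(";")[0].split("=")[0].trim();
}

// One finding per cookie that is undeclared, or that needed consent the
// user had not given in that phase.
function auditCookies(observed, policy, jurisdiction) {
  const exempt = EXEMPT_WITHOUT_CONSENT[jurisdiction];
  if (!exempt) throw new Error(`unknown jurisdiction: ${jurisdiction}`);
  const findings = [];
  for (const [phase, headers] of Object.entries(observed)) {
    for (const header of headers) {
      const name = cookieName(header);
      const category = policy[name];
      if (category === undefined) {
        findings.push({ name, phase, issue: "undeclared" });
      } else if (!exempt.has(category)) {
        findings.push({ name, phase, issue: "needs_consent", category });
      }
    }
  }
  return findings;
}
```

Under PECR the same capture yields three findings (`_ga`, `_gcl_au`, `ads_pref`), while under the DUAA rules `_ga` drops out because statistical cookies need only notice and an opt-out.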

Can cookie policy be embedded in privacy policy?

The ePrivacy legislation doesn’t prevent this but we usually advise against it. While there is overlap between ePrivacy and data protection law, they are separate topics, so we think it’s better to have separate policies because it’s clearer and more transparent for readers.

Isn’t pre-ticked consent now allowed for certain analytic and informational cookies as a result of the DUAA (Data (Use and Access) Act) 2025?

Statistical cookies – including analytics and performance cookies – will no longer require consent under the DUAA. Users will still need to be informed about the use of such cookies and provided with an option to opt out. The ICO has confirmed the changes brought in by the Act will be phased in between June 2025 and June 2026.


Don’t let a lack of expertise compromise cookie compliance

Our GDPR Cookie Compliance Service takes the guesswork and conflicting priorities out of website compliance. Our experienced consultants can help ensure your website complies with the GDPR, PECR and/or other jurisdictions’ cookie laws:

  • We’ll review your website to establish what cookies are firing and when, including which are strictly necessary and which need consent to be dropped.
  • We’ll highlight any non-compliant cookies, such as those with known risks or that are not included in your cookie policy/notice.
  • We’ll review your cookie banner and opt-in rates to ensure your banner complies with the law and is neither encouraging nor discouraging consent (the former is unlawful, the latter is a waste). This review can be done for international laws that affect cookies in addition to the UK GDPR and PECR.
  • We’ll provide you with a clear, straightforward report that explains your obligations and how well you currently address them, and provides an action plan to help you improve. We also recommend reassessing your cookie compliance annually to keep up to date with changes to your website and case law.

