Ivan - stock.adobe.com

News

ICO launches major review of cookies on UK websites

ICO sets out 2025 goals, including a review of cookie compliance across the UK’s top 1,000 websites, as it seeks to achieve its ultimate goal of giving the public meaningful control over how their data is used

Alex Scroxton
By
Published: 23 Jan 2025 14:13

The Information Commissioner’s Office (ICO) has embarked on a major review of cookie usage and compliance across some of the UK’s 1,000 most-frequented websites as it prioritises giving consumers more choice and confidence in how their data is collected, stored and used.

The regulator has already investigated the top 200 UK websites and said it has found concerns with 134, or 67%, of them – which have been communicated to their owners.

The ICO said it wanted to set out clearly the expectation that website operators must comply with data protection law by giving users meaningful choices and control as to how their data is used.

“Uncontrolled tracking intrudes on the most private parts of our lives and can lead to harm. For example, gambling addicts being targeted with more betting ads due to their browsing history or LGBTQ+ people altering their online behaviour for fear of unintended disclosure of their sexuality,” said ICO executive director of regulatory risk, Stephen Almond.

“Our ambition is to ensure everybody has meaningful choice over how they are tracked online and what we’re publishing today sets out how we intend to achieve that.

“Last year, we saw significant improvements in compliance among the top 200 websites in what was a promising step forward for the industry. Now, we are expanding our focus to the top 1,000 websites – and beyond that to apps and connected TVs. 

“We’ll continue to hold organisations to account, but we’re also here to make it easier for publishers to adopt compliant, privacy-friendly business models. By combining advice, guidance and targeted enforcement, we aim to create an environment where businesses can succeed and people can have trust and control over their online experiences,” said Almond.

Meaningful control

The concept of giving end-users meaningful control is one to which the ICO is cleaving in its 2025 strategy, through which it hopes to address the “significant harm” that can occur to ordinary people when online tracking practices are abused or misused.

Complementing this strategy are a number of new measures to support businesses in adopting privacy-friendly practices and business models. These include the publication of draft guidance on tracking people using storage and access technologies such as cookies and fingerprinting; final guidance on the use of so-called consent-or-pay business models to help businesses balance tech innovation and revenue with data protection law; and potential reforms to support the use of new, privacy-preserving adtech, such as contextual models.

Consent-or-pay models

The final guidance on consent-or-pay models – which is now available for organisations to review via the ICO’s website – covers the practice of offering a choice between agreeing to receive personalised, targeted advertising to access a service for free, or paying for the service to avoid these adverts.

In essence, it clarifies how organisations can use these models to give website visitors meaningful control while still supporting their own economic viability. It includes a set of best practices against which organisations should be prepared to assess their models to demonstrate their users have freedom of choice and consent.

“Tracking should work for everyone,” said Almond. “Giving people clear choices and confidence in how their information is used, while enabling businesses to operate fairly and responsibly. Our strategy ensures both.”

Read more about the ICO’s work

  • The Open Rights Group is urging the Information Commissioner’s Office to revise its light touch approach to public sector data protection issues.
  • ICO tool designed to make it easier for small businesses and sole traders operating online to create bespoke data privacy notices for compliance purposes.
  • UK data protection watchdog joins forces with law enforcement agency to provide more support for organisations that fall victim to cyber crime and ransomware attacks.

Read more on Privacy and data protection