ICO to review top 1,000 websites in the UK for cookie compliance

The Information Commissioner’s Office (ICO) has expanded its review of cookie compliance online to the top 1,000 websites in the UK as it looks to clamp down on poor practice in the industry.

The regulator assessed the compliance of the top 200 websites in the UK last year and issued concerns to 134 organisations that they were contravening data protection laws. From that review 52 websites introduced changes.

Stephen Almond, executive director of regulatory risk at the ICO, praised the “significant improvements” in compliance that followed its review of the top 200 websites in what he described as a “promising step forward” for the industry.

Its decision to expand its review – and taking it beyond websites to apps and connected TVs for the first time – is an indication that the regulator is serious about enforcing privacy laws.

Sky Bet was one business that fell foul of the ICO last year when it was reprimanded by the regulator for unlawfully processing consumer data without asking for consent. Its deputy commissioner Stephen Bonner said at the time the ruling was a “warning” that there will be consequences if organisations breach the law.

This action is part of the ICO’s online tracking strategy for 2025 which seeks to put greater control over personal information back in the hands of the public.

“Uncontrolled tracking intrudes on the most private parts of our lives and can lead to harm,” says Almond. “For example, gambling addicts being targeted with more betting ads due to their browsing history or LGBTQ+ people altering their online behaviour for fear of unintended disclosure of their sexuality.”

Sky Bet rapped for unlawfully processing consumer data via cookies without consentIt is the ICO’s “ambition” to ensure everybody has meaningful choice over how they are tracked online – but that doesn’t mean they intend to hold publishers out to dry. Almond stresses the ICO will “continue to hold organisations to account” but is also looking to help businesses adopt “compliant, privacy-friendly business models” at the same time.

“By combining advice, guidance, and targeted enforcement, we aim to create an environment where businesses can succeed, and people can have trust and control over their online experiences,” he adds.

The regulator wants to make it easier for publishers to adopt more privacy-friendly forms of online advertising – this being advertising that does not involve extensive profiling of people based on their online activity, habits and behaviour.

With this in mind, it is exploring existing PECR (Privacy and Electronic Communications Regulations) requirements to see if obtaining consent for “non-essential storage” and access technologies has been preventing an industry-wide shift towards more privacy-friendly forms of online advertising. It says it will work with government to explore how to amend legislation around this.

The ICO is also looking to confirm how publishers can deploy ‘consent or pay’ models – where the user is given a choice between agreeing to personalised adverts to access a service or paying to access a service and avoid personalised ads – by offering fresh guidance for organisations to assess their models against.

“Tracking should work for everyone – giving people clear choices and confidence in how their information is used, while enabling businesses to operate fairly and responsibly. Our strategy ensures both,” concludes Almond.