23 Jan 2025
The Information Commissioner’s Office (ICO) has today announced plans to bring the UK’s top 1,000 websites into compliance with data protection law.
The ICO has already assessed the compliance of the top 200 UK websites and communicated concerns to 134 of those organisations, setting out clear regulatory expectations that organisations must comply with the law by giving people meaningful choice on how their personal information is used online.
Stephen Almond, Executive Director of Regulatory Risk at the ICO, said:
“Uncontrolled tracking intrudes on the most private parts of our lives and can lead to harm. For example, gambling addicts being targeted with more betting ads due to their browsing history or LGBTQ+ people altering their online behaviour for fear of unintended disclosure of their sexuality.
“Our ambition is to ensure everybody has meaningful choice over how they are tracked online and what we’re publishing today sets out how we intend to achieve that.
“Last year, we saw significant improvements in compliance among the top 200 websites in what was a promising step forward for the industry. Now, we are expanding our focus to the top 1,000 websites – and beyond that to apps and connected TVs.
“We’ll continue to hold organisations to account but we’re also here to make it easier for publishers to adopt compliant, privacy-friendly business models. By combining advice, guidance, and targeted enforcement, we aim to create an environment where businesses can succeed, and people can have trust and control over their online experiences.”
This action forms part of the ICO’s online tracking strategy for 2025, which seeks to ensure that people have meaningful control over how their personal information is tracked and used online. The strategy plans to address the significant harm that can occur when online tracking practices are misused.
The strategy’s release is complemented by new measures to support businesses to adopt more privacy-friendly business models that give users the lawful choice and control they expect, including:
Following a consultation last year on ‘consent or pay’ models - where organisations give people a choice between agreeing to personalised adverts to access a service or paying to access a service and avoid personalised adverts - the ICO has now published guidance for organisations implementing or considering implementing ‘consent or pay’ models.
The guidance clarifies how organisations can deploy ‘consent or pay’ models to give users meaningful control while supporting their economic viability and includes a set of factors for organisations to assess their models against to demonstrate people can freely give their consent.
The strategy also includes plans to further engage with consent management platforms (CMPs), which are often central to how organisations manage online consent.
Public-facing guidance is coming this year to help people navigate online tracking, their lawful rights to meaningful choice over their personal information and what to do if they have concerns about a website's model.
Speaking in a blog today, Stephen Almond added:
“Tracking should work for everyone – giving people clear choices and confidence in how their information is used, while enabling businesses to operate fairly and responsibly. Our strategy ensures both.”
Further details on the ICO’s online tracking strategy can be read in Stephen Almond’s blog.
ICO Press Office
Information Commissioner's Office
pressoffice@ico.org.uk