As discussed in our previous blog 'Cookie Compliance - ICO takes a bite', the ICO issued a statement in November 2023 revealing that it had written to 53 of the companies operating the UK's top 100 most visited websites warning them that they risked facing enforcement action if they failed to offer website visitors fair choices regarding personalised advertising tracking within 30-day from the notification.

The ICO highlighted concerns that many websites lacked mechanisms for users to make informed decisions about being tracked for personalised advertising. Previously, the ICO had issued clear guidance, emphasising the necessity for organisations to make it as easy for users to “Reject All” advertising cookies as it is to “Accept All”.

In its statement, the ICO drew attention to the emotional toll of cookie tracking and targeted advertising. Examples included scenarios where gambling addicts might receive betting offers based on their browsing history, women could be subjected to distressing baby adverts shortly after experiencing a miscarriage, and individuals exploring their sexuality might encounter ads disclosing their sexual orientation.

Subsequently, the ICO has reported that most contacted companies responded positively to the warning. Of the 53 companies contacted, 38 of the companies have since adjusted their cookie banners and taken measures to ensure compliance with data protection regulations and a further four committed to be compliant before the end of February 2024.

Nevertheless, the ICO has announced plans to pursue action against the next top 100 websites regarding their use of advertising cookies stating that the ICO "will not stop with the top 100 websites. We are already preparing to write to the next 100 – and the 100 after that." The ICO has also stated that they intend to develop an AI solution to identify websites using non-compliant cookie banners.

Cookie Requirements

As a reminder, the use of cookies is governed by the Privacy and Electronic Communications (EC Directive) Regulations 2003 and the Data Protection Act 2018. Website providers using cookies must:

  • inform users cookies are being used and specify the individual cookies being used;
  • clearly and comprehensively explain the purposes relating to the cookies storage and access to the information;
  • the duration of the operation of the cookies and if any third parties have access to the cookies;
  • request in plain language the user's active and specific consent to the use of the cookies;
  • distinguish cookie consent from consent to any other terms of use or terms and conditions;
  • be able to demonstrate the valid and informed consent provided by users; and
  • include mechanisms that allows users to withdraw consent.

Our colleagues at Brodies have extensive experience advising on cookie policies, website pop-ups, and data protection issues more generally. If you would like to discuss anything raised in this blog, particularly cookie requirements under the relevant legislation, please get in touch.


Alison Bryce


Rebecca Ronney


Amelia Wilson