Cookie Banner Rules in the UK: What the ICO Requires in 2026
Steven | TrustYourWebsite · 5 May 2026 · Last updated: May 2026
The ICO's approach to cookie enforcement shifted noticeably between 2023 and 2025. A sector sweep of the UK's top 100 websites produced compliance letters, a public follow-up naming non-compliant organisations, and a set of stated positions on specific banner patterns that are now the practical compliance standard. For any UK website, the question is no longer whether to have a cookie banner but whether the banner you have meets the ICO's current requirements.
To check whether your site loads tracking scripts before consent is given, run a free technical scan at /uk/en/scan.
The legal framework: PECR and UK GDPR working together
Cookie compliance in the UK operates under two overlapping legal instruments. PECR Regulation 6 creates the consent requirement for placing cookies on a user's device. UK GDPR then applies to the personal data those cookies collect. Both are enforced by the ICO.
PECR Regulation 6 requires that a person must have been given clear information about the purpose of any cookie and must have consented before it is placed. The consent must be prior, meaning scripts cannot fire before the user has made a choice. The consent must be a genuine choice, meaning rejection must be as accessible as acceptance.
UK GDPR adds the validity requirements for consent: it must be specific, informed, freely given and unambiguous, and given by a clear affirmative action. A pre-ticked box fails the affirmative-action requirement; a banner that makes rejection harder than acceptance, or a cookie wall that withholds service pending acceptance, fails the freely-given test. All of these are invalid under UK GDPR even if they nominally satisfy a minimal reading of PECR.
The ICO can act under either statute. Cookie-banner non-compliance that involves inadequate consent capture is primarily a PECR matter. Where the underlying data processing involves additional UK GDPR failings, such as missing data processor agreements with analytics providers or unlawful international transfers, the ICO can apply its UK GDPR powers as well.
What the ICO's enforcement record says about banner requirements
The clearest recent statement of the ICO's position on cookie banners came from the November 2023 sector sweep. The ICO wrote to 53 of the UK's top 100 websites identifying specific banner failures. The letter campaign named concrete patterns as non-compliant, not just abstract principles.
The patterns the ICO cited included three recurring failures. First, reject-all was buried behind a Manage preferences link requiring multiple additional clicks while accept-all was one click on the first layer. Second, some banners had no reject option at all, only a dismiss button. Third, some sites had consent pre-selected for certain cookie categories.
Deputy Commissioner Stephen Bonner stated publicly in 2023 and 2024 that sites without a clear reject option are "breaking the law". Commissioner John Edwards has described the ICO's approach as focusing on organisations that show a persistent unwillingness to comply rather than those making a genuine effort.
The 2024 follow-up found that 38 of the 53 contacted organisations had made their banners compliant, 4 had committed to changes, and the rest faced further regulatory engagement. This follow-up established a template: the ICO gives organisations the opportunity to fix issues, monitors compliance, and escalates for those that do not act.
The specific requirements: what a compliant banner must do
Based on the ICO's published guidance at ico.org.uk/for-organisations/advice-and-services/cookies-and-similar-technologies/ and the enforcement record, the following requirements apply.
Consent must be prior. Non-essential scripts must not load until the user has made a choice. The banner must appear before tracking starts, not after. Testing this is simple: in a fresh browser profile, or after clearing site data (a stored earlier consent would legitimately load the scripts), open the browser's Network tab, reload the page without clicking anything, and check whether analytics or advertising requests have fired.
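The Network-tab check above can be made repeatable by saving the capture and auditing it with a script. The following is an added example, not the page's code or any tool it mentions: it reads a HAR export (DevTools > Network > "Save all as HAR", taken in a clean profile with no banner interaction, or after clicking Reject and waiting 30 seconds) and lists every request to a known tracker, plus any third-party response that set a cookie, in the window before the visitor's choice. Its "after" mode performs the post-rejection check described in the implementation section below. The tracker host list, the `example.com` first-party domain, the `.test` hostnames and the sample HAR are all constructed for the example; the host list is deliberately short and the third-party Set-Cookie rule is what catches vendors not on it.

```javascript
// Added example (not the page's or any tool's code): audit a HAR file for
// tracking requests, and third-party responses that set cookies, before the
// visitor chose ("before") or after they clicked Reject ("after").
//   node har-audit.js page.har example.com [rejectTimestamp]
// Tracker list, first-party domain and sample HAR are constructed.

const TRACKER_HOSTS = [
  "google-analytics.com", "analytics.google.com", "doubleclick.net",
  "facebook.com", "connect.facebook.net", "clarity.ms", "hotjar.com",
];

const hostOf = (url) => new URL(url).hostname;
const underDomain = (host, domain) => host === domain || host.endsWith("." + domain);
const trackerFor = (url) => TRACKER_HOSTS.find((d) => underDomain(hostOf(url), d)) || null;

// Cookie names a response tries to set (HAR records each Set-Cookie as a header).
const cookiesSetBy = (entry) => (entry.response.headers || [])
  .filter((h) => h.name.toLowerCase() === "set-cookie")
  .map((h) => h.value.split("=")[0].trim());

// One finding per request that went to a known tracker, or that was third-party
// and set a cookie. phase "before" keeps requests started before `at` (omit `at`
// for a no-interaction run, which keeps everything); phase "after" keeps requests
// started at or after `at`: any tracker hit there means a script kept running.
function auditHar(har, { firstParty, at = null, phase = "before" }) {
  const cutoff = at ? Date.parse(at) : Infinity;
  const inWindow = (t) => (phase === "after" ? t >= cutoff : t < cutoff);
  const findings = [];
  for (const e of har.log.entries) {
    if (!inWindow(Date.parse(e.startedDateTime))) continue;
    const url = e.request.url;
    const tracker = trackerFor(url);
    const setsCookies = cookiesSetBy(e);
    const thirdParty = !underDomain(hostOf(url), firstParty);
    if (tracker || (thirdParty && setsCookies.length))
      findings.push({ at: e.startedDateTime, url, tracker, setsCookies });
  }
  return findings;
}

// Constructed sample: page load with no banner interaction until 12:00:05, when
// the visitor clicks Reject. The 12:00:06 GA hit is the "already in memory"
// failure: the script loaded earlier keeps sending hits after rejection.
const entry = (startedDateTime, url, setCookie) => ({
  startedDateTime, request: { url },
  response: { headers: setCookie ? [{ name: "Set-Cookie", value: setCookie }] : [] },
});
const REJECT_AT = "2026-05-05T12:00:05.000Z";
const SAMPLE_HAR = { log: { entries: [
  entry("2026-05-05T12:00:00.000Z", "https://www.example.com/", "session=abc123; Path=/; HttpOnly; Secure"),
  entry("2026-05-05T12:00:00.300Z", "https://cdn.example-cmp.test/banner.js"),
  entry("2026-05-05T12:00:00.800Z", "https://www.google-analytics.com/g/collect?v=2&tid=G-XXXXXXX&en=page_view"),
  entry("2026-05-05T12:00:01.100Z", "https://www.facebook.com/tr/?id=000&ev=PageView"),
  entry("2026-05-05T12:00:01.400Z", "https://ads.partner.test/pixel.gif", "uid=7f3a; Path=/; SameSite=None; Secure"),
  entry(REJECT_AT, "https://www.example.com/api/consent"),
  entry("2026-05-05T12:00:06.200Z", "https://www.google-analytics.com/g/collect?v=2&tid=G-XXXXXXX&en=scroll"),
] } };

// CLI entry point; with no arguments it audits the constructed sample.
function main(argv) {
  const [file, firstParty, at] = argv;
  const har = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_HAR;
  const opts = { firstParty: firstParty || "example.com", at: at || (file ? null : REJECT_AT) };
  const before = auditHar(har, { ...opts, phase: "before" });
  const after = opts.at ? auditHar(har, { ...opts, phase: "after" }) : [];
  for (const f of before) console.log("PRE-CONSENT ", f.at, f.url, f.tracker || "", f.setsCookies.join(","));
  for (const f of after) console.log("POST-REJECT ", f.at, f.url, f.tracker || "", f.setsCookies.join(","));
  return { before, after };
}

if (typeof require !== "undefined" && require.main === module) main(process.argv.slice(2));
```

On the sample the script reports three pre-consent findings (the GA hit, the Meta Pixel hit and the unknown third party that set a `uid` cookie) and one post-reject finding (the GA scroll hit). One caveat: cookies written by JavaScript, which is how Google Analytics sets `_ga`, do not appear as Set-Cookie headers in a HAR, so pair this with a look at Application > Cookies in DevTools.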
Accept and reject must be equally accessible. The reject option must be on the first layer of the banner (the screen the user sees first), not buried in a preferences panel. The buttons must have comparable visual prominence. Placing a large green "Accept all" button alongside a small grey "Manage cookies" link that leads to a second screen where rejection is possible does not satisfy this requirement.
No pre-ticked boxes. If you show categories with checkboxes, analytics and advertising must be unchecked by default. The user must actively select them to consent. This follows from both the ICO's guidance and the CJEU's ruling in Planet49 GmbH v Bundesverband der Verbraucherzentralen und Verbraucherverbände (C-673/17), which remains relevant in the UK as retained EU case law.
No cookie walls. Blocking access to content unless the user accepts non-essential cookies is not considered freely given consent. The ICO's position aligns with the European Data Protection Board's Guidelines 05/2020 on consent. Users must be able to use the service, even at a reduced functionality, without accepting tracking.
Consent must be informed. The banner must describe what categories of cookie are being used and their general purpose. "We use cookies" with an accept button does not satisfy the information requirement. Categories such as analytics, advertising and personalisation must be named with a brief description.
Withdrawal must be available and as easy as giving consent (UK GDPR Article 7(3)). Users who consent initially must be able to withdraw that consent easily. A footer link on every page that opens the consent management panel satisfies this. Withdrawal must take effect immediately: no further non-essential scripts may load, and scripts already running must stop sending data.
Common failure patterns in UK websites
The ICO's 2023 letter campaign and ongoing monitoring have identified recurring failure patterns across UK websites. These are the issues most likely to appear in a complaint or investigation.
Scripts loading before consent is given is the most technically significant failure. Many implementations display a banner visually but do not block script execution at the network level. Google Analytics, the Meta Pixel, Microsoft Clarity and similar tools must be gated by the consent management platform at the technical level, not just visually suppressed.
Asymmetric rejection is the most common design failure. Rejection is harder than acceptance, requiring more clicks, smaller text or navigation to a second screen. The ICO has been explicit that this asymmetry makes consent non-free.
Missing reject option on the first layer affects sites that provide only "Accept" and "Manage preferences" on the initial banner. "Manage preferences" is not equivalent to "Reject all" because it requires additional action from the user.
Pre-ticked analytics categories remain common on older implementations using consent management tools not updated to reflect current guidance.
Implementation: what a working banner looks like technically
A banner that meets the ICO's requirements has three technical components beyond its visual design.
First, script blocking at the network level. The consent management platform (CMP) must prevent non-essential scripts from loading until consent is given. This is typically done via a tag manager integration or by wrapping script tags with consent-conditional logic. Inspect the Network tab on a fresh page load to verify no tracking requests fire before interaction.
Second, consent state storage. The CMP must record when consent was given, what was consented to, and through which mechanism. This record needs to be available if the ICO requests evidence of consent practices. Most commercial CMPs produce this log automatically.
Third, post-rejection verification. After a user rejects non-essential cookies, the tracking scripts must not continue to run. Some implementations block initial loading but fail to stop scripts already in memory, which matters most for a user who accepted earlier and later withdraws. Test it by clicking reject, then monitoring network activity for 30 seconds and checking Application > Cookies for vendor cookies (such as Google Analytics' _ga) that remain set or are refreshed.
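The three components above, as an added example of a minimal consent gate; this is not the page's code or any vendor's CMP. It emits no tracking script until a stored grant exists, records each decision with a timestamp and the control used, and on rejection or withdrawal disables loaded scripts through the vendors' documented opt-out switches and expires their cookies. Storage, script insertion and cookie access are injected, so the same logic runs in a browser with `browserAdapters()` and offline in Node with `memoryAdapters()`. The script registry, the placeholder GA4 measurement ID and the cookie names each vendor sets are assumptions for the example; the `memoryAdapters` loader only simulates the cookies a vendor would set.

```javascript
// Added example (not the page's code or any vendor's CMP): a minimal consent
// gate. Scripts are emitted only after a grant, the decision is recorded with
// timestamp and mechanism, and rejection/withdrawal tears down loaded scripts
// and their cookies. Adapters are injected so it runs in a browser and in Node.

const STORAGE_KEY = "consent-v1";
const NON_ESSENTIAL = ["analytics", "advertising"];

// Script registry (constructed; the GA4 ID is a placeholder). `cookies` are the
// names each vendor sets; `disable` is the vendor's documented opt-out switch,
// used to silence a script that is already in memory.
const SCRIPTS = [
  { id: "ga4", category: "analytics",
    src: "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX",
    cookies: [/^_ga$/, /^_ga_/, /^_gid$/],
    disable: (win) => { win["ga-disable-G-XXXXXXX"] = true; } },
  { id: "meta", category: "advertising",
    src: "https://connect.facebook.net/en_US/fbevents.js",
    cookies: [/^_fbp$/, /^_fbc$/],
    disable: (win) => { if (typeof win.fbq === "function") win.fbq("consent", "revoke"); } },
];

const emptyRecord = () => ({
  version: 1, decided: false, timestamp: null, mechanism: null,
  choices: Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false])), // nothing pre-ticked
});

class ConsentGate {
  constructor({ storage, loader, cookieJar, win }) {
    Object.assign(this, { storage, loader, cookieJar, win, loaded: new Set() });
    const raw = storage.getItem(STORAGE_KEY);
    this.record = raw ? JSON.parse(raw) : emptyRecord();
    this.apply(); // on every page load: emit nothing unless a stored grant exists
  }

  // Persist the decision with the evidence a regulator may ask for:
  // what was chosen, when, and through which control.
  decide(choices, mechanism) {
    this.record = { ...emptyRecord(), decided: true, mechanism,
      timestamp: new Date().toISOString(),
      choices: { ...emptyRecord().choices, ...choices } };
    this.storage.setItem(STORAGE_KEY, JSON.stringify(this.record));
    this.apply();
    return this.record;
  }
  acceptAll() { return this.decide(Object.fromEntries(NON_ESSENTIAL.map((c) => [c, true])), "banner-accept-all"); }
  rejectAll() { return this.decide({}, "banner-reject-all"); }
  withdraw()  { return this.decide({}, "footer-withdraw"); }

  // Load only what is granted; tear down anything loaded but no longer granted.
  apply() {
    for (const s of SCRIPTS) {
      const granted = this.record.decided && this.record.choices[s.category] === true;
      if (granted && !this.loaded.has(s.id)) {
        this.loader.load(s.src);
        this.loaded.add(s.id);
      } else if (!granted && this.loaded.has(s.id)) {
        s.disable(this.win);        // stop further hits from the in-memory script
        this.loader.remove(s.src);
        this.loaded.delete(s.id);
      }
      if (!granted)                 // clear vendor cookies whether or not we loaded it
        for (const name of this.cookieJar.names())
          if (s.cookies.some((re) => re.test(name))) this.cookieJar.remove(name);
    }
  }
}

// Real adapters for a browser page.
function browserAdapters() {
  const parent = location.hostname.split(".").slice(-2).join(".");
  return {
    storage: localStorage, win: window,
    loader: {
      load(src) { const el = document.createElement("script"); el.src = src; el.async = true; document.head.appendChild(el); },
      remove(src) { for (const el of [...document.scripts]) if (el.src === src) el.remove(); },
    },
    cookieJar: {
      names: () => document.cookie.split(";").map((c) => c.split("=")[0].trim()).filter(Boolean),
      // Expire on the host and on the parent domain, where vendors usually set it.
      remove(name) { for (const d of ["", `; domain=${location.hostname}`, `; domain=.${parent}`])
        document.cookie = `${name}=; Max-Age=0; path=/${d}`; },
    },
  };
}

// In-memory adapters for offline testing. Loading a script "sets" the cookie
// that vendor would set, so teardown can be observed (simulated, not real).
function memoryAdapters() {
  const st = { store: new Map(), requests: [], cookies: new Set(), win: {} };
  return {
    st, win: st.win,
    storage: { getItem: (k) => st.store.get(k) ?? null, setItem: (k, v) => st.store.set(k, v) },
    loader: { load(src) { st.requests.push(src); st.cookies.add(src.includes("gtag") ? "_ga" : "_fbp"); },
              remove() {} },
    cookieJar: { names: () => [...st.cookies], remove: (n) => st.cookies.delete(n) },
  };
}

// Walk the lifecycle (fresh visit, accept all, withdraw); returns what an auditor checks.
function demo() {
  const a = memoryAdapters();
  const gate = new ConsentGate(a);
  const beforeChoice = a.st.requests.length; // 0: nothing fires before a choice
  gate.acceptAll();
  const afterAccept = [...a.st.requests];     // both scripts loaded, both cookies set
  gate.withdraw();
  return { beforeChoice, afterAccept, cookiesAfterWithdraw: [...a.st.cookies],
    gaDisabled: a.st.win["ga-disable-G-XXXXXXX"] === true, record: gate.record };
}
```

In a page, `new ConsentGate(browserAdapters())` at the top of the document replaces the inline `<script src>` tags for the vendors in the registry; the banner's buttons call `acceptAll()` or `rejectAll()` and the footer link calls `withdraw()`. Because the vendor tags are only ever created by `loader.load`, a fresh visit produces no tracking request at all, which is the network-level blocking the first component requires rather than a visually hidden banner over scripts that already ran.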
What the ICO does when a complaint arrives
ICO cookie investigations begin most commonly with a data subject complaint. The ICO sends a formal information notice under its Article 58(1)(a) UK GDPR investigative powers requesting information within a stated deadline, typically 30 days. Responding promptly, fixing the banner before or during the response, and documenting the changes consistently produces the most favourable outcome.
For first-time SMB failings where the organisation co-operates and remediates, the outcome is typically a reprimand: a public written finding of breach with no financial penalty. Fines for cookie-banner failures specifically, as opposed to broader data-protection failings, have been rare at the SME level.
For how the ICO's full investigation process works, see ICO investigation process explained.
Sector-specific considerations
The ICO's cookie enforcement priorities have shifted over time. Before 2023, enforcement was largely reactive, following individual complaints. From 2023 the ICO began targeted sweeps, starting with high-traffic websites. The pattern suggests that organisations with large UK audiences face higher scrutiny than low-traffic SME sites, but that does not mean smaller sites are exempt. Data subject complaints, which any visitor can file, are the more typical trigger for SMB investigations.
Certain sectors attract additional scrutiny. Sites targeting children face the ICO's Age Appropriate Design Code requirements on top of PECR. Health and medical sites handle sensitive data categories that attract higher penalty consideration under UK GDPR. Financial services sites may face parallel FCA scrutiny that can trigger an ICO referral. These do not change the underlying banner requirements but do raise the consequences of non-compliance.
For EU customers visiting a UK site, the national ePrivacy implementations of the country they are in may also apply alongside PECR. A French visitor to a UK-registered site is arguably subject to France's ePrivacy rules as well as PECR. In practice, a PECR-compliant banner satisfies most EU national implementations because the substantive consent standard is identical. For the underlying statute in detail, see PECR cookie rules in the UK.
This is technical analysis, not legal advice. Consult a solicitor for specific guidance on your cookie compliance position.
Check your website now
Scan your website for Cookies & Consent issues and 30+ other checks.