What the ICO Actually Checks on Your Website in 2026

Steven | TrustYourWebsite · 15 May 2026 · Last updated: June 2026

ICO website investigations are not random. When a complaint or breach notification lands at the ICO, a structured technical and documentary review follows. Understanding what the ICO actually checks lets you pre-empt the gaps before a complaint arrives. This guide covers the concrete checks the ICO performs, drawn from published monetary penalty notices, reprimands and the ICO's own investigation methodology.

To find the same gaps the ICO would find, run a free scan at /uk/en/scan. The scan replicates many of the technical checks below.


How an ICO investigation actually starts

Most ICO matters begin with a data subject complaint filed at ico.org.uk/concerns, a breach notification under Article 33 UK GDPR or an ICO-initiated sweep. The investigation methodology is similar across all three entry points. The ICO opens the website, reviews the public pages and requests targeted evidence from the controller. See the ICO investigation process for the four-stage procedural framework.

The checks below are what the ICO does at the technical-review step. They sit between the complaint arriving and the formal information notice being issued.

The cookie banner check

The cookie banner is the single most frequently examined element on any UK website. The ICO checks it whether or not the complaint mentions cookies, because the banner reveals whether the controller respects user-control requirements generally.

| What the ICO checks | How they check it | Pass criterion |
|---|---|---|
| Does the banner appear before scripts load? | Incognito browser, DevTools Network tab on first load | No third-party tracker domains in the first request batch. |
| Is Reject all as prominent as Accept all? | Visual review of first banner layer | Equal size, weight, colour. Single click to reject. |
| Does Reject all actually stop trackers? | Click Reject all, reload, watch Network requests | No third-party tracker calls after rejection. |
| Is the consent withdrawal mechanism findable? | Footer review on every page | Persistent link to reopen the preferences panel. |
| Are cookie categories described clearly? | Preferences-panel review | Plain-language category labels with purpose description. |
| Are pre-ticked boxes absent? | Preferences-panel review | All non-essential category toggles off by default. |

The November 2023 ICO letter campaign to 53 of the UK's top 100 websites specifically cited banners that buried the reject option or required multiple clicks. The January 2025 follow-up across the top 1,000 sites expanded the same methodology to SME territory. For specifics, see PECR cookie rules in the UK.
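The first and third rows of the table above are network-level checks, and they can be automated once you have the request URLs from a first load and from a reload after Reject all. The following is an added Python example, not code from the original article or from TrustYourWebsite: it classifies each captured request as first-party, unknown third-party or known tracker and returns the verdict the ICO's pass criteria imply. The site, the request lists and the tracker-domain list are all constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample capture (not from any real site): the URLs a browser
# requested on first load of a hypothetical shop, and again after "Reject all".
SITE = "https://www.example-shop.co.uk/"
FIRST_LOAD = [
    "https://www.example-shop.co.uk/",
    "https://static.example-shop.co.uk/app.js",
    "https://cdn.consent-vendor.example/banner.js",
    "https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXX",
    "https://www.google-analytics.com/g/collect?v=2",
]
AFTER_REJECT = [
    "https://www.example-shop.co.uk/",
    "https://static.example-shop.co.uk/app.js",
    "https://connect.facebook.net/en_GB/fbevents.js",
]
# Illustrative tracker domains only; a real check would use a maintained blocklist.
TRACKER_DOMAINS = (
    "google-analytics.com", "googletagmanager.com", "doubleclick.net",
    "facebook.net", "facebook.com", "hotjar.com",
)

def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 so static.example-shop.co.uk counts as first-party.
    Handles common two-level UK suffixes; production code should use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in ("co", "org", "gov", "ac", "ltd", "plc"):
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])

def third_party_trackers(site: str, requests: list[str]) -> set[str]:
    """Return the known-tracker hosts contacted that are not first-party."""
    site_domain = registrable_domain(urlsplit(site).hostname or "")
    found = set()
    for url in requests:
        host = urlsplit(url).hostname or ""
        if registrable_domain(host) == site_domain:
            continue  # first-party asset, never a finding
        if any(host == d or host.endswith("." + d) for d in TRACKER_DOMAINS):
            found.add(host)
    return found

def banner_verdict(site: str, first_load: list, after_reject: list) -> dict:
    """Apply the two network-level pass criteria from the table."""
    before = third_party_trackers(site, first_load)
    after = third_party_trackers(site, after_reject)
    return {"trackers_before_consent": sorted(before),
            "trackers_after_reject": sorted(after),
            "passes": not before and not after}
```

Feed it the URL list exported from the DevTools Network tab (or a HAR file) for each of the two page loads; any host in either result list is a banner that does not do what it says.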

The privacy notice check

A complete and accurate privacy notice under Article 13 UK GDPR is the second most-examined element. The ICO checks both the presence of the notice and whether it actually describes what the site does.

| Disclosure | UK GDPR source | Common failing |
|---|---|---|
| Identity of the controller plus contact details | Art 13(1)(a) | Generic "we" or "the company" without naming the legal entity. |
| Purposes and lawful basis for each | Art 13(1)(c) | A blanket "we process data lawfully" without naming bases. |
| Recipients or categories of recipients | Art 13(1)(e) | Vague "trusted partners" without naming actual third parties. |
| Retention periods or the criteria for them | Art 13(2)(a) | Missing entirely or "as long as necessary" with no detail. |
| Data subject rights | Art 13(2)(b) | Rights listed but no contact route to exercise them. |
| Right to lodge a complaint with the ICO | Art 13(2)(d) | Not mentioned or no link to ico.org.uk/concerns. |
| International transfers and safeguards | Art 13(1)(f) | Use of US-based analytics without mentioning the UK-US Data Bridge or SCCs. |
| Existence of automated decision-making | Art 13(2)(f) | Profiling or automated pricing not mentioned. |

The ICO has issued reprimands where the privacy notice describes processing that does not match what the site actually does, for example a privacy notice that does not mention Google Analytics on a site that runs GA4. For the full template, see privacy policy requirements under UK GDPR.

The data subject rights check

When a complaint specifically alleges that the controller did not respond to a subject access request or other data subject right, the ICO examines the response handling. The framework is structured around UK GDPR Articles 15-22.

The case officer typically requests:

- the original request received from the data subject;
- the controller's full response;
- the dates of receipt and response;
- evidence that the one-month deadline was met (or grounds for a documented extension);
- the lawful-basis reasoning where the controller relied on a Schedule 2 DPA 2018 exemption to redact or refuse;
- the controller's process documentation showing how SARs are handled generally.

Missed deadlines are the single most common SAR-related reprimand category. The 2024 ICO enforcement record contains multiple SAR-related reprimands against SMEs that simply forgot or did not have a process. The DUAA 2025 "stop the clock" provision lets the controller pause the one-month deadline while waiting for clarification from the data subject, but only if specific conditions are met.

The technical security check

Article 32 UK GDPR requires appropriate technical and organisational measures. The ICO does not run a penetration test on the controller's systems, but it does check the public-facing surface.

| Security signal | What it tells the ICO | Failure consequence |
|---|---|---|
| HTTPS coverage and certificate validity | Basic encryption in transit. Expected baseline. | Missing HTTPS on a form is a clear Art 32 failing. |
| HTTP security headers | Whether the controller follows NCSC guidance. | Not fatal alone. Aggravates other findings. |
| CMS or platform versions visible in headers | Whether known-vulnerable software is in use. | Aggravating where it correlates with the underlying breach. |
| Third-party scripts on form pages | Risk of unintended data leak via DOM injection. | Considered where the underlying breach involves a script. |

The British Airways monetary penalty notice (£20 million, 2020) included detailed reasoning about the technical security measures BA had and had not implemented. Reading the BA, Marriott and TikTok penalty notices, all published on the ICO enforcement action page, gives a precise picture of what the ICO considers material.
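The first three rows of the security table can be checked from a single response. Here is an added Python example, not code from the original article: it fetches (or takes, for offline use) a page's response headers and reports plain-HTTP service, missing security headers and version strings in platform headers. The header baseline is an assumption about common practice, not a verbatim NCSC list, and the sample response is constructed.

```python
import re
import urllib.request

# Headers a reviewer expects on a UK site (assumption: a common baseline,
# not a verbatim NCSC list) and what each one buys you.
EXPECTED_HEADERS = {
    "strict-transport-security": "forces HTTPS on return visits",
    "content-security-policy": "restricts which scripts may run",
    "x-content-type-options": "stops MIME sniffing",
    "x-frame-options": "clickjacking protection (CSP frame-ancestors also counts)",
    "referrer-policy": "limits URL leakage to third parties",
}
# Headers that commonly disclose the platform and its version.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-generator", "x-aspnet-version")
VERSION_RE = re.compile(r"\d+\.\d+")

def fetch_headers(url: str) -> dict:
    """Live check: HEAD the page and return its response headers."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "surface-check/1.0"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())

def assess_surface(url: str, headers: dict) -> dict:
    """Pure function over (url, headers) so stored responses can be re-scored offline."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if not url.lower().startswith("https://"):
        findings.append("page served over plain HTTP")
    missing = [name for name in EXPECTED_HEADERS if name not in h]
    if "x-frame-options" in missing and "frame-ancestors" in h.get("content-security-policy", ""):
        missing.remove("x-frame-options")  # CSP already covers framing
    findings += [f"missing header {n} ({EXPECTED_HEADERS[n]})" for n in missing]
    for name in DISCLOSURE_HEADERS:
        value = h.get(name, "")
        if VERSION_RE.search(value):
            findings.append(f"version disclosed in {name}: {value}")
    return {"url": url, "findings": findings, "pass": not findings}

# Constructed sample response (not from any real site) so the check runs offline.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
}
```

Run assess_surface(url, fetch_headers(url)) against every page that carries a form, since that is where a missing-HTTPS finding becomes an Article 32 point rather than an aggravating factor.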

The contact and accountability check

The ICO checks that a data subject can actually reach the controller without navigating a maze. A working contact path, with at least one of an email address, phone number or postal address, must be findable in under two clicks from the homepage. The controller's legal name and registered office details must be present where the law requires them (see Companies House website disclosures).

If the controller is required to appoint a Data Protection Officer under Article 37 UK GDPR or is a non-UK controller that needs an Article 27 UK representative, the privacy notice must name them. Public sector controllers and large-scale processors of special category data routinely need both.

The marketing consent check (when relevant)

Where the complaint involves an unsolicited email or SMS, the ICO checks PECR Regulation 22 compliance. The case officer asks the controller for:

- the signup mechanism used to capture consent;
- the wording of any consent statement at signup;
- screenshots of the form as it appeared at the date of collection;
- dated logs of the data subject's consent;
- the unsubscribe records.

A controller that cannot produce a dated consent log for the complaining individual is in significant difficulty regardless of the underlying intent. PECR Reg 22 consent failures are the most common source of monetary penalty notices against SMEs and the fines start at £10,000. For the lawful-basis framework that sits underneath, see legitimate interests for UK marketing.

The breach notification check (when relevant)

If the complaint or breach notification involves a personal-data breach, the ICO checks whether the controller complied with Article 33 UK GDPR. The 72-hour notification clock starts when the controller becomes aware of the breach, not when the breach is fully investigated.

The case officer reviews the notification submission itself, the controller's internal record of when awareness occurred, the steps taken in the first 72 hours, the assessment of risk to data subjects (which determines whether the controller also had to notify individuals under Article 34) and the post-breach remediation. Late or missing notifications are themselves a breach and have triggered fines in their own right.

What this means in practice

The dominant pattern in published ICO outcomes is that controllers who engage promptly and demonstrate a working compliance baseline almost always avoid fines, regardless of the underlying breach. The reverse is also true: controllers who ignore the ICO, dispute jurisdiction without basis or cannot produce basic records (privacy notice, consent logs, breach response logs) fare significantly worse.

The realistic SME compliance posture is not perfection. It is the ability to demonstrate at any moment that:

- the cookie banner does what it says;
- the privacy notice describes what the site actually does;
- marketing consent is logged with dates and source;
- subject access requests are handled within 30 days;
- breaches would be notified within 72 hours of awareness.

If those five things are in place, the ICO's technical checks will close most complaints at reprimand level or with no further action. For how the published fine bands actually break down, see UK GDPR fines under the ICO.

This is technical analysis based on the ICO's published methodology and enforcement record. It is not legal advice. If the ICO contacts your business, take legal advice from a data-protection specialist before responding to any formal notice.
