What the ICO Actually Checks on Your Website in 2026

Steven | TrustYourWebsite · 15 May 2026 · Last updated: May 2026

ICO website investigations are not random. When a complaint or breach notification lands at the ICO, a structured technical and documentary review follows. Understanding what the ICO actually checks lets you pre-empt the gaps before a complaint arrives. This guide covers the concrete checks the ICO performs, drawn from published monetary penalty notices, reprimands and the ICO's own investigation methodology.

To find the same gaps the ICO would find, run a free scan at /uk/en/scan. The scan replicates many of the technical checks below.


How an ICO investigation actually starts

Most ICO matters begin with a data subject complaint filed at ico.org.uk/concerns, a breach notification under Article 33 UK GDPR or an ICO-initiated sweep. The investigation methodology is similar across all three entry points. The ICO opens the website, reviews the public pages and requests targeted evidence from the controller. See the ICO investigation process for the four-stage procedural framework.

The checks below are what the ICO does at the technical-review step. They sit between the complaint arriving and the formal information notice being issued.

The cookie banner is the single most frequently examined element on any UK website. The ICO checks it whether or not the complaint mentions cookies, because the banner reveals whether the controller respects user-control requirements generally.

| What the ICO checks | How they check it | Pass criterion |
|---|---|---|
| Does the banner appear before scripts load? | Incognito browser, DevTools Network tab on first load | No third-party tracker domains in the first request batch. |
| Is Reject all as prominent as Accept all? | Visual review of first banner layer | Equal size, weight, colour. Single click to reject. |
| Does Reject all actually stop trackers? | Click Reject all, reload, watch Network requests | No third-party tracker calls after rejection. |
| Is the consent withdrawal mechanism findable? | Footer review on every page | Persistent link to reopen the preferences panel. |
| Are cookie categories described clearly? | Preferences-panel review | Plain-language category labels with purpose description. |
| Are pre-ticked boxes absent? | Preferences-panel review | All non-essential category toggles off by default. |

The November 2023 ICO letter campaign to 53 of the UK's top 100 websites specifically cited banners that buried the reject option or required multiple clicks. The January 2025 follow-up across the top 1,000 sites expanded the same methodology to SME territory. For specifics, see PECR cookie rules in the UK.
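The two network-level criteria in the table (no tracker domains in the first request batch, and none after Reject all) can be checked offline against a request log exported from the DevTools Network tab. The script below is an added example, not the article's scanner or any ICO tooling; the site name example-shop.co.uk, the request URLs and the tracker-domain list are constructed, and the registrable-domain helper is a deliberate simplification that a real audit would replace with the Public Suffix List.

```python
"""Cookie-banner network check over a captured request log.

Added example, not code from the original article or its scanner. The
request lists, site name and tracker list below are constructed.
"""
from urllib.parse import urlsplit

# Constructed stand-in for a real tracker blocklist.
TRACKER_DOMAINS = {
    "google-analytics.com",
    "googletagmanager.com",
    "doubleclick.net",
    "facebook.net",
    "hotjar.com",
}
# Partial list of two-label public suffixes; a real audit uses the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}


def registrable_domain(host):
    """Collapse a hostname to its registrable domain (eTLD+1), simplified."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify(request_urls, site_url):
    """Bucket each request as first-party, third-party or tracker (third-party on the blocklist)."""
    site = registrable_domain(urlsplit(site_url).hostname or "")
    buckets = {"first_party": [], "third_party": [], "tracker": []}
    for url in request_urls:
        domain = registrable_domain(urlsplit(url).hostname or "")
        if domain == site:
            buckets["first_party"].append(url)
        elif domain in TRACKER_DOMAINS:
            buckets["tracker"].append(url)
        else:
            buckets["third_party"].append(url)
    return buckets


def banner_check(site_url, first_load_urls, after_reject_urls):
    """Apply both pass criteria: no trackers before consent, none after Reject all."""
    before = classify(first_load_urls, site_url)
    after = classify(after_reject_urls, site_url)
    return {
        "loads_trackers_before_consent": before["tracker"],
        "loads_trackers_after_reject": after["tracker"],
        "pass_before_consent": not before["tracker"],
        "pass_after_reject": not after["tracker"],
    }


# Constructed request logs, as exported from the Network tab on a fresh
# incognito load and again after clicking Reject all and reloading.
SITE = "https://www.example-shop.co.uk/"
FIRST_LOAD = [
    "https://www.example-shop.co.uk/",
    "https://www.example-shop.co.uk/static/app.js",
    "https://cdn.example-shop.co.uk/hero.jpg",
    "https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER",
    "https://fonts.gstatic.com/s/inter.woff2",
]
AFTER_REJECT = [
    "https://www.example-shop.co.uk/",
    "https://www.example-shop.co.uk/static/app.js",
    "https://fonts.gstatic.com/s/inter.woff2",
]

if __name__ == "__main__":
    for key, value in banner_check(SITE, FIRST_LOAD, AFTER_REJECT).items():
        print(f"{key}: {value}")
```

On the constructed log the site fails the first criterion (the tag manager fires before any consent) and passes the second (nothing on the blocklist loads after rejection). A third-party request that is not on the blocklist, such as the font CDN here, is reported separately so it can be reviewed rather than silently passed.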

The privacy notice check

A complete and accurate privacy notice under Article 13 UK GDPR is the second most-examined element. The ICO checks both the presence of the notice and whether it actually describes what the site does.

| Disclosure | UK GDPR source | Common failing |
|---|---|---|
| Identity of the controller plus contact details | Art 13(1)(a) | Generic "we" or "the company" without naming the legal entity. |
| Purposes and lawful basis for each | Art 13(1)(c) | A blanket "we process data lawfully" without naming bases. |
| Recipients or categories of recipients | Art 13(1)(e) | Vague "trusted partners" without naming actual third parties. |
| Retention periods or the criteria for them | Art 13(2)(a) | Missing entirely or "as long as necessary" with no detail. |
| Data subject rights | Art 13(2)(b) | Rights listed but no contact route to exercise them. |
| Right to lodge a complaint with the ICO | Art 13(2)(d) | Not mentioned or no link to ico.org.uk/concerns. |
| International transfers and safeguards | Art 13(1)(f) | Use of US-based analytics without mentioning the UK-US Data Bridge or SCCs. |
| Existence of automated decision-making | Art 13(2)(f) | Profiling or automated pricing not mentioned. |

The ICO has issued reprimands where the privacy notice describes processing that does not match what the site actually does, for example a privacy notice that does not mention Google Analytics on a site that runs GA4. For the full template, see privacy policy requirements under UK GDPR.

The data subject rights check

When a complaint specifically alleges that the controller did not respond to a subject access request or other data subject right, the ICO examines the response handling. The framework is structured around UK GDPR Articles 15-22.

The case officer typically requests:

- the original request received from the data subject;
- the controller's full response;
- the dates of receipt and response;
- evidence that the one-month deadline was met (or grounds for a documented extension);
- the lawful-basis reasoning where the controller relied on a Schedule 2 DPA 2018 exemption to redact or refuse;
- the controller's process documentation showing how SARs are handled generally.

Missed deadlines are the single most common SAR-related reprimand category. The 2024 ICO enforcement record contains multiple SAR-related reprimands against SMEs that simply forgot or did not have a process. The DUAA 2025 "stop the clock" provision lets the controller pause the one-month deadline while waiting for clarification from the data subject, but only if specific conditions are met.

The technical security check

Article 32 UK GDPR requires appropriate technical and organisational measures. The ICO does not run a penetration test on the controller's systems, but it does check the public-facing surface.

| Security signal | What it tells the ICO | Failure consequence |
|---|---|---|
| HTTPS coverage and certificate validity | Basic encryption in transit. Expected baseline. | Missing HTTPS on a form is a clear Art 32 failing. |
| HTTP security headers | Whether the controller follows NCSC guidance. | Not fatal alone. Aggravates other findings. |
| CMS or platform versions visible in headers | Whether known-vulnerable software is in use. | Aggravating where it correlates with the underlying breach. |
| Third-party scripts on form pages | Risk of unintended data leak via DOM injection. | Considered where the underlying breach involves a script. |

The British Airways monetary penalty notice (£20 million, 2020) included detailed reasoning about the technical security measures BA had and had not implemented. Reading the BA, Marriott and TikTok penalty notices, all published on the ICO enforcement action page, gives a precise picture of what the ICO considers material.
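The first three rows of the security table (HTTPS on forms, security headers, versions disclosed in headers) can all be checked from one captured response to a page that carries a form. The script below is an added example, not the article's scanner; the response headers and HTML are constructed, and the expected-header list is an assumption standing in for whichever baseline the controller has adopted, not a quotation of NCSC guidance.

```python
"""Public-surface checks on one captured HTTP response.

Added example, not code from the original article or its scanner. The
headers, HTML and expected-header list below are constructed/assumed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed baseline: header name -> pattern its value should satisfy.
EXPECTED_HEADERS = {
    "strict-transport-security": re.compile(r"max-age=\d+", re.I),
    "content-security-policy": re.compile(r"\S"),
    "x-content-type-options": re.compile(r"^nosniff$", re.I),
    "referrer-policy": re.compile(r"\S"),
    "x-frame-options": re.compile(r"^(DENY|SAMEORIGIN)$", re.I),
}
# Headers that commonly carry a product name plus version string.
VERSION_HEADERS = ("server", "x-powered-by", "x-generator")
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")


def audit_headers(headers):
    """Return findings for missing or weak headers and for version disclosure."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = lower.get("content-security-policy", "")
    for name, pattern in EXPECTED_HEADERS.items():
        value = lower.get(name)
        if value is None:
            # CSP frame-ancestors supersedes X-Frame-Options, so do not
            # flag the older header when the newer directive is present.
            if name == "x-frame-options" and "frame-ancestors" in csp:
                continue
            findings.append(f"missing header: {name}")
        elif not pattern.search(value):
            findings.append(f"weak value for {name}: {value!r}")
    for name in VERSION_HEADERS:
        value = lower.get(name)
        if value and VERSION_RE.search(value):
            findings.append(f"version disclosed in {name}: {value!r}")
    return findings


class FormCollector(HTMLParser):
    """Collect every <form> action on the page, resolved against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            action = dict(attrs).get("action") or ""
            self.actions.append(urljoin(self.page_url, action))


def insecure_forms(html, page_url):
    """Return form actions that would submit over anything other than https."""
    collector = FormCollector(page_url)
    collector.feed(html)
    return [a for a in collector.actions if urlsplit(a).scheme != "https"]


# Constructed sample: what a captured GET of a contact page might return.
RESPONSE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}
PAGE_URL = "https://www.example-shop.co.uk/contact"
PAGE_HTML = """
<form action="/contact" method="post"><input name="email"></form>
<form action="http://legacy.example-shop.co.uk/newsletter" method="post">
  <input name="email"></form>
"""

if __name__ == "__main__":
    for finding in audit_headers(RESPONSE_HEADERS):
        print("header:", finding)
    for action in insecure_forms(PAGE_HTML, PAGE_URL):
        print("form posts in clear:", action)
```

The relative form action resolves to the https page URL and passes; the legacy newsletter form posting to a plain http host is exactly the "missing HTTPS on a form" finding from the table. Note that the server and PHP version strings are reported even though nothing here says they are vulnerable: the point is that they are disclosed at all, which is what a case officer correlates against the breach under investigation.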

The contact and accountability check

The ICO checks that a data subject can actually reach the controller without navigating a maze. A working contact path with at least one of an email address, phone number or postal address must be findable in under two clicks from the homepage. The controller's legal name and registered office details must be present where the law requires them (see Companies House website disclosures).

If the controller is required to appoint a Data Protection Officer under Article 37 UK GDPR or is a non-UK controller that needs an Article 27 UK representative, the privacy notice must name them. Public sector controllers and large-scale processors of special category data routinely need both.

Where the complaint involves an unsolicited email or SMS, the ICO checks PECR Regulation 22 compliance. The case officer asks the controller for:

- the signup mechanism used to capture consent;
- the wording of any consent statement at signup;
- screenshots of the form as it appeared at the date of collection;
- dated logs of the data subject's consent;
- the unsubscribe records.

A controller that cannot produce a dated consent log for the complaining individual is in significant difficulty regardless of the underlying intent. PECR Reg 22 consent failures are the most common source of monetary penalty notices against SMEs and the fines start at £10,000. For the lawful-basis framework that sits underneath, see legitimate interests for UK marketing.

The breach notification check (when relevant)

If the complaint or breach notification involves a personal-data breach, the ICO checks whether the controller complied with Article 33 UK GDPR. The 72-hour notification clock starts when the controller becomes aware of the breach, not when the breach is fully investigated.

The case officer reviews the notification submission itself, the controller's internal record of when awareness occurred, the steps taken in the first 72 hours, the assessment of risk to data subjects (which determines whether the controller also had to notify individuals under Article 34) and the post-breach remediation. Late or missing notifications are themselves a breach and have triggered fines in their own right.

What this means in practice

The dominant pattern in published ICO outcomes is that controllers who engage promptly and demonstrate a working compliance baseline almost always avoid fines, regardless of the underlying breach. The reverse is also true: controllers who ignore the ICO, dispute jurisdiction without basis or cannot produce basic records (privacy notice, consent logs, breach response logs) fare significantly worse.

The realistic SME compliance posture is not perfection. It is the ability to demonstrate at any moment that:

- the cookie banner does what it says;
- the privacy notice describes what the site actually does;
- marketing consent is logged with dates and source;
- subject access requests are handled within 30 days;
- breaches would be notified within 72 hours of awareness.

If those five things are in place, the ICO's technical checks will close most complaints at reprimand level or with no further action. For how the published fine bands actually break down, see UK GDPR fines under the ICO.


This is technical analysis based on the ICO's published methodology and enforcement record. It is not legal advice. If the ICO contacts your business, take legal advice from a data-protection specialist before responding to any formal notice.