Britain’s data protection regulator issued 17 preliminary enforcement notices and sent warning letters to hundreds of website operators throughout 2025, a pressure campaign that brought 979 of the UK’s top 1,000 websites into compliance with cookie consent rules and gave an estimated 40 million people—roughly 80% of UK internet users over age 14—greater control over how they are tracked for personalized advertising.
The Information Commissioner’s Office announced Thursday that only 21 websites remain non-compliant, with enforcement action continuing against holdouts.
The campaign focused on three key compliance areas: whether non-essential advertising cookies were stored on users’ devices before users could exercise choice to accept or reject them, whether rejecting cookies was as easy as accepting them, and whether any non-essential cookies were placed despite users not consenting.
Enforcement Threats Drive Behavioral Change
Of the 979 compliant sites, 415 passed testing without any intervention. The remaining 564 improved practices after initially failing, following direct engagement from the ICO. The regulator sent letters that underlined their compliance shortcomings, opened investigations when letters failed to produce changes, and issued preliminary enforcement notices in 17 cases.
“We set ourselves the goal of giving people more meaningful control over how they were tracked online by the end of 2025. I can confidently say that we have delivered on that promise,” stated Tim Capel, Interim Executive Director of Regulatory Supervision.
The enforcement campaign began in January 2025 when the ICO assessed the top 200 UK websites and communicated concerns to 134 organizations. The regulator warned that uncontrolled tracking intrudes on private lives and can lead to harm, citing examples including gambling addicts targeted with betting ads due to browsing history or LGBTQ+ individuals altering online behavior for fear of unintended disclosure.
Also read: UK Data Regulator Cracks Down on Sky Betting and Gaming’s Unlawful Cookie Practices
Industry-Wide Infrastructure Changes
The ICO engaged with trade bodies representing the majority of industries appearing in the top 1,000 websites and consent management platforms providing solutions to nearly 80% of the top 500 websites. These platforms made significant changes to ensure cookie banner options they provide to customers are compliant by default.
The action secured significant improvements to user experiences online, including greater prevalence of “reject” options on cookie banners and lower prevalence of cookies being placed before consent was given or after it was refused.
The regulator identified four main problem areas during its review: deceptive or missing choice where selection is preset, uninformed choice through unclear options, undermined choice where sites fail to adhere to user preferences, and irrevocable choice where users cannot withdraw consent.
Privacy-Friendly Advertising Exploration
The ICO committed to ongoing monitoring, stating that websites brought into compliance should not revert to previously unlawful practices believing violations will go undetected. We will continue to monitor compliance and engage with industry to ensure they uphold their legal obligations, while also supporting innovation that respects people’s privacy,” Capel said.
Following consultation earlier in 2025, the regulator continues working with stakeholders to understand whether publishers could deliver privacy-friendly online advertising to users who have not granted consent where privacy risk remains low. The ICO works with government to explore how legislation could be amended to reinforce this approach, with the next update scheduled for 2026.
Under current regulations, violations can result in fines up to £500,000 under Privacy and Electronic Communications Regulations or up to £17.5 million or 4% of global turnover under UK GDPR. Beyond financial penalties, non-compliance risks reputational damage and loss of consumer trust as privacy-conscious users increasingly scrutinize data practices.