Explainer: What are Cookies? And why this matters
Unless you’ve been living under a digital rock for the past decade, you’ve probably encountered those annoying pop-ups asking you to “accept cookies” on virtually every website you visit.
But here’s the thing: most people have absolutely no idea what they’re actually agreeing to.
They just click “Accept All” to make the bloody thing disappear so they can get on with reading their article or buying their shopping.
That casual clicking is exactly why the ICO has just come down like a tonne of bricks on 134 major UK websites. So let’s sort this out once and for all – what are cookies, why should you care, and why is everyone suddenly making such a fuss about them?
Cookies: The Non-Edible Kind
First things first – we’re not talking about chocolate chip cookies (though those would make the internet a much more pleasant place). Web cookies are tiny text files that websites store on your device. Think of them as digital Post-it notes that websites stick to your browser to remember things about you.
The Pub Analogy: Imagine you walk into your local pub, and the barman immediately remembers your name, your usual drink, and the fact that you support Arsenal (poor you). That’s essentially what cookies do – they help websites recognise you and remember your preferences when you return.
When you visit a website, it can create these little files and store them on your computer, phone, or tablet. The next time you visit that same site, it reads these files to “remember” who you are and what you were up to last time.
The Different Flavours of Digital Cookies
Not all cookies are created equal; your website designer will be able to explain this to you. Understanding the different types is crucial because this is where the whole privacy debate gets interesting (and where many websites are getting it spectacularly wrong).
Essential Cookies (The Good Guys)
These are the cookies that actually make websites work. They handle things like keeping you logged in, remembering what’s in your shopping basket, and maintaining your security settings. Without these, most modern websites would be about as useful as a chocolate teapot.
The key point: You don’t need to consent to these because they’re necessary for the website to function. It’s like saying you need permission to turn the lights on in a shop.
Analytics Cookies (The Watchers)
These cookies track how you use a website – which pages you visit, how long you stay, where you click. Website owners use this data to understand their audience and improve their site. Think of it as the digital equivalent of counting footfall in a shop.
The key point: The ICO considers these non-essential, so a website needs your proper consent before using them.
Marketing/Advertising Cookies (The Stalkers)
These are the controversial ones. They follow you around the internet, building a profile of your interests so companies can show you “relevant” adverts. Ever wondered why that pair of shoes you looked at once keeps appearing in every advert you see? That’s marketing cookies at work.
The key point: These definitely require clear consent, and this is where most websites are messing up.
See point six in our post on password managers for how marketing cookies are invasive.
Functional Cookies (The Helpers)
These enhance your experience by remembering your preferences – things like your language choice, text size, or whether you prefer dark mode. They’re not strictly essential, but they make using websites more pleasant.
The key point: Still need consent, but most people are happy to accept these ones.
First-Party vs Third-Party: The Plot Thickens
Here’s where things get a bit more complicated (and where the privacy concerns really kick in):
First-party cookies are created by the website you’re actually visiting. If you’re on the BBC website, first-party cookies come from the BBC. Fair enough.
Third-party cookies are created by other companies whose code is embedded in the website you’re visiting. So you might be reading a news article, but cookies from Google, Facebook, Amazon, and a dozen advertising companies you’ve never heard of are all being dropped onto your device.
Real-world example: You visit a recipe website to find out how to make a decent Victoria sponge. The website itself might set a cookie to remember you visited. But embedded in that page might be Google Analytics (tracking your behaviour), Facebook Like buttons (tracking your social activity), and advertising networks from companies you’ve never heard of (building a profile for targeted ads). Before you know it, you’ve got cookies from half a dozen different companies, all because you wanted a cake recipe.
Why This Matters (Spoiler: It’s About Control)
The reason the ICO is getting its knickers in a twist about cookie compliance isn’t because they hate technology. It’s because many websites have been taking the piss with people’s personal data for years.
Here’s what’s been happening:
- Sneaky tracking: Websites dropping tracking cookies before you’ve even seen a consent banner, let alone agreed to anything
- False choices: Cookie banners designed to trick you into accepting everything, with “reject” options hidden or made deliberately difficult to find
- All-or-nothing nonsense: Being forced to accept all cookies or nothing, with no option to pick and choose
- Vanishing consent: No easy way to change your mind once you’ve agreed to cookies
The privacy concern: When dozens of companies are tracking your every move across the internet, they can build incredibly detailed profiles of your behaviour, interests, financial situation, health concerns, political views, and personal relationships. That’s not paranoia – that’s exactly what data brokers do for a living.
What Good Cookie Compliance Actually Looks Like
A properly compliant website should:
- Only set essential cookies before getting your consent
- Give you clear, equal choices to accept or reject non-essential cookies
- Let you choose different categories of cookies separately
- Explain clearly what each type of cookie does and who gets your data
- Make it easy to change your preferences later
- Not punish you for rejecting non-essential cookies (the “consent or pay” issue)
Bottom line: You should have meaningful control over what data is collected about you and who gets access to it. It’s not rocket science, but apparently, it’s been too much to ask from 67% of major UK websites.
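As an added example (not code from the original article), here is a small audit of the "only essential cookies before consent" rule that also applies the first-party/third-party distinction described earlier. It runs over a constructed capture of Set-Cookie headers received before the banner was touched; the hosts, cookie names and the essential allowlist are assumptions made for the illustration.

```javascript
// Added example: audit cookies that a page set BEFORE any consent was given.
// All hosts, cookie names and the capture below are constructed for illustration.

// Parse one Set-Cookie header value into { name, attrs } (attribute names lower-cased).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, attrs };
}

// A response host is first-party if it is the site's domain or a subdomain of it.
// siteDomain is supplied by the caller, so no public-suffix guessing is needed.
function isFirstParty(host, siteDomain) {
  const h = host.toLowerCase(), d = siteDomain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Return every pre-consent cookie that is not on the essential allowlist.
// A first-party cookie can still be non-essential (e.g. the site's own analytics).
function auditPreConsent(capture, siteDomain, essentialNames) {
  const findings = [];
  for (const { host, setCookie } of capture) {
    const { name, attrs } = parseSetCookie(setCookie);
    const party = isFirstParty(host, siteDomain) ? "first" : "third";
    const essential = party === "first" && essentialNames.has(name);
    if (!essential) {
      findings.push({ name, host, party, persistent: "max-age" in attrs || "expires" in attrs });
    }
  }
  return findings;
}

// Constructed capture: responses received while loading a recipe page, banner untouched.
const capture = [
  { host: "www.recipes.example", setCookie: "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax" },
  { host: "www.recipes.example", setCookie: "basket=; Path=/; Secure" },
  { host: "www.recipes.example", setCookie: "_visits=7; Max-Age=63072000; Path=/" },
  { host: "stats.analytics.example", setCookie: "uid=9f2c; Max-Age=31536000; Secure; SameSite=None" },
  { host: "ads.adnetwork.example", setCookie: "track=xyz; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure; SameSite=None" },
];
const findings = auditPreConsent(capture, "recipes.example", new Set(["session", "basket"]));
console.log(findings);
```

On a compliant site the findings list for a pre-consent capture is empty; here it contains the site's own visit counter as well as the two third-party cookies.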
Why Website Owners Are Finally Paying Attention
For years, many businesses treated cookie compliance as a nice-to-have rather than a legal requirement. The attitude was often “set up a basic cookie banner and job done.” That casual approach has just collided head-first with regulatory reality.
The ICO’s latest action sends a clear message: get your house in order, or face the consequences. And those consequences aren’t just regulatory slaps on the wrist – they can include:
- Substantial fines (up to 4% of annual turnover under GDPR)
- Public reprimands that damage your brand reputation
- Formal investigations that cost time and money
- Loss of customer trust when your privacy failures make the news
The Sky Betting case: Just recently, the ICO reprimanded Sky Betting and Gaming for dropping advertising cookies before users consented. The investigation found that third-party tracking technologies were collecting personal data and sharing it with AdTech vendors without visitors’ knowledge. That’s exactly the kind of behaviour that’s now firmly in the ICO’s crosshairs.
What This Means for You (Whether You’re a Website Owner or Just Someone Who Uses the Internet)
If you run a website: Stop thinking of cookie compliance as a box-ticking exercise. It’s about respecting your users’ privacy and giving them genuine control over their data. Get it right, and you build trust. Get it wrong, and you might find yourself on the receiving end of an ICO investigation.
If you’re just trying to browse the internet in peace: You now have much clearer rights about what websites can and can’t do with your data. Those cookie banners should give you real choices, not trick you into accepting everything. If a website is making it difficult to reject tracking cookies, that’s exactly the kind of behaviour the ICO is cracking down on.
The bottom line: Cookies aren’t inherently evil – they’re just tools. The problem has been how some companies have used them to hoover up personal data without proper consent. The ICO’s recent actions are about restoring the balance and giving people back control over their digital privacy.
Whether you’re running a website or just using one, understanding cookies and your rights around them isn’t optional anymore – it’s essential knowledge for anyone operating in the digital world.
What does an ICO compliant cookie notice look like?
We’ve gathered several examples for you to take a look at; the verdict as to whether each one is compliant or not is underneath:




