TL;DR: "What are cookies?" is a common question for anyone dealing with websites, and the answer affects every UK user and business.
Cookies are small text files that remember your activity online, and they range from essential tools that keep a site working to advertising trackers that follow you across the internet.
Most users accept them without thinking, which is exactly why the ICO recently took action against 134 major UK websites for dropping non essential cookies without valid consent.
This guide explains what cookies are, why they matter for privacy, the different types, the rules you must follow in the UK, and what proper compliance looks like.
Table of Contents
1. What exactly are cookies?
2. Why do cookies matter for UK users and businesses?
3. The different types of cookies and why they matter
4. First party versus third party cookies
5. Why cookie compliance is a major issue in the UK
6. What does proper ICO compliant cookie practice look like?
7. Examples of compliant and non compliant cookie notices
8. Why website owners cannot ignore this anymore
9. What this means for everyday users
10. What this means for website owners
11. Case study: a practical example of fixing cookie compliance
What exactly are cookies?
Cookies are small text files that websites place on your device so they can recognise you when you return. They behave like digital notes that store things the site needs to remember, such as your login status, your shopping basket, or how you moved through the page.
Think of a pub remembering your usual order. That is essentially how cookies help websites function. They store harmless bits of information that allow a site to behave consistently when you come back.
The trouble starts when websites use cookies to track people without their clear consent, or share that tracking data with advertising companies and analytics platforms. This is what the ICO is now firmly cracking down on.
If you are concerned about unwanted tracking scripts, you may also find our guide on harmful SEO crawlers helpful.
Why do cookies matter for UK users and businesses?
Cookies might seem trivial, but they are tied directly to data protection law in the UK. The Privacy and Electronic Communications Regulations (PECR), together with the UK GDPR, control how websites collect information from visitors. They require websites to gain meaningful consent before placing anything non essential on a device.
The ICO recently reviewed over 500 of the most visited UK websites and found widespread non compliance. As a result, 134 major sites were contacted and warned that they must fix their cookie practices or face enforcement.
This included sites that dropped analytics or advertising cookies before users had a chance to consent, banners that nudged people into acceptance, and incomplete explanations of what data was being shared.
The message was clear. This is not optional housekeeping; it is a legal requirement.
The different types of cookies and why they matter
Essential cookies, the ones that keep the site working
These handle core functions such as security, login sessions, and a shopping basket. Without them, the website would break. They do not require consent because they are genuinely necessary.
Analytics cookies, the ones that measure behaviour
Analytics cookies track page views, clicks, time on site, and general behaviour. They are useful for improving a website, but they are not essential. Under UK law, they require user consent before being set, even if the data collected is anonymised. We explored similar measurement challenges in our explanation of GA4 ChatGPT referral data.
Marketing and advertising cookies, the ones that follow you
These build profiles of your interests so advertising networks can target you more effectively. If you look at a product once and it follows you across the internet, this is the reason. These cookies always require explicit consent.
You can see how this behaviour links to wider online privacy concerns, which we covered in our guide to password managers.
Functional cookies, the optional helpers
Functional cookies remember preferences such as language, video settings, or display options. They improve the experience, but the site can operate without them. They need consent, although most users are comfortable accepting them.
First party versus third party cookies
What are first-party cookies?
These come from the website you are visiting. They usually support basic functions or preferences.
What are third-party cookies?
These are placed by companies you have never interacted with directly, such as Meta, Google, or advertising networks. If a website loads tracking scripts from several providers, each one may set its own cookies on your device.
A simple example is a recipe website that embeds analytics, social media buttons, and ads. You may get cookies from half a dozen companies without ever clicking anything. This is why transparency and consent matter.
Why cookie compliance is a major issue in the UK
The privacy problem
Many websites have been dropping cookies before users see a banner, or presenting banners designed to steer people into accepting everything. Some banners hide the reject option, some phrase acceptance as the default, and others place essential and marketing cookies together to make refusal difficult.
These patterns remove user choice and breach UK law. This shift mirrors wider regulatory trends we discussed in our in depth look at the Online Safety Act, where user protection is becoming a core legislative priority.
The ICO response: action taken against 134 UK websites
The ICO is now actively enforcing cookie rules. Their recent action involved contacting 134 of the largest UK websites with formal warnings.
The issues included:
• Advertising cookies being set without consent
• Analytics cookies firing immediately on page load
• Misleading banners with no clear reject option
• Lack of detail about data sharing with third parties
• No way for users to revisit or change consent later
The ICO said that businesses must fix these issues promptly or face enforcement notices, audits, or fines.
The Sky Betting and Gaming case
As a recent example, the ICO reprimanded Sky Betting and Gaming after their site dropped advertising cookies before users had a chance to consent. The tracking technologies collected data that was then shared with AdTech partners. This is precisely the type of behaviour the ICO is targeting.
What does proper ICO compliant cookie practice look like?
Clear choices without tricks
A compliant banner should provide:
• Equal options to accept or reject
• Granular control over categories
• A simple explanation of what each cookie does
• No pre-ticked boxes
• No trick design that pushes acceptance
The ICO has been explicit. Users must have real control. They cannot be forced or manipulated into acceptance.
Only essential cookies before consent
No analytics or marketing technologies should load until the user has made a choice. Websites must wait for consent and act on it.
Easy ways to revise consent
People must be able to change their mind. A footer link to cookie settings is enough as long as it is visible.
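One way to implement "only essential cookies before consent" on the client is sketched below. It is an added example, not code from the ICO or any consent tool; the tag URLs, the record fields and the function names are assumptions made for illustration.

```javascript
// Added example: decide which tags may load from a stored consent record.
// Category names follow the article; tag URLs and record fields are assumptions.
const CATEGORIES = ["essential", "functional", "analytics", "marketing"];

const TAGS = [ // constructed registry of scripts the site wants to load
  { src: "/js/basket.js", category: "essential" },
  { src: "https://stats.example/collect.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];

// Build the record to store once the visitor chooses. Anything not explicitly
// granted is false, so no category is pre-ticked; essential is always on.
function recordConsent(granted, now = new Date()) {
  const choices = {};
  for (const c of CATEGORIES) choices[c] = c === "essential" || granted.includes(c);
  return { choices, decidedAt: now.toISOString() };
}

// With no record yet (banner unanswered) only essential tags are returned.
// A tag with an unknown category is never returned, so mistakes fail closed.
function tagsAllowed(tags, record) {
  const choices = record ? record.choices : { essential: true };
  return tags.filter((t) => choices[t.category] === true).map((t) => t.src);
}

// In a browser, inject only what the record allows; call again after a change.
function loadAllowed(tags, record, doc) {
  const present = new Set(
    [...doc.querySelectorAll("script[src]")].map((s) => s.getAttribute("src"))
  );
  for (const src of tagsAllowed(tags, record)) {
    if (present.has(src)) continue; // already on the page
    const el = doc.createElement("script");
    el.src = src;
    doc.head.appendChild(el);
  }
}
```

When a visitor later withdraws a category through the settings link, scripts that are already running are not unloaded by this code, so the page needs a reload and the cookies those scripts set need deleting.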
Examples of compliant and non compliant cookie notices
These examples reflect what the ICO expects, and why many sites are currently under scrutiny.
Compliant examples
• Clear Accept All and Reject All buttons of equal prominence
• Simple wording that explains essential versus non essential cookies
• Straightforward access to Cookie Settings for finer control
Non compliant examples
• Only showing an Accept button with no visible reject option
• Implied consent wording such as, “By continuing to use this site you agree”
• Colour schemes or button sizes designed to push acceptance
• Hiding rejection behind multiple steps or small text
This is exactly the type of behaviour the ICO is cracking down on after its review of major UK websites.



This is an excellent example of ICO-compliant cookie consent with three equally prominent buttons giving users genuine choice. The “Reject all cookies” option is just as visible and accessible as “Accept all cookies,” which is exactly what the ICO requires. This demonstrates the gold standard that the 134 non-compliant websites should be aiming for.

Why website owners cannot ignore this anymore
For years, cookie compliance was treated as a tick box exercise. That approach is no longer viable. The ICO has made it clear that inaction will lead to consequences, including substantial fines, public reprimands, and loss of trust.
Businesses that comply gain credibility. Those that do not risk serious reputational and financial harm.
What this means for everyday users
You now have clearer rights:
• Websites cannot drop non essential cookies until you consent
• You must be able to reject as easily as you accept
• Your choice must be respected
• You can change your preferences at any time
If a website makes rejection difficult, that behaviour is unlikely to comply with UK law.
What this means for website owners
Compliance is no longer a luxury. It is a requirement. A well configured cookie system shows users that you respect their privacy and understand your legal duties.
If you run a site, you should:
• Audit your existing cookies
• Confirm nothing fires before consent
• Replace any dark pattern banners
• Explain each category clearly
• Keep records of consent
• Check third party scripts regularly
In many cases, the biggest issue is scripts that load extra cookies you did not expect. Regular reviews keep you compliant.
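The "confirm nothing fires before consent" check from the list above can be automated against a capture of the first page load. The following is an added example rather than an ICO tool or any vendor's code; the host names, the essential-cookie allowlist and the capture format are constructed assumptions.

```javascript
// Added example: audit cookies set on first page load, before any banner click.
// ESSENTIAL is an assumed allowlist; a real one comes from your own cookie inventory.
const ESSENTIAL = new Set(["session_id", "csrf_token", "basket"]);

// Parse one Set-Cookie header value into a name plus lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Simplified same-site test: exact host or a subdomain of the site host.
// (A production audit would compare registrable domains via the Public Suffix List.)
function isFirstParty(siteHost, host) {
  return host === siteHost || host.endsWith("." + siteHost);
}

// Return every cookie set before consent that is not an allowlisted first-party one.
function auditPreConsent(siteHost, responses, essential = ESSENTIAL) {
  const findings = [];
  for (const { url, setCookie = [] } of responses) {
    const host = new URL(url).hostname;
    for (const header of setCookie) {
      const { name, attrs } = parseSetCookie(header);
      const firstParty = isFirstParty(siteHost, host);
      if (firstParty && essential.has(name)) continue; // allowed before consent
      const maxAge = parseInt(attrs["max-age"], 10);
      const lifetimeDays = Number.isFinite(maxAge) ? Math.round(maxAge / 86400) : null;
      findings.push({ name, host, party: firstParty ? "first" : "third", lifetimeDays });
    }
  }
  return findings;
}

// Constructed capture of responses seen before the visitor touched the banner.
const SAMPLE = [
  { url: "https://shop.example/", setCookie: ["session_id=abc; Path=/; HttpOnly; Secure"] },
  { url: "https://shop.example/js/stats.js", setCookie: ["_visitor=x1; Max-Age=63072000; Path=/"] },
  { url: "https://ads.tracker.example/pixel", setCookie: ["uid=77; Max-Age=31536000; SameSite=None; Secure"] },
  { url: "https://cdn.shop.example/app.css" },
];
console.log(auditPreConsent("shop.example", SAMPLE));
```

This only sees cookies set through response headers; cookies written by scripts via `document.cookie` need a snapshot of the browser's cookie jar taken at the same point.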
Case study: a practical example of fixing cookie compliance
A business using standard analytics and several advertising networks found that their banner appeared compliant, but the scripts still fired before consent. After a review, they discovered that the cookie tool was misconfigured and that two marketing scripts needed manual blocking. Fixing this brought the site into compliance and avoided potential enforcement.
This mirrors the ICO findings that many websites thought they were compliant but were still dropping cookies early.
Conclusion: What are Cookies?
Cookies are not inherently bad. They are small bits of text that help websites remember who you are and what you were doing. Problems arise when businesses use them to track people without clear permission. The ICO’s recent action against 134 leading UK websites shows that the regulator is taking this seriously.
If you run a website, you should treat cookie compliance as part of respecting your users and protecting your business. If you are a user, you should expect real choice and clear explanations every time you visit a website.
Understanding what cookies are is now essential knowledge for anyone online. If you are reviewing your wider digital setup, our sustainable website design approach outlines how to build sites that are clean, fast, accessible, and compliant.
Sources
- Information Commissioner’s Office: guidance on cookies and similar technologies
- UK GDPR and PECR regulations
- ICO reprimand: Sky Betting and Gaming, November 2023


