Is your website up to scratch or will the ICO come knocking?

Last November the ICO wrote to 53 of the UK’s top 100 websites, warning that they faced enforcement action if they didn’t make their use of advertising cookies comply with data protection law. 

On 31 January 2024 the ICO released a statement on such action, noting that 38 of the 53 organisations they contacted changed their cookies banners in response and four committed to be compliant by the end of February. 

Several others are working on alternative solutions such as contextual advertising and subscription models.  The ICO has said it will provide advice in February on how these models can be implemented in compliance with data protection law. 

With this latest action, the ICO is making clear that it expects all websites using advertising cookies or similar technologies to give people a fair choice over whether they consent to the use of such technologies, and if organisations continue to ignore the law, they can expect to face consequences. 

The ICO’s statement says:

We will not stop with the top 100 websites.  We are already preparing to write to the next 100 – and the 100 after that.”

To assist this activity, the ICO is developing an AI solution to help identify websites using non-compliant cookie banners and is planning a ‘hackathon’ event early in 2024 to explore this. 

The ICO advises all organisations to take action now to become compliant and claims:

We can already see the ripple effect of our intervention with many organisations making changes to cookie banners without receiving a letter from us. … And as we’ll be steadily working our way through the list of websites offering services to UK users to give them all the same message, it makes sense to be compliant before the regulator comes knocking.”

What do businesses need to do?

So, is your website’s use of advertising cookies already compliant with data protection or are you likely to receive a letter from the ICO in the next few months? 

Now would be a good time to look at the cookies used on your website and the tools it provides to enable visitors to choose what cookies are applied to them. 

You’ll need to know: 

  • What advertising cookies are used on your website – you’ll need to consult your web developers and/or use a cookie scanning tool to find this out.
  • Whether you provide a cookie consent tool for visitors.
  • How easy it is for visitors to find and use the cookie consent tool.
  • What the cookie consent tool says and how the options are presented – e.g. is it easier to accept all cookies than to reject advertising and other cookies?
  • Whether the cookie consent tool is pre-set to accept non-essential cookies such as advertising cookies (it shouldn’t be!).

Have a look at the ICO’s blog It’s time to end damaging website design practices that may harm your users | ICO and the ICO-CMA joint position paper Harmful Design in Digital Markets to help you understand what practices the ICO views as problematic and what it views as compliant good practice. 

Also keep a look out for the ICO’s advice on using contextual advertising and subscription models, which it says will be published in February, if that is an avenue you want to pursue. 

Here at ClaydenLaw we frequently help businesses ensure that their websites are compliant with data protection law. If you would like us to help you as well, please contact us here to arrange a complimentary 30-minute website privacy consultation.

This consultation will help you to identify any gaps in data protection law compliance that your website might have and work out the best way to plug those gaps for your business.

For more information on the relevant areas mentioned in this article please click below:


We will use this information to respond to your enquiry.  Please see our Privacy Notice for further information about our use of personal data.