The ICO has written to a number of UK businesses warning them that they need to update their websites to ensure that the way they use cookies on their websites is compliant with data protection law.

Under UK data protection law, websites must allow users a choice as to whether or not advertising cookies (allowing the website to track the user’s choices and show advertisements which have been personalised to that user’s choices) can be set. It must be just as easy for a user to reject all non- essential cookies (e.g. advertising cookies) as it is for a user to accept such cookies.

The ICO has given the businesses they have written to 30 days to update their websites so that they are compliant with data protection law. According to the ICO, we can expect an update on their actions in this area in January, which may include providing details of businesses which do not have compliant websites.

What does this mean for businesses?

Whilst the ICO action here seems to be targeted towards websites which receive a lot of traffic, the warning also serves as a useful reminder to businesses to check their websites to make sure that they are compliant with data protection law.

The ICO’s warning does not mean that businesses cannot have advertisements on their websites. For those users who reject the use of advertising cookies, websites can still display adverts but those adverts must not be personalised to the user. Some website users prefer to see adverts which have been tailored to them when browsing and, for them, the use of advertising cookies will improve their browsing experience.

However, others find such targeted advertising annoying or even distressing. By ensuring that all website users can easily accept or reject advertising cookies, website owners can improve the browsing experience for everyone.

The ICO has commented that businesses should design their websites in a way that ensures that:

  • The language used does not suggest that there is a right or wrong answer when it comes to users making privacy choices.
  • Privacy choices are framed in a way that does not prioritise one choice over another and makes all options equally easy to choose.
  • The privacy choices that website users make are informed ones.

The above are just some of the points that you will need to consider when assessing your website to check if it is compliant with current data protection law. It is important to ensure that you make such an assessment on a regular basis to avoid exposing your business to action from data protection regulators.

Here at ClaydenLaw we frequently help businesses ensure that their websites are compliant with data protection law. If you would like us to help you as well, please contact us here to arrange a complimentary 30-minute website privacy consultation.

This consultation will help you to identify any gaps in data protection law compliance that your website might have and work out the best way to plug those gaps for your business.

For more information on the relevant areas mentioned in this article please click below:


We will use this information to respond to your enquiry.  Please see our Privacy Notice for further information about our use of personal data.