The ICO has launched its online tracking strategy for 2025, available here. As part of this strategy, the ICO has announced plans to ensure that the UK's top 1,000 websites comply with data protection law, with an aim to "ensure that people see a noticeable improvement in their online experiences with clearer choices and fewer intrusive practices". 

What types of issues has the ICO identified with cookie compliance?

Some of the problems that the ICO has identified with cookies compliance include:

  1. The inability for users to opt-out of non-essential cookies (e.g. advertising cookies)
  2. If there is the ability for users to opt-out of non-essential cookies, whether a user can reject those cookies as easily as they can accept them (e.g. is there a prominent "reject all" button on a cookies consent banner?)
  3. Cookies being used regardless of a user's wishes (e.g. even if a user has rejected non-essential cookies, such cookies are still being used)
  4. Users not being provided with simple information about the purposes for which they are agreeing to share their information.

The ICO has set out a plan of action to give people more control and confidence over how they are tracked online. This includes automated monitoring of website compliance and engagement with major consent management platforms, to ensure their platforms support compliance by default.

If you require assistance in ensuring your use of cookies and other online tracking tools are compliant with data protection law, please don't hesitate to contact our team of data protection experts who are available to help.

'Consent or pay' guidance published

The ICO has also published guidance for organisations implementing, or considering implementing a 'consent or pay' model to access online products and services, which is available here. A 'consent or pay' model involves an organisation giving people the choice to:

  • Consent to an organisation using their personal data for personalised advertising, in order to access the organisation's online products or services
  • Pay a fee to access those online products and services without their personal data being used for personalised advertising
  • Not to use the online products or services at all.

The ICO's guidance notes that 'consent or pay' models can be compliant with data protection law, provided that an organisation can demonstrate that people have freely given their consent to the use of personal data for personalised advertising. Organisations must document their assessment and justify why their 'consent or pay' model complies with data protection laws, including ensuring that people have freely consented to personalised advertising and are fully informed as to what they are consenting to.

If you are considering adopting a 'consent or pay' model (or have already adopted one) and require assistance in ensuring that your model complies with data protection requirements, please contact our team of data protection experts who are available to support.

How does this affect me?

The use of cookies and other online tracking tools is a key area of focus for the ICO and you should therefore be reviewing your use of these online tracking technologies. Failure to ensure compliance could lead to the ICO taking enforcement action which may include a monetary penalty being imposed.

This article is for general information only and reflects the position at the date of publication. It does not constitute legal advice.