UK Information Commissioner’s Office Announces Cookies Compliance Review of the UK’s Top 1,000 Websites
On January 23, 2025, the UK Information Commissioner’s Office (ICO) announced its plan to bring the UK’s top 1,000 websites into compliance with applicable data protection law. The ICO confirmed that it had already assessed the compliance of the top 200 websites, and that it had communicated its concerns regarding the compliance of 134 of those sites to their operators. Any UK business with a website is likely to use cookies and would be well advised to ensure they comply with applicable data protection law, or risk being next on the ICO’s list.
Stephen Almond, ICO Executive Director of Regulatory Risk, stated:
Uncontrolled tracking intrudes on the most private parts of our lives and can lead to harm. For example, gambling addicts being targeted with more betting ads due to their browsing history or LGBTQ+ people altering their online behavior for fear of unintended disclosure of their sexuality.
Our ambition is to ensure everybody has meaningful choice over how they are tracked online and what we’re publishing today sets out how we intend to achieve that.
Last year, we saw significant improvements in compliance among the top 200 websites in what was a promising step forward for the industry. Now, we are expanding our focus to the top 1,000 websites — and beyond that to apps and connected TVs.
We’ll continue to hold organizations to account but we’re also here to make it easier for publishers to adopt compliant, privacy-friendly business models. By combining advice, guidance, and targeted enforcement, we aim to create an environment where businesses can succeed, and people can have trust and control over their online experiences.
The initiative forms part of the ICO’s 2025 online tracking strategy, which is intended to ensure that individuals have control over how they are tracked online. It aims to address the risks of harm that arise from the misuse of people’s personal data online. Along with the online tracking strategy, the ICO has delivered a number of measures aimed to support businesses in adopting more privacy-friendly models that give individuals choice and control.
These measures include publishing guidance for organizations implementing or considering implementing “consent or pay” models. “Consent or pay” models offer individuals a choice between agreeing to personalized advertisements in return for free access to a service, or paying a fee in order to access an ad-free version.
ICO “Consent or Pay” Guidance
The ICO takes the view that “consent or pay” models can be lawful if users have a genuine choice, and the other requirements of applicable data protection law are met. The ICO guidance sets out a number of factors for businesses to consider in their assessment of whether or not consent is freely given, and requires that web operators must document their assessment and demonstrate how their “consent or pay” model complies with the UK General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR). In particular, the ICO guidance requires a consideration of the following factors:
1. Power imbalance: A clear imbalance of power between a website operator and the user, where people do not have a realistic choice as to whether or not to use the service, means that any purported consent is unlikely to be freely given. The ICO guidance provides examples of a clear power imbalance, which include circumstances where:
- People rely on the service and will suffer an unfair penalty if they refuse consent.
- The organization is a public authority.
- There is an employee/employer relationship.
- Affected users are vulnerable, for instance, due to age, disability or financial circumstances.
- A service is aimed at children who may not have the financial independence to make a free choice.
In addition, an organization’s position in the market may influence the balance of power with users if it has a “dominant position” for the purposes of competition law.
Businesses that intend to introduce a “consent or pay” model should also consider its effect on existing users. For example, they should take into account “switching costs,” which arise where individuals face significant barriers to leaving a service, such as where a person uses social media to identify and connect with clients and would find it difficult to rebuild that network on another site.
2. Appropriate fee: If the fee for accessing the advertisement-free version of a service is excessive, then users are less likely to be able to freely give their consent to the free service with advertisements. If the fee for the advertisement-free version is prohibitively high, then there would not be a genuine choice and any purported consent would be invalid. The ICO guidance recognizes that setting an appropriate fee may be complex, and concludes that the appropriate measure is “the value that people that use or could use your product or service associate with not sharing their personal information for the purposes of personalized advertising.” The ICO guidance provides a number of suggestions that organizations could use in assessing the consumer valuation. These include calculating the revenue that an organization might lose as a result of a reduction in personalized advertising; the costs borne by the organization in providing its products or services; and the consumer valuation of the core services.
3. Equivalence: The paid service should be broadly equivalent to the free service with advertisements, to ensure a free choice to users. For instance, perks and additional features should be available in both the paid and unpaid versions. The guidance provides that a person’s consent to receive personalized advertisements is unlikely to be valid if:
- The paid service is a lower quality version of the free service with advertisements.
- The paid service consists of the same core product or service as the free service, but includes differences beyond the core service which result in a materially worse service quality overall.
- The paid version is a completely different service altogether.
These examples would not offer a genuine free choice, as users would effectively be forced to consent to personalized advertising in order to access the core service they require. The guidance provides that if organizations cannot meet the ICO’s expectations of equivalence, they must be able to demonstrate that people can still freely give their consent, taking all the other factors into account.
4. Privacy by design: Choices must be presented equally to users, with clear, comprehensive information about what each choice involves. In particular, users must be given clear, understandable and neutral information about the options available to them, with an explanation of the processing activities that will take place in relation to each choice, and they must be shown how they can exercise their rights. The ICO takes the view that personalized advertising in a “consent or pay” model is likely to constitute “high risk processing,” so a Data Protection Impact Assessment (DPIA) will generally be necessary. This will require organizations to either revisit any existing DPIA that covers personalized advertising technologies, or conduct a new one. The DPIA should include a consideration of whether or not people have a meaningful choice over the use of their personal data, which should take into account the target audience.
Practical Tips for Website Operators
Not all website operators are implementing or planning to implement “consent or pay” models; however, operators of all but the simplest websites are likely to be using cookies (or similar storage and access technologies, such as tracking pixels, link decoration and navigational tracking, web storage, fingerprinting techniques, scripts, and tags). The use of these technologies must comply with applicable law.
In addition to the ICO’s specific “consent or pay” guidance, organizations must continue to comply with the rules on cookies set out in PECR. Briefly, PECR requires website operators to inform subscribers what the cookies or equivalent technologies are and what they do, and to obtain subscribers’ prior consent, to the UK GDPR standard, before setting non-essential cookies on visitors’ browsers. In light of the ICO’s announcement of its cookie review, businesses should be aware that there is a real possibility of their website coming under scrutiny, and can reasonably expect the ICO to intervene where it is not compliant.
As well as ICO action, non-compliant website operators should be aware that privacy rights group None of Your Business (NOYB) was recently approved as a qualified entity to bring collective redress actions on behalf of data subjects (which we reported on in December 2024). NOYB has specifically identified non-compliant cookie banners as a cause of concern, and has developed an automated mass-scanning system to detect unlawful cookie banners and automatically generate complaints to send to offending companies, following up with a complaint to the supervisory authority where the operator fails to bring their site into compliance. Businesses that use websites would be prudent to review their use of cookies against current guidance, as there is a very real possibility that the non-compliant use of website cookies or similar technologies will result in regulatory or, through NOYB, private actions.
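As an added illustration of the PECR rule described above (no non-essential cookie is set until the visitor has given prior consent) and of the kind of self-check an operator can run against its own site before a regulator or NOYB does, the following JavaScript is example code written for this advisory; it is not the ICO’s, NOYB’s or any vendor’s code. The cookie names, the consent categories and the in-memory cookie jar that stands in for the browser’s cookie store are all constructed assumptions. The example goes slightly beyond the text by also flagging cookies the operator has never inventoried, since consent cannot be claimed for a cookie nobody classified.

```javascript
// Added example (not from the advisory, the ICO or any vendor): a consent gate
// that keeps non-essential cookies from being set until the user opts in, plus a
// self-audit that lists cookies present without a matching consent.
// Cookie names, categories and the in-memory cookie jar are constructed stand-ins.

// Which category each cookie belongs to. 'necessary' cookies (session, CSRF,
// the stored consent choice) may be set without consent; everything else may not.
const COOKIE_CATEGORY = {
  sessionid: 'necessary',
  csrftoken: 'necessary',
  consent_prefs: 'necessary',
  _ga: 'analytics',      // constructed analytics cookie name
  _fbp: 'advertising',   // constructed advertising cookie name
};
const CONSENT_CATEGORIES = ['analytics', 'advertising'];

// Stand-in for document.cookie so the example runs outside a browser.
class CookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  names() { return [...this.store.keys()].sort(); }
}

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    this.granted = new Set();   // categories the user has explicitly accepted
    this.pending = new Map();   // category -> queued loaders awaiting consent
  }

  // Register a tag or script that would set cookies in `category`. It runs at
  // once if that category is already granted, otherwise it waits in the queue.
  register(category, loader) {
    if (!CONSENT_CATEGORIES.includes(category)) {
      throw new Error(`unknown consent category: ${category}`);
    }
    if (this.granted.has(category)) {
      loader(this.jar);
      return;
    }
    if (!this.pending.has(category)) this.pending.set(category, []);
    this.pending.get(category).push(loader);
  }

  // Record the user's decision. Only categories in `accepted` are released;
  // "reject all" or an empty choice grants nothing, so nothing is pre-ticked.
  decide(accepted) {
    for (const category of accepted) {
      if (!CONSENT_CATEGORIES.includes(category)) continue;
      this.granted.add(category);
      for (const loader of this.pending.get(category) || []) loader(this.jar);
      this.pending.delete(category);
    }
    // Persisting the choice is itself a necessary cookie.
    this.jar.set('consent_prefs', [...this.granted].sort().join(',') || 'none');
  }
}

// Self-audit: every cookie in the jar whose category is neither 'necessary' nor
// granted. Unknown cookies are treated as unclassified and therefore flagged.
function cookiesSetWithoutConsent(jar, granted) {
  return jar.names().filter((name) => {
    const category = COOKIE_CATEGORY[name] || 'unclassified';
    return category !== 'necessary' && !granted.has(category);
  });
}

// A compliant page load: essential cookies directly, non-essential ones only
// through the gate. `decision` is the banner outcome (null = not yet answered).
function runGatedPageLoad(decision) {
  const jar = new CookieJar();
  const gate = new ConsentGate(jar);
  jar.set('sessionid', 'constructed-session-id');
  gate.register('analytics', (j) => j.set('_ga', 'constructed'));
  gate.register('advertising', (j) => j.set('_fbp', 'constructed'));
  const beforeDecision = cookiesSetWithoutConsent(jar, gate.granted);
  if (decision !== null) gate.decide(decision);
  return {
    beforeDecision,
    cookies: jar.names(),
    withoutConsent: cookiesSetWithoutConsent(jar, gate.granted),
  };
}

// The pattern the ICO review is looking for: an analytics tag wired straight
// into the page, so its cookie lands before the banner has even been answered.
function runUngatedPageLoad() {
  const jar = new CookieJar();
  jar.set('sessionid', 'constructed-session-id');
  jar.set('_ga', 'constructed');            // set with no consent check at all
  jar.set('tracker_xyz', 'constructed');    // a cookie nobody inventoried
  return cookiesSetWithoutConsent(jar, new Set());
}

console.log('gated, analytics accepted:', runGatedPageLoad(['analytics']));
console.log('ungated audit:', runUngatedPageLoad());
```

In a real deployment the loaders would inject the third-party script tags, and the audit would read the live cookie store after a fresh page load with the banner still unanswered; any name it returns at that point is a cookie set before consent, which is exactly the defect the review and NOYB’s scanning are designed to surface.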
© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.