Cookie Banner Rules in the UK: What the ICO Requires in 2026

Steven | TrustYourWebsite · 5 May 2026 · Last updated: May 2026

<div className="my-6 rounded-lg border border-slate-200 bg-slate-50 p-5"> <div className="mb-2 flex items-center gap-2 text-slate-700 font-semibold"> <svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg" aria-hidden="true"> <circle cx="10" cy="10" r="9" stroke="currentColor" strokeWidth="2" /> <path d="M10 6v5M10 13.5v.5" stroke="currentColor" strokeWidth="2" strokeLinecap="round" /> </svg> <span>Quick summary</span> </div> <ul className="list-disc space-y-1 pl-5 text-sm text-slate-800"> <li><strong>Legal basis:</strong> PECR Regulation 6 plus UK GDPR. Both enforced by the ICO.</li> <li><strong>Reject button:</strong> must be on the first layer of the banner. The ICO has called sites without one "breaking the law".</li> <li><strong>No pre-ticked boxes.</strong> No cookie walls. Scripts must not fire before the visitor chooses.</li> <li><strong>Enforcement:</strong> top-100 letter campaign in 2023. Top-1,000 sweep using AI detection announced in January 2025.</li> </ul> </div>

The ICO's approach to cookie enforcement shifted noticeably between 2023 and 2025. A sector sweep of the UK's top 100 websites produced compliance letters. A public follow-up named non-compliant patterns. The ICO then set out positions on specific banner designs that are now the practical compliance standard. For any UK website, the question is no longer whether to have a cookie banner. The question is whether the banner you have meets the ICO's current requirements.

To check whether your site loads tracking scripts before consent is given, run a free technical scan at /uk/en/scan.

Cookie compliance in the UK operates under two overlapping legal instruments. PECR Regulation 6 creates the consent requirement for placing cookies on a user's device. UK GDPR then applies to the personal data those cookies collect. Both are enforced by the ICO.

PECR Regulation 6 applies to storing information on, or accessing information already stored on, a user's device. It is technology-neutral: cookies, localStorage, tracking pixels and device fingerprinting are all in scope. The user or subscriber must have been given clear and comprehensive information about the purposes of that storage or access, and must have consented. Consent must be prior, so non-essential scripts cannot fire before the user has made a choice. ICO guidance adds that the choice must be genuine: rejecting must be as easy as accepting.

UK GDPR adds validity requirements for consent. It must be specific, informed, freely given and an unambiguous indication of the user's wishes given by a clear affirmative action. A pre-ticked box fails the affirmative-action test (the CJEU's Planet49 ruling). A banner that makes rejection harder than acceptance fails the freely-given test. A cookie wall that withholds the service until the user accepts fails it too.

The ICO can act under either statute. Cookie-banner non-compliance with inadequate consent capture is primarily a PECR matter. Where the underlying processing involves additional UK GDPR failings, such as missing data processor agreements with analytics providers or unlawful international transfers, the ICO can apply its UK GDPR powers as well.

What the ICO's enforcement record says about banner requirements

The clearest recent statement of the ICO's position came from the November 2023 sector sweep, when the ICO wrote to 53 of the UK's top 100 websites identifying specific banner failures. The wider review of the UK's top 1,000 websites announced in January 2025 extends the same scrutiny to a much larger set of sites. The letter campaign named concrete patterns as non-compliant rather than stopping at abstract principles.

The patterns the ICO cited included three recurring failures. First, reject-all was buried behind a "Manage preferences" link that needed multiple clicks. Accept-all was one click on the first layer. Second, some banners had no reject option at all. They only offered a dismiss button. Third, some sites had consent pre-selected for certain cookie categories.

Deputy Commissioner Stephen Bonner stated publicly in 2023 and 2024 that sites without a clear reject option are "breaking the law". Commissioner John Edwards has described the ICO's approach as focusing on organisations that show persistent unwillingness to comply rather than those making a genuine effort.

The January 2024 follow-up found that 38 of the 53 contacted organisations had made their banners compliant. Four had committed to changes. The rest faced further regulatory engagement. The follow-up established a template. The ICO gives organisations the chance to fix issues. The ICO monitors compliance. The ICO escalates for those that do not act.

In January 2025 the ICO announced a wider sweep of the top 1,000 UK websites using AI-assisted detection. This shifted the enforcement model from manual review to automated screening at scale. The ICO's enforcement register lists current actions across all sectors.

The compliance checklist: what a UK banner must do

The following requirements come from ICO guidance on storage and access technologies, PECR Regulation 6 and the 2023 to 2025 enforcement record.

<div className="my-6 overflow-x-auto"> <table className="w-full border-collapse text-sm"> <thead> <tr className="bg-slate-100"> <th className="border border-slate-300 p-2 text-left">Requirement</th> <th className="border border-slate-300 p-2 text-left">ICO source</th> <th className="border border-slate-300 p-2 text-left">Pass / fail test</th> </tr> </thead> <tbody> <tr> <td className="border border-slate-300 p-2"><strong>Prior consent</strong>. No non-essential script may fire before a choice.</td> <td className="border border-slate-300 p-2">PECR reg. 6(1)</td> <td className="border border-slate-300 p-2">Open DevTools Network tab. Reload. No analytics or ad requests before click.</td> </tr> <tr> <td className="border border-slate-300 p-2"><strong>Reject button on first layer</strong>. Equal prominence with accept.</td> <td className="border border-slate-300 p-2">ICO storage guidance, top-100 letter</td> <td className="border border-slate-300 p-2">First banner screen has a visible "Reject all" of comparable size and contrast.</td> </tr> <tr> <td className="border border-slate-300 p-2"><strong>No pre-ticked boxes</strong>. Analytics and ads unchecked by default.</td> <td className="border border-slate-300 p-2">CJEU Planet49 (C-673/17), ICO guidance</td> <td className="border border-slate-300 p-2">Open the preferences panel. Non-essential categories are unticked.</td> </tr> <tr> <td className="border border-slate-300 p-2"><strong>No cookie wall</strong>. Site usable without accepting tracking.</td> <td className="border border-slate-300 p-2">ICO position (aligned with EDPB Guidelines 05/2020)</td> <td className="border border-slate-300 p-2">After clicking reject, the site loads with at least core functionality intact.</td> </tr> <tr> <td className="border border-slate-300 p-2"><strong>Granular categories</strong>. Each category named with a brief description.</td> <td className="border border-slate-300 p-2">PECR reg. 6(2), ICO storage guidance</td> <td className="border border-slate-300 p-2">"Analytics", "Advertising" or similar are listed with one or two lines of context.</td> </tr> <tr> <td className="border border-slate-300 p-2"><strong>Easy withdrawal</strong>. As easy to revoke as to grant.</td> <td className="border border-slate-300 p-2">UK GDPR art. 7(3), ICO storage guidance</td> <td className="border border-slate-300 p-2">A persistent footer link or icon re-opens the consent panel from any page.</td> </tr> </tbody> </table> </div>

Compliant versus non-compliant banner: what the ICO sees

Two examples make the difference obvious. The first follows the ICO's published expectations. The second is the pattern most often called out in the 2023 letters.

[Figure: compliant banner mockup. Two equal buttons, "Accept all" and "Reject all", on the first layer, plus a "Preferences" link. Banner text: "We use cookies for analytics and advertising. You can accept all, reject all or open preferences." Equal size, equal weight, first-layer reject; scripts blocked until the visitor clicks.]
Compliant: equal accept and reject on first layer.
[Figure: non-compliant banner mockup. A large "Accept all" button beside a small grey "manage cookies" link. Banner text: "This site uses cookies to enhance your experience. By using the site you agree." No first-layer reject, asymmetric prominence; the pattern flagged in the ICO's 2023 top-100 letters.]
Non-compliant: prominent accept, buried reject.

The first example mirrors what the ICO has stated should be standard practice. Equal buttons. First-layer reject. No script loading before the visitor clicks. The second example is the pattern the ICO specifically called out across the top-100 letter campaign. A prominent accept button next to a small grey "manage cookies" link counts as asymmetric design, and "by using the site you agree" is not consent at all.

Common failure patterns in UK websites

The 2023 letter campaign and ongoing monitoring have identified recurring failures. These are the issues most likely to appear in a complaint or investigation.

Scripts loading before consent is the most technically significant failure. Many implementations show a banner visually but do not block script execution: the tags for Google Analytics, the Meta Pixel, Microsoft Clarity and similar tools are already in the page and fire on load, and the banner only records a choice after the fact. These tools must be gated by the consent management platform at the technical level, so that no tracking request leaves the browser until the visitor has chosen. Visual suppression alone is not enough.
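The Network-tab check above can be made repeatable. The snippet below is an added example, not ICO tooling or code from any consent vendor: pasted into the DevTools console on a fresh page load, it records the moment the visitor first clicks (the banner choice), then reads the browser's resource timeline and lists every request to a known tracker host that started before that click. The host list is a short illustrative set, not a complete tracker list, and the `__consentClickAt` global is an assumed name for this example.

```javascript
// Added example (not ICO or vendor code): find tracker requests that fired
// before the visitor interacted with the cookie banner.
// Usage in a browser: installConsentClickProbe(); reload-free flow is:
//   1. paste on a fresh load, 2. click "Reject all", 3. call auditPreConsent().

// Illustrative, non-exhaustive list of hosts used by the tools named in the text.
const TRACKER_HOST_SUFFIXES = [
  'google-analytics.com',
  'googletagmanager.com',
  'doubleclick.net',
  'connect.facebook.net', // Meta Pixel script
  'facebook.com',         // Meta Pixel beacons (/tr)
  'clarity.ms',           // Microsoft Clarity
];

// Hostname of a URL, or '' for anything unparsable (relative names, data: URIs).
function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch {
    return '';
  }
}

// Suffix match so that www., region. and stats. subdomains count too,
// but "notfacebook.com" does not.
function isTrackerHost(host) {
  return TRACKER_HOST_SUFFIXES.some(s => host === s || host.endsWith('.' + s));
}

// entries: objects shaped like PerformanceResourceTiming ({name, startTime}).
// consentTime: milliseconds since navigation start when the visitor clicked;
// Infinity means no click yet, so every tracker request is pre-consent.
// Returns the offending requests, earliest first.
function findPreConsentTrackers(entries, consentTime) {
  return entries
    .filter(e => e.startTime < consentTime && isTrackerHost(hostOf(e.name)))
    .map(e => ({ host: hostOf(e.name), url: e.name, startTime: e.startTime }))
    .sort((a, b) => a.startTime - b.startTime);
}

// Browser wiring. The first click anywhere is taken as the banner interaction;
// the capture phase runs before the banner's own handler can remove itself.
function installConsentClickProbe(doc = document) {
  doc.addEventListener('click', () => {
    if (globalThis.__consentClickAt === undefined) {
      globalThis.__consentClickAt = performance.now();
    }
  }, true);
}

function auditPreConsent() {
  const entries = performance.getEntriesByType('resource');
  const when = globalThis.__consentClickAt ?? Infinity;
  return findPreConsentTrackers(entries, when);
}
```

Two caveats when reading the result. The resource timing buffer holds 250 entries by default, so on heavy pages call `performance.setResourceTimingBufferSize(1000)` before the page loads the rest of its assets, or the early requests you care about may have been dropped. And a host list only catches third-party hosts: analytics proxied through your own domain (server-side tagging) will not appear, so the Network tab still needs a manual look for first-party endpoints that forward to trackers.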

Asymmetric rejection is the most common design failure. Rejection is harder than acceptance. It needs more clicks. The text is smaller. The button is hidden behind a second screen. The ICO has been explicit that this asymmetry makes consent non-free.

Missing reject on the first layer affects sites that only show "Accept" and "Manage preferences" on the initial banner. "Manage preferences" is not equivalent to "Reject all". It requires additional action from the user.

Pre-ticked analytics categories remain common on older implementations using consent tools that were not updated to reflect current guidance.

Implementation: what a working banner looks like technically

A banner that meets the ICO's requirements has three technical components beyond its visual design.

First, script blocking at the technical level. The consent platform must prevent non-essential scripts from loading until consent is given. This is typically done through a tag manager's consent integration, or by shipping the tags in an inert form (a script element with a non-executable type and a category attribute) that the consent code activates only for the categories the visitor permitted. If you rely on a tag manager's consent mode, confirm in the Network tab that it blocks the requests rather than sending reduced "cookieless" pings before the choice: a request to a third party before consent is still a request before consent. Inspect the Network tab on a fresh page load to verify that no tracking requests fire before interaction.

Second, consent state storage. The platform must record when consent was given, what was consented to (per category) and through which mechanism (first-layer button, preferences panel, footer link). This record needs to be available if the ICO requests evidence of consent practices. It should carry a version, so that a change to the categories or wording invalidates old records and prompts a fresh choice. Storing the visitor's own consent choice is strictly necessary and does not itself require consent. Most commercial consent platforms produce this log automatically.

Third, post-rejection verification. After a user rejects non-essential cookies, the tracking scripts must not continue to run. Some implementations block the initial load but do not stop an SDK that is already in memory, typically because the visitor accepted earlier and is now withdrawing. A full page reload after a withdrawal is the reliable way to stop it, and cookies the SDK set should be removed where your code can reach them (cookies set from a third-party domain cannot be deleted by your script). To check: click reject, watch the Network tab for about 30 seconds, then reload and watch again. No analytics or advertising requests should appear in either window.
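The three components above fit together as follows. This is an added example written for this article, not the ICO's code or any vendor's consent platform; the category names, the `data-consent` attribute, the storage key and the shape of the stored record are assumptions made for the example. Non-essential tags ship as `<script type="text/plain" data-consent="analytics" src="...">`, which the browser never executes on its own; the gate swaps in a live script only for categories the visitor has granted, writes a versioned record of the choice, and forces a reload when a previously granted category is withdrawn so that nothing already in memory keeps running.

```javascript
// Added example (not ICO or vendor code): a minimal consent gate for
// non-essential scripts. Category names, the data-consent attribute, the
// storage key and the record shape are assumptions for this example.

const CONSENT_VERSION = 1;                          // bump when categories or wording change
const CONSENT_KEY = 'site_consent_v1';              // assumed storage key
const NON_ESSENTIAL = ['analytics', 'advertising']; // assumed categories; none ticked by default

// State before the visitor has chosen: every non-essential category is off.
function defaultConsent() {
  const categories = {};
  for (const c of NON_ESSENTIAL) categories[c] = false;
  return { version: CONSENT_VERSION, decided: false, categories };
}

// Record written when the visitor chooses. `choice` is 'accept_all',
// 'reject_all' or an object of per-category booleans from the preferences
// panel. `mechanism` names how the choice was captured (e.g. 'banner_layer1'),
// so the log answers what was consented to, when, and through what.
function buildConsentRecord(choice, mechanism, now = Date.now()) {
  const categories = {};
  for (const c of NON_ESSENTIAL) {
    if (choice === 'accept_all') categories[c] = true;
    else if (choice === 'reject_all') categories[c] = false;
    else categories[c] = choice[c] === true;       // missing or non-boolean means off
  }
  return {
    version: CONSENT_VERSION,
    decided: true,
    timestamp: new Date(now).toISOString(),
    mechanism,
    categories,
  };
}

// Read a stored record defensively: absent, malformed or stale (old version)
// records all count as "no consent", never as "consented".
function parseStoredConsent(raw) {
  try {
    const r = JSON.parse(raw);
    if (!r || r.version !== CONSENT_VERSION || r.decided !== true ||
        typeof r.categories !== 'object') return defaultConsent();
    return r;
  } catch {
    return defaultConsent();
  }
}

// Fail closed: a tag runs only if its category was explicitly granted.
function mayRun(category, record) {
  return Boolean(record && record.decided && record.categories[category] === true);
}

// Withdrawal: if any category goes from granted to refused, an SDK may already
// be in memory, and the only reliable way to stop it is a full reload.
function needsReload(previous, next) {
  return NON_ESSENTIAL.some(c => previous.categories[c] === true && next.categories[c] !== true);
}

// Activate permitted tags. Inert tags look like:
//   <script type="text/plain" data-consent="analytics" src="https://analytics.example/tag.js"></script>
// querySelectorAll returns a static list, so replacing nodes while iterating is safe.
function activateConsentedScripts(record, doc) {
  let activated = 0;
  for (const tag of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!mayRun(tag.getAttribute('data-consent'), record)) continue;
    const live = doc.createElement('script');
    if (tag.src) live.src = tag.src; else live.textContent = tag.textContent;
    tag.replaceWith(live);
    activated += 1;
  }
  return activated;
}

// Click handler for Accept all / Reject all / Save preferences. `store` is
// anything with getItem/setItem (localStorage in the browser); `env` supplies
// the document and a reload function so the logic stays testable off-page.
function handleChoice(choice, mechanism, store, env) {
  const previous = parseStoredConsent(store.getItem(CONSENT_KEY));
  const next = buildConsentRecord(choice, mechanism);
  store.setItem(CONSENT_KEY, JSON.stringify(next)); // the record itself is strictly necessary
  if (needsReload(previous, next)) {
    env.reload();                                    // stop anything already running
    return next;
  }
  activateConsentedScripts(next, env.document);
  return next;
}

// On every page load: activate only what a valid prior record grants.
function initOnLoad(store, env) {
  return activateConsentedScripts(parseStoredConsent(store.getItem(CONSENT_KEY)), env.document);
}
```

In the browser the wiring is `initOnLoad(localStorage, { document, reload: () => location.reload() })` on load and `handleChoice('reject_all', 'banner_layer1', localStorage, env)` from the button. The point of the design is that every path that does not end in an explicit, current, well-formed grant ends in nothing running: a first visit, a rejected choice, a corrupted record and a record from an older version all resolve to `defaultConsent()`.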

What the ICO does when a complaint arrives

ICO cookie investigations most commonly begin with a data subject complaint. The ICO may then serve a formal information notice under its Data Protection Act 2018 powers (section 142, which PECR also draws on for cookie matters) requesting information by a stated deadline, typically around 30 days. Respond promptly. Fix the banner before or during the response. Document the changes you made. This consistently produces the most favourable outcome.

For first-time SMB failings where the organisation co-operates and remediates, the outcome is typically a reprimand. That is a public written finding of breach with no financial penalty. Fines for cookie-banner failures specifically, as opposed to broader data-protection failings, have been rare at the SME level.

For how the ICO's full investigation process works, see ICO investigation process explained.

Sector-specific considerations

The ICO's cookie enforcement priorities have shifted over time. Before 2023, enforcement was largely reactive and followed individual complaints. From 2023 the ICO began targeted sector sweeps that focused on high-traffic websites first. Organisations with large UK audiences face higher scrutiny than low-traffic SME sites. That does not mean smaller sites are exempt. Data subject complaints, which any visitor can file, are the more typical trigger for SMB investigations.

Certain sectors attract additional scrutiny. Sites targeting children face the ICO's Age Appropriate Design Code on top of PECR. Health and medical sites handle sensitive data categories that attract higher penalty consideration under UK GDPR. Financial services sites may face parallel FCA scrutiny that can trigger an ICO referral. These do not change the underlying banner requirements. They do raise the consequences of non-compliance.

UK and EU divergence since 2024

UK and EU positions on cookie banners overlap heavily but have diverged at the edges. The ICO has taken a stronger public line than most EU supervisory authorities on the need for a first-layer reject-all button. The EDPB Cookie Banner Taskforce report of January 2023 treated this as a majority position, not a unanimous one. The ICO has treated it as a settled requirement. On consent-or-pay models the ICO has been more cautious than the EDPB in Opinion 8/2024. The ICO's updated guidance on storage and access technologies is the reference point for the current UK position.

For EU visitors to a UK site, the national ePrivacy implementation of the country they are in may also apply alongside PECR. A French visitor to a UK-registered site is arguably subject to France's ePrivacy rules as well as PECR. In practice, a PECR-compliant banner satisfies most EU national implementations because both derive from Article 5(3) of the ePrivacy Directive and the GDPR consent standard, so the substantive requirements are largely the same. For the underlying statute in detail, see PECR cookie rules in the UK.


This is technical analysis, not legal advice. Consult a solicitor for specific guidance on your cookie compliance position.
