UK ICO Enforcement: What Publishers Must Know About the New Guidance

Written by Lenny on December 11, 2025

The Information Commissioner’s Office issued updated guidance on cookies and similar tracking technologies in 2024, and it represents a significant escalation in the clarity - and the teeth - of the regulator’s position. For UK publishers who have been operating on the assumption that broadly worded privacy policies and technically certified consent banners are sufficient, the new guidance should prompt a careful review.

The core position

The ICO’s updated guidance is built around a few clear principles that leave relatively little room for interpretation.

Consent must be freely given. This means that making access to content conditional on accepting tracking cookies - the so-called “consent or content” wall - is only acceptable if there is a genuine free alternative available. A site that says “accept cookies or pay” may be compliant if the paid option is a reasonable alternative; one that simply refuses access to users who decline is not.

Consent must be specific. Broad consent for “advertising and analytics purposes” is not sufficient. Users need to be able to understand, and make separate choices about, the different purposes for which their data is being processed.

Rejection must be as easy as acceptance. This is stated explicitly in the guidance and is the clearest indicator that the ICO considers most current consent banner implementations to be non-compliant. If accepting all cookies takes one click and rejecting them takes three, the consent mechanism is not meeting the standard.

Pre-ticked boxes are not consent. Any consent mechanism that defaults to acceptance, in whole or in part, does not meet the GDPR standard regardless of how it is presented.

What the ICO is actually doing

Beyond the guidance document, the ICO has taken a number of enforcement actions and issued public statements that indicate how seriously it is treating cookie compliance. In 2024, it issued a set of “improvement notices” to major UK websites that it found to be using non-compliant consent mechanisms, requiring them to make specific changes within defined timeframes.

The ICO’s Cookie Compliance Programme - its systematic review of how major UK sites implement cookie consent - has been ongoing since 2022 and has identified non-compliance on the majority of sites it has reviewed, including well-known media brands and major publishers. The ICO has been transparent about the fact that enforcement will follow improvement notices where sites fail to make required changes.

For independent publishers, the enforcement risk is lower in absolute terms than for large platforms - the ICO’s resources are finite and it prioritises cases with the highest potential impact. But the compliance requirement is the same, and regulatory attention to the sector is increasing rather than decreasing.

Legitimate interests: the narrowing window

One area where the ICO’s updated position has sharpened is on the use of legitimate interests as a legal basis for advertising-related processing. The ICO’s previous guidance was somewhat equivocal on this, leaving room for publishers to argue that some advertising data processing could be justified on legitimate interests grounds. The updated guidance is considerably less generous.

The ICO now takes the position that tracking-based advertising - meaning advertising that involves the use of cookies or similar technologies to track user behaviour - requires consent rather than legitimate interests as a legal basis. The argument that tracking users to serve them relevant advertising is in their legitimate interest is specifically addressed and rejected.

This has practical implications for many publishers whose advertising setups include some tracking components that have been justified on legitimate interests in their privacy documentation. Those justifications need to be reviewed.

Technical implementation checklist

For UK publishers who want to assess their current compliance position, the following are the key areas to check:

Consent banner design: Is the reject option as prominent as the accept option? Does it require the same number of clicks? Is the language clear about what users are consenting to?

Default states: Are any cookies or tracking technologies active before consent is given? Are any options pre-ticked in detailed consent views?

Consent signal propagation: When a user declines consent, do all third-party scripts and tags actually stop firing? This is frequently not the case on sites using client-side tag managers without proper consent integration.

Withdrawal of consent: Can users withdraw consent they have previously given, and is this as easy as providing it? The consent preferences must be accessible from every page, not just the initial banner.

Records of consent: Do you have an auditable record of when and how each user provided consent? The ICO expects publishers to be able to demonstrate that consent was properly obtained.

Legal basis documentation: Is your privacy policy accurate about the legal basis for every processing activity? Are legitimate interests claims supported by documented legitimate interests assessments?
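
The "Default states" and "Consent signal propagation" checks above can be run against a recorded page load. The following is an added example, not code from the ICO or from this article's author: it takes a simplified, HAR-style list of requests plus the time and outcome of the banner decision, and lists third-party requests and non-essential cookies that fired before any decision or after a rejection. The domain, the cookie allowlist and the capture itself are constructed assumptions, and the output is a list of items to review rather than a compliance verdict.

```javascript
// Added example: flag tracking activity that a consent decision does not cover.
// Every host, cookie name and timestamp here is constructed sample data.
const FIRST_PARTY = "publisher.example";          // hypothetical site domain
const ESSENTIAL_COOKIES = new Set(["session"]);   // hypothetical allowlist

// Constructed capture: the user clicks "Reject all" 5000 ms after page load.
const consentEvent = { t: 5000, decision: "reject" };
const capture = [
  { t: 100,  url: "https://publisher.example/index.html",   setCookie: ["session=abc; Path=/"] },
  { t: 300,  url: "https://cdn.publisher.example/app.js",   setCookie: [] },
  { t: 900,  url: "https://ads.tracker.example/pixel.gif",  setCookie: ["uid=123; Max-Age=31536000"] },
  { t: 5200, url: "https://analytics.example/collect?e=pv", setCookie: [] },
  { t: 5300, url: "https://publisher.example/article.html", setCookie: [] },
];

function isThirdParty(url) {
  const host = new URL(url).hostname;
  return host !== FIRST_PARTY && !host.endsWith("." + FIRST_PARTY);
}

// Returns review candidates: third-party requests and non-essential cookies
// seen before any decision was made, or at any time after a rejection.
function auditCapture(entries, consent) {
  const findings = [];
  for (const e of entries) {
    const decided = e.t >= consent.t;
    if (decided && consent.decision === "accept") continue; // covered by consent
    const phase = decided ? "after-reject" : "before-consent";
    if (isThirdParty(e.url)) {
      findings.push({ phase, type: "third-party-request", url: e.url });
    }
    for (const header of e.setCookie) {
      const name = header.split("=")[0].trim();
      if (!ESSENTIAL_COOKIES.has(name)) {
        findings.push({ phase, type: "cookie-set", url: e.url, cookie: name });
      }
    }
  }
  return findings;
}

for (const f of auditCapture(capture, consentEvent)) {
  console.log(`${f.phase}\t${f.type}\t${f.cookie || ""}\t${f.url}`);
}
```

Running the same capture once with a "reject" decision and once with "accept" separates tags that ignore the consent signal from tags that simply load too early.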

None of this is insurmountable. A publisher who hasn’t addressed these issues has a meaningful piece of work ahead of them, but it is work that can be completed systematically with the right technical and legal support. The alternative - continuing to operate a non-compliant setup in the hope that enforcement attention remains focused elsewhere - is a risk that is decreasing in acceptability with every month that passes.

© 2026 Privacy By Design Ltd. All rights reserved. Registered in England & Wales · 20-22 Wenlock Road, London, N1 7GU