“You must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent. Consent must be actively and clearly given.”
– Information Commissioner’s Office
If you use the internet, you’ll be familiar with cookie banners, where you have to accept or decline various bits of tracking in order to find what you were looking for. There are plenty of providers and styles to choose from, but the option has to be there.
The ICO (Information Commissioner’s Office) is the UK body charged with enforcing the rules round data privacy, which includes cookies. As part of their 2025 strategy, they surveyed 200 of the UK’s top websites by traffic volume. Of these, 134 had cookie policies which did not meet the legal requirements of PECR (the Privacy & Electronic Communications Regulations).
Which websites were surveyed?
The ICO didn’t say publicly which websites it looked at, but the top 20 by traffic are pretty consistent across a number of sources.
Four kind of issues
The problems the ICO uncovered fall into 4 categories:
1. Lack of Clarity
For the next 24 hours, count how many banners you see that say something like “Accept/Reject all cookies”.
This doesn’t meet the “clearly explain what the cookies do and why” part of the guidance.
2. No actual choice
One step worse than “Accept/Reject All” is the cookie control that doesn’t give you a choice at all.
3. Pre-ticked consent
“Consent must be actively… given.”
Pre-ticking a box means that agreeing to cookies is no longer an active choice, so don’t do this.
4. Hard to withdraw
This one hadn’t even occurred to me until I read the ICO’s comments!
Do you know how to retract your consent to cookies from any website you’ve visited? If you don’t, you’re not alone. As in the example above, the process is explained briefly when you agree to cookies, then tucked away in the footer of the page where most people wouldn’t really look. This “meets the legal requirements but isn’t really transparent” way of doing things is in the ICO’s firing line.
What does Spotler use cookies for?
The 2 main Spotler platforms which need cookies are Spotler Leads, our website visitor tracking tool, and Spotler Activate, which uses first-party data to personalise website pages to each visitor.
So what do I need to do?
If you haven’t reviewed your cookie consent set-up recently, take this opportunity to do so. It doesn’t seem like the ICO have taken any enforcement actions around cookie consent at the time of writing, so we should read this announcement as a warning shot to get our houses in order.
For a full guide to the ICO’s 2025 strategy, visit their website.
For Spotler’s own cookie policy, see here.
