The ICO is Cracking Down on Cookie Compliance — Is Your Website Ready?
In January, the UK’s Information Commissioner’s Office (ICO) launched an aggressive enforcement initiative targeting cookie compliance across the top 1,000 websites in the country. This move is the clearest signal yet that regulators are no longer content with warning letters or passive education. They’re actively investigating and naming brands that fail to comply.
The age of “we’ll fix it later” is over.
For digital teams, this shift means one thing: your website’s data practices are no longer just a marketing or analytics issue — they’re a compliance liability.
At ObservePoint, we’ve been preparing customers for moments like these.
Cookie Compliance Isn’t Just a Banner Anymore
Too often, companies treat cookie consent like a front-end checkbox — design the banner, slap on a script, and assume the job is done.
But the real challenge lies under the hood.
Cookies, especially third-party marketing and analytics ones, are often loaded dynamically across different site environments, sometimes piggybacking on other tags without anyone realizing it. While Consent Management Platforms have built-in cookie scanners, they usually can’t detect rogue tags or cookies that sneak through before consent is granted.
That’s where ObservePoint comes in.
ObservePoint provides the double-check you need to confirm your CMP is asking users for consent and delivering the right cookies based on their preferences. Not only that, ObservePoint’s cookie origin story provides the most detailed contextual and historical cookie information of any scanner: where the cookie is, how many times it shows up on your site, what changes were made to it, and what tech is loading it.
Read on to find out what the ICO is looking for and get a compliance checklist and an ICO audit plan you can use on your journey to attestation.
What Is the ICO Looking For?
The ICO wants to give people meaningful control of how they are tracked online. They’ve identified 4 main problem areas where websites don’t seem to offer visitors the type of data protection they are entitled to.
1. Deceptive or Absent Choice
Website visitors are not presented with an option to opt out of non-essential data processing, or they are given a choice but are deceived when, for example, cookies that do not match their stated preferences are set.
2. Uninformed Choice
Simple, clear information about the purposes for which visitors are agreeing to share their information is necessary for them to make informed choices.
3. Undermined Choice
Even with clear statements on how websites will process users’ information and a functioning consent banner, collected information isn’t always processed in the stated manner. More transparency, simpler controls, and assurances that their personal information is being used responsibly are necessary, especially regarding information shared with third-party advertisers.
4. Irrevocable Choice
When people change their mind about how they want to share their data, it shouldn’t be difficult to change their preferences or revoke consent.
Cookie Problems in Action
So in practical terms, what are the website behaviors that would fall under these 4 problem areas? The ICO is looking for things like:
- No “reject all” option when there’s an “accept all,” or presenting “reject all” in a smaller font or in some other obscured way
- Leading the user to “accept all” with pre-selections
- Dropping cookies before consent or despite rejection
- Implying consent instead of clearly receiving it
- Using vague or misleading wording in privacy compliance notices and policies
- Not providing a way for users to withdraw consent
- Making acceptance of cookies a prerequisite to using the website
Many of these issues do not arise because website managers are trying to collect data on the sly. More often they come from implementation errors in Tag Management Systems (TMS) and Consent Management Platforms (CMP), combined with a lack of time and resources to consistently monitor for problems.
Cookie Compliance Checklist
ObservePoint’s automated web audits help teams detect and document exactly which cookies are firing across every page and whether they’re aligned with your consent logic.
The functionality of the platform’s cookie and privacy features serves as the perfect checklist for your ICO compliance process:
- Run sitewide scans automatically to get a picture of what cookies you have, when they’re being set, and what technology is loading them
- Find cookies and trackers that are not under your TMS, and therefore unseen by your CMP
- Set up alerts to be notified of new or unauthorized cookies and trackers
- Test your site as a user with a GPC signal turned on or with a “reject all” preference to validate that your CMP is functioning correctly
- Automatically sync your cookie categories with your CMP, so you can test the most up-to-date version
- Check your privacy policy and consent banner presence on every page of your website
- Look at the actual text of these policies and make sure your cookies are categorized correctly: does a social media cookie belong in strictly necessary?
- Monitor for changes and regressions with automatic audits and real-time alerts
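As an added illustration of the pre-consent, “reject all” and GPC checks in the list above (not ObservePoint code or output), this Node.js example audits Set-Cookie headers captured in three test sessions against a cookie category map. The capture records, hostnames and category assignments are constructed assumptions.

```javascript
// Constructed category map (assumption): cookie name -> consent category.
const CATEGORIES = new Map([
  ["session_id", "strictly_necessary"], ["cmp_consent", "strictly_necessary"],
  ["_ga", "analytics"], ["_fbp", "marketing"],
]);

// Constructed capture: Set-Cookie headers seen in three test sessions. The
// "gpc" session is one where every request carried the header `Sec-GPC: 1`.
const CAPTURE = [
  { session: "pre_consent", setBy: "https://shop.example/", setCookie: "session_id=abc; Path=/; Secure; HttpOnly" },
  { session: "pre_consent", setBy: "https://stats.example/collect", setCookie: "_ga=GA1.2.1.1; Max-Age=63072000; Path=/" },
  { session: "reject_all", setBy: "https://shop.example/", setCookie: "cmp_consent=reject; Max-Age=15552000; Path=/" },
  { session: "reject_all", setBy: "https://ads.example/px", setCookie: "_fbp=fb.1.1.1; Path=/" },
  { session: "gpc", setBy: "https://cdn.example/widget.js", setCookie: "wdg_uid=77; Path=/" },
  { session: "gpc", setBy: "https://ads.example/px", setCookie: "_fbp=; Max-Age=0; Path=/" },
];

// Split one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf("=");
    attrs[(i === -1 ? part : part.slice(0, i)).toLowerCase()] = i === -1 ? "" : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// A header that expires the cookie removes it, so it is not a violation.
function isDeletion({ attrs }, now = Date.now()) {
  if ("max-age" in attrs) return Number(attrs["max-age"]) <= 0; // Max-Age wins over Expires
  if ("expires" in attrs) return Date.parse(attrs.expires) <= now;
  return false;
}

// None of the three sessions has consent, so only strictly necessary cookies
// may be set; names missing from the map are reported as "uncategorized".
function auditCapture(capture, categories) {
  const findings = [];
  for (const { session, setBy, setCookie } of capture) {
    const cookie = parseSetCookie(setCookie);
    if (isDeletion(cookie)) continue;
    const category = categories.get(cookie.name) ?? "uncategorized";
    if (category !== "strictly_necessary") findings.push({ session, name: cookie.name, category, setBy });
  }
  return findings;
}
console.table(auditCapture(CAPTURE, CATEGORIES));
```

Cookies written by scripts through `document.cookie` never appear as Set-Cookie headers, so a browser-driven capture has to record those writes as well.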
Scan. Monitor. Fix. Repeat. That’s the key to ongoing privacy compliance, avoiding the regulatory spotlight now aimed at some of the UK’s most high-traffic websites, and most importantly, building trust with your users.
Don’t Wait for the Regulator to Show Up
The ICO has already started issuing notices and opening investigations. If they’re scanning the top 1,000 sites today, they’ll be moving on to the next 10,000 tomorrow.
But the real question is: do you know what’s happening across your digital properties?
With ObservePoint, you don’t have to guess.
We help you move from reactive to proactive, scanning your site like a regulator would, flagging issues before they cost you public trust, legal fees, or brand damage.
Ready to See What We See?
We invite you to try a sample scan or book a guided demo. You’ll get an instant window into how your site’s cookies, tags, and trackers are behaving and whether they’re putting you at risk.