Data Protection & Commercial

Website cookies crumble as they fail to meet legislation

Over a year after the Information Commissioner’s Office introduced new guidelines on website cookies, a large proportion of UK websites are failing to meet the new regulations, leaving website visitors’ data open to abuse and website owners open to significant fines.




Collyer Bristow warns that, following the closure of businesses during the current and past lockdowns and increasing reliance on online operations, the Information Commissioner’s Office (ICO) is placing a greater focus on website cookies and their compliance.

Cookies are small files that are downloaded onto the devices of website visitors. They enable a website to remember information regarding visitor activity on the site, such as the contents of shopping baskets. They are also commonly used to target advertising at website visitors depending on browsing history or other preferences.

Raj Shah, an Associate in the Data Protection team, said: “Website owners have been vigilant in meeting GDPR requirements but, in our experience, often overlook cookie policies and practice. Good cookie practice is crumbling leaving website owners open to sanctions.

“UK websites may only automatically place onto users’ devices cookies that are strictly necessary,  that is those essential for a website’s core functionality. Any other cookies can only be set if a website user gives consent, which must be freely given and easy to withdraw.

“In practice, cookies commonly set by websites, such as analytics cookies, social media plug-ins, adtech cookies, and cookies tracking interactions with marketing emails that link to webpages will need consent before they can be set. Once consent to those cookies has been obtained, website visitors must be able at any time to withdraw that consent as easily as they gave it.

“This means that pre-ticked boxes or sliders defaulted to ‘on’ in respect to non-essential cookies, pop-up banners that imply consent is given if visitors continue to browse, or ‘cookie walls’ requiring visitors to agree certain cookie settings before they can access content will be problematic for website owners.

“The ICO also takes a dim view of nudging techniques where, for example, an ‘accept all cookies’ button is much larger or brighter than one that allows visitors to reject certain cookies.”

With CNIL, the French privacy watchdog, having recently fined the supermarket chain Carrefour and its banking division over €3 million for failing to obtain users’ consent before setting advertising cookies, it is clear that cookie compliance is moving up the enforcement agenda for regulators.



You are contacting

Raj Shah

Senior Associate


    Please add your details and your areas of interest below

    Specialist sectors:

    Legal services:

    Other information:

    Jurisdictions of interest to you (other than UK):

    Article contributor


    Subscribe now
    ExpandNeed some help?Toggle

    Get in touch

    Get in touch using our form below.