The regulatory and commercial landscape around cookies is shifting again. In the UK, policymakers are increasingly open to “less privacy intrusive” technologies, creating new opportunities for businesses to use analytics and functionality cookies in a more proportionate way. At the same time, the ICO is intensifying its scrutiny of online tracking, making it clear that any flexibility must be balanced with robust governance and transparency. Across the Channel, the EU has abandoned its flagship ePrivacy Regulation, leaving divergence more entrenched than ever. For organisations, the challenge is not only keeping pace with legal change, but also seizing the scope for more user-friendly, commercially viable approaches in the UK while managing stricter EU requirements.
ICO consultations on cookies
The ICO’s two consultations in July 2025 sit at the centre of this evolving picture, setting the tone for how flexibility and enforcement will be balanced. These consultations mark a pivotal moment in the UK’s cookie regime. They are not simply housekeeping updates: together they set out the ICO’s vision for a more balanced, risk-based regulatory model, albeit with sharper enforcement tools behind it.
1. Risk-based advertising models
The first consultation explores whether certain low-risk online advertising practices could proceed without prior consent under PECR. This represents a significant shift in tone: the ICO is openly questioning whether the current “all-or-nothing” consent regime is sustainable in a digital economy where consent fatigue is undermining both user trust and compliance quality.
- In its consultation the ICO focusses on the utility of cookies versus their intrusiveness, in particular whether aggregated measurement, fraud prevention, or contextual ads may actually present limited privacy risks if implemented transparently.
- Crucially, the ICO is not drawing the boundaries itself at this stage; it is asking industry to make the case. This places the onus on businesses to evidence which models are genuinely “low risk” and what safeguards they can offer.
- The subtext is clear: if industry does not provide credible proposals, the ICO is unlikely to relax the current consent baseline.
2. Updated storage and access guidance
The second consultation introduces a new chapter to the ICO’s updated guidance on storage and access technologies, aligning it with the changes made under the Data (Use and Access) Act 2025 (DUAA). While framed as guidance, its function is more strategic:
- It will provide the ICO’s enforcement roadmap for how exceptions under DUAA will be interpreted in practice
- It signals greater focus on accountability, requiring organisations to be able to show their reasoning for classifying cookies as exempt
- It also raises questions about the liability of adtech intermediaries (“instigators”), widening the scope of organisations that must prepare for scrutiny, something that aligns with changes under the DUAA
These consultations should not be read as an “open door” to more permissive tracking. Rather, they are an invitation to co-design a more proportionate framework. Businesses that engage constructively now, by presenting evidence, proposing safeguards, and piloting privacy-preserving approaches, will be better placed to influence the standards that the ICO adopts. Conversely, those who wait risk finding themselves boxed into a regime shaped by others, with little flexibility left.
The bottom line: these consultations are the closest the UK has come in years to recalibrating the cookie regime. The next six months will define not only how consent works in practice, but also how “acceptable” online tracking is framed in the UK for the next five years.
Impact of DUAA and PECR changes
While the consultations look ahead, the DUAA has already brought the most significant reshaping of the UK’s cookie rules since PECR’s inception. It simultaneously creates modest breathing room for businesses in low-risk scenarios while raising the stakes on enforcement and accountability.
1. Narrow exceptions
The DUAA amends Regulation 6 of PECR to permit certain categories of cookies without prior consent, notably:
- First-party analytics cookies used solely for statistical insights
- Functional cookies that enhance user experience (e.g. remembering settings), and
- Strictly necessary cookies that enable core site functionality
These exceptions are deliberately tight. They require:
- Full transparency (users must still be clearly informed)
- Genuine opt-out mechanisms, and
- Strict purpose limitation (no secondary use for profiling or advertising)
This is less a “relaxation” than a recalibration. Businesses that use these exceptions responsibly may reduce friction for users, but any attempt to stretch definitions risks enforcement.
2. Tougher enforcement
The DUAA also upgrades PECR’s enforcement muscle:
- Penalty alignment with UK GDPR: fines of up to £17.5m or 4% of global turnover
- Expanded investigative powers: the ICO can compel interviews, demand audits, and issue stop orders
- Accountability requirements: organisations must evidence how and why they rely on exceptions, with documentation expected to stand up to audit
This is a clear signal that the ICO wants to move from reactive complaint-driven enforcement to proactive, systemic oversight.
3. Wider liability
Perhaps the most underappreciated change is the extension of responsibility to those who “instigate” storage or access: adtech intermediaries, affiliates, and other ecosystem players who trigger cookie deployment. This significantly broadens the compliance perimeter:
- Vendors and intermediaries can no longer assume liability rests solely with the website operator
- Contractual allocation of responsibility (e.g. in DSP/SSP or publisher agreements) will need to be revisited
- Multinational players will need to ensure group-wide policies reflect this wider scope
The DUAA is a double-edged sword: modest flexibility on one side, and materially higher enforcement ceilings on the other. For businesses, the strategic opportunity lies in:
- Simplifying user journeys by responsibly deploying low-risk cookies without consent
- Demonstrating governance maturity by documenting risk assessments, updating records of processing, and revisiting vendor contracts, and
- Proactively managing enforcement risk by building an auditable compliance trail
Put simply: the DUAA offers the possibility of a lighter touch for well-governed organisations, but significantly raises the cost of getting it wrong. The businesses that will benefit most are those that use the exceptions sparingly and transparently, while preparing for scrutiny of their broader adtech ecosystem.
ICO’s online tracking strategy update
If the DUAA represents the legislative framework, the ICO’s 2025 online tracking strategy shows how that framework will be enforced in practice, making it clear that cookies and tracking remain at the heart of its regulatory agenda. The strategy is not just about banners and notices; it reflects the regulator’s ambition to reshape the digital advertising ecosystem itself, centred on “a fair and transparent online world” where users exercise meaningful control over tracking.
1. Expanded compliance monitoring
The ICO will now extend its monitoring to the top 1,000 UK websites, checking that non-essential cookies only load after clear consent and that reject options are easy to use. This follows the improvements seen after monitoring the top 200 websites. It is a scale-up that signals a shift from symbolic enforcement to systemic oversight. The key expectations are:
- Consent must be genuinely informed, simple to give or refuse, and granular by purpose
- “Reject all” options must be as prominent as “accept all”, and
- Cookies should not load before consent is obtained, except where strictly necessary
This creates a much higher baseline of compliance, particularly for publishers who may have relied on less prominent reject options or complex layered banners.
2. Endorsement of privacy-preserving models
The ICO continues to encourage industry to move away from surveillance-based profiling toward:
- Contextual advertising, where ads are aligned to content rather than user history, and
- On-device or aggregated measurement, which minimises personal data use
This reflects the regulator’s willingness to support innovation, but only where it can be shown to reduce risks to individuals. Businesses that pivot early to such models may find regulators more supportive and enforcement risks reduced.
3. Clarification on consent-or-pay
The ICO is scrutinising models where users choose between consenting to tracking or paying for ad-free services. Its position:
- Choice must be genuine, not manipulative or coercive
- Paid alternatives must be realistic and fairly priced, and
- Consent must remain as valid and revocable as in other contexts
This effectively sets boundaries for publishers considering these models, while leaving space for compliant, user-friendly implementations.
4. Engagement with consent management platforms (CMPs)
By working directly with CMP providers, the ICO is targeting the infrastructure that underpins consent collection at scale. The message is clear: defaults must embed compliance, not nudge users toward acceptance. This raises the compliance bar across the market, and may create competitive advantage for CMPs that deliver genuinely user-friendly solutions.
The ICO’s strategy is about moving the market, not just issuing fines. By scaling monitoring, shaping CMP behaviour, and setting expectations on ad models, the ICO is signalling that it wants to influence the architecture of online advertising itself.
For businesses, the implications are significant:
- Publishers and advertisers should prepare for closer scrutiny of banners, consent flows and defaults
- Adtech vendors and CMPs must anticipate regulatory expectations and design compliance into their systems
- Those who adopt contextual and privacy-first models early may gain regulatory goodwill, and possibly a competitive edge in user trust
The ICO is no longer focused on fixing the symptoms of non-compliance; it is trying to rewire the system. Businesses that treat this as an opportunity to innovate within a privacy-preserving framework will be better positioned than those who merely aim to stay on the right side of enforcement.
Contrasting with the EU’s Approach
While the UK is moving toward a more measured, innovation-friendly model underpinned by tougher enforcement, the EU’s position is notably different. The formal withdrawal of the ePrivacy Regulation in February 2025 leaves Europe with the 2003 ePrivacy Directive as its foundation, a regime often criticised as outdated, fragmented and poorly aligned with today’s digital economy. Against this backdrop, the UK’s DUAA-driven reforms stand out, creating a growing divergence in approach.
| Aspect | UK (DUAA & PECR) | EU (ePrivacy Directive) |
| --- | --- | --- |
| Consent exceptions | Narrow carve-outs for low-risk analytics and functional cookies without consent, with transparency and opt-outs | All non-essential cookies (including analytics) require explicit prior consent |
| Enforcement | GDPR-level fines (up to £17.5m / 4% global turnover); proactive ICO monitoring of top 1,000 websites | Lower fines; fragmented, DPA-led enforcement with inconsistent priorities across Member States |
| Reform agenda | DUAA reforms already enacted; ICO consultations shaping a risk-based consent model | ePrivacy Regulation abandoned; no clear EU-level reform timeline |
| Industry impact | Potential to streamline analytics/UX cookies and develop proportionate “privacy-preserving” adtech models | Continued need for broad consent banners; little scope for proportionate approaches |
Why does this matter?
- The UK is positioning itself as more pragmatic, offering businesses a chance to design user journeys with less friction where risks are low. This could make UK-based services feel more seamless for users, provided organisations can demonstrate compliance.
- The EU’s reliance on the Directive entrenches strict consent for all non-essential cookies, even in scenarios that the UK now treats as low-risk. That means multinational organisations face dual compliance obligations, with the EU remaining the stricter jurisdiction.
- Divergence also increases operational complexity: businesses may need geolocation-based consent tools, dual compliance frameworks, or risk adopting the EU’s stricter standards globally for simplicity.
The withdrawal of the ePrivacy Regulation is more than a missed reform opportunity; it signals regulatory inertia at the EU level, in contrast to the UK’s willingness to recalibrate. For organisations, this creates both risk and opportunity:
- Risk, because compliance teams must maintain parallel regimes, raising cost and complexity
- Opportunity, because the UK’s more balanced approach may allow businesses to innovate with analytics, user experience and contextual advertising in ways that remain off-limits in the EU
The strategic challenge will be deciding whether to optimise separately for the UK and EU, leveraging UK flexibility to improve user experience, or to default to the EU’s stricter model globally for efficiency. Each path has implications for risk appetite, customer trust and commercial design.
However, the overarching message is clear: divergence is no longer theoretical; it is here. Businesses that treat the UK as a regulatory “sandbox” for proportionate, privacy-preserving models may gain a competitive edge, but only if they manage the operational burden of EU compliance in parallel.
This burden was brought into sharp focus by the recent fines issued by the CNIL to Google of EUR 325 million and SHEIN of EUR 150 million, for failure to collect appropriate consent for the placement of cookies [1].
What you should do now
Against this backdrop, what should businesses be doing now to balance opportunity with compliance?
- Engage with the consultations: Industry voices will shape the ICO’s final position; silence risks stricter default rules
- Audit your cookies and vendors: Classify which uses might qualify under DUAA’s new exceptions, and document risk assessments
- Revisit banners and CMPs: Ensure reject options are as clear as accept, and that default settings reflect current ICO expectations
- Plan for divergence: Build strategies for dual compliance across UK and EU markets, rather than chasing a one-size-fits-all model
- Align with ICO priorities: Anticipate heightened scrutiny of large platforms, advertising networks, and consent-or-pay models
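The consent expectations set out above (granular by purpose, “reject all” as prominent as “accept all”, no non-essential cookies before consent) and the divergence between the UK exceptions and the EU Directive can be expressed as a single policy check that a site or CMP can run before setting a cookie, and again as an audit over whatever is already in the browser’s cookie jar. The following is an added example written for this article, not code from the ICO, any CMP or any named project; the category names, the cookie inventory fields (`category`, `purposes`, `thirdParty`), the two-region policy table and the sample cookies are all constructed assumptions that condense the article’s description of DUAA/PECR and the ePrivacy Directive, not a legal classification.

```javascript
// Added example (not the article's or any project's code). Jurisdiction-aware
// consent gate plus a pre-consent cookie audit. Categories, policy table and
// sample inventory are constructed assumptions based on the article.

const CATEGORIES = ['strictly_necessary', 'functional', 'analytics', 'advertising'];

// Categories each regime lets a site set without prior consent (assumption
// condensed from the article: UK carve-outs for functional/analytics; EU none).
const EXEMPT_WITHOUT_CONSENT = {
  UK: new Set(['strictly_necessary', 'functional', 'analytics']),
  EU: new Set(['strictly_necessary']),
};

// Does this cookie need prior consent in this jurisdiction? Unknown regions
// fall back to the stricter EU rule. The UK exceptions are narrow: first-party
// only, and no secondary use (an analytics cookie also used for ads loses it).
function consentRequired(jurisdiction, cookie) {
  const exempt = EXEMPT_WITHOUT_CONSENT[jurisdiction] || EXEMPT_WITHOUT_CONSENT.EU;
  if (cookie.category === 'strictly_necessary') return false;
  if (!exempt.has(cookie.category)) return true;
  if (cookie.thirdParty) return true;
  if (cookie.purposes.some((p) => p !== cookie.category)) return true;
  return false;
}

// Per-purpose consent state. acceptAll and rejectAll are symmetric one-step
// actions; an undecided state (banner not yet answered) grants nothing.
class ConsentState {
  constructor() { this.choices = {}; }
  acceptAll() { for (const c of CATEGORIES) this.choices[c] = true; }
  rejectAll() { for (const c of CATEGORIES) this.choices[c] = c === 'strictly_necessary'; }
  setPurpose(category, allowed) { this.choices[category] = allowed; }
  allows(category) { return this.choices[category] === true; }
  optedOut(category) { return this.choices[category] === false; }
}

// Gate called before any cookie is written. Exempt cookies are on by default
// but must still honour an explicit opt-out; everything else needs a prior yes.
function maySetCookie(jurisdiction, cookie, consent) {
  if (cookie.category === 'strictly_necessary') return true;
  if (consentRequired(jurisdiction, cookie)) return consent.allows(cookie.category);
  return !consent.optedOut(cookie.category);
}

// Audit: given the cookie names found in the jar (in a browser, parsed from
// document.cookie and mapped back to the site's inventory), list those that
// should not be present under the current consent state. Unknown cookies are
// flagged too, since they cannot have been justified in the inventory.
function auditJar(jurisdiction, inventory, presentNames, consent) {
  const violations = [];
  for (const name of presentNames) {
    const cookie = inventory.find((c) => c.name === name);
    if (!cookie) { violations.push({ name, reason: 'not in inventory' }); continue; }
    if (!maySetCookie(jurisdiction, cookie, consent)) {
      violations.push({ name, reason: `${cookie.category} cookie set without valid consent` });
    }
  }
  return violations;
}

// Banner layout check: "reject all" is only as prominent as "accept all" if it
// sits on the same layer of the banner (not hidden behind "manage settings").
function rejectAsProminentAsAccept(banner) {
  const layerOf = (id) => (banner.buttons.find((b) => b.id === id) || {}).layer;
  const reject = layerOf('reject_all');
  return reject !== undefined && reject === layerOf('accept_all');
}

// Constructed sample inventory (hypothetical cookie names).
const INVENTORY = [
  { name: 'session_id', category: 'strictly_necessary', purposes: ['strictly_necessary'], thirdParty: false },
  { name: 'ui_theme', category: 'functional', purposes: ['functional'], thirdParty: false },
  { name: '_site_stats', category: 'analytics', purposes: ['analytics'], thirdParty: false },
  { name: '_stats_and_ads', category: 'analytics', purposes: ['analytics', 'advertising'], thirdParty: false },
  { name: '_vendor_ads', category: 'advertising', purposes: ['advertising'], thirdParty: true },
];

// Usage: audit a page that set all five cookies before the banner was answered.
const ALL_NAMES = INVENTORY.map((c) => c.name);
console.log('UK pre-consent violations:', auditJar('UK', INVENTORY, ALL_NAMES, new ConsentState()));
console.log('EU pre-consent violations:', auditJar('EU', INVENTORY, ALL_NAMES, new ConsentState()));
```

Run as is, the UK audit flags only the analytics cookie with a secondary advertising purpose and the third-party advertising cookie, while the EU audit flags every non-essential cookie; the same inventory and the same gate produce both answers, which is the dual-compliance model the article recommends rather than two separate code paths. The `rejectAsProminentAsAccept` check is deliberately structural: it tests where the reject control sits, not how it is styled, so it can be applied to a CMP configuration without rendering the banner.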
Final thoughts
The message from 2025’s developments is clear: the era of “tick-box” cookie compliance is over. Regulators are testing new models that reward proportionate, transparent practices, but with tougher penalties for those who fall short. Organisations that lean into this shift, by embedding privacy-preserving technologies and shaping policy through engagement, will not only reduce compliance risk but also strengthen user trust at a time when it is increasingly a commercial differentiator.
[1] Cookie regulation: the CNIL is continuing the action plan initiated in 2019 and has imposed two fines on SHEIN and GOOGLE | CNIL