ICO’s cookies enforcement strategy: what businesses need to know in 2025

The Information Commissioner’s Office (ICO) launched a new cookies enforcement strategy in the UK (January 2025). With significantly higher DUAA fines now in force and landmark fines being imposed across Europe, now would be a good time for businesses to review their website compliance to avoid costly penalties.

European enforcement

The CNIL has recently fined Shein €150 million for cookie breaches.

The French regulator carried out an inspection of the website "shein.com" and found that there had been a failure to comply with obligations regarding cookies under Article 82 of the French Data Protection Act. Article 82 implements the ePrivacy Directive rather than the GDPR, which gave the French regulator jurisdiction over the matter in relation to activity in France, even though the controller of the website is Irish.

Key findings

  • Failure to obtain user consent before placing cookies: several cookies, particularly with advertising purposes, were placed on the devices of users visiting "shein.com" as soon as they arrived on the website.
  • Incomplete information banners: two interfaces related to the management of cookies were displayed on "shein.com", but both were incomplete.
  • Insufficient second-level information: no information on the identity of third parties likely to place cookies was provided at this second level of information, accessible by clicking on the "Cookie settings" button.
  • Inadequate mechanisms for refusing and withdrawing consent: when a user visiting "shein.com" clicked on the "Refuse all" button in the banner, or when they decided to withdraw their consent to the registration of cookies on their device, new cookies were still placed and others, already present, continued to be read.

UK cookie compliance

Cookie compliance has often been overlooked in the UK, but the landscape has changed. The ICO’s renewed focus, combined with its ability to spot non-compliance simply by visiting a website, means PECR enforcement is now a genuine risk. Importantly, the recent increase in penalties under the Data Use & Access Act (DUAA) makes non-compliance potentially far more costly.

Key developments

1. ICO Enforcement 2025: Focus on Top UK Websites

The ICO has begun reviewing the top 1,000 UK websites for cookie compliance. Its first sweep of 200 sites revealed widespread issues, with 134 companies warned and given around 30 days to fix problems. Because tracking technologies are visible without investigation, this is one of the most straightforward areas for the regulator to enforce.

2. DUAA Fines Now Aligned with UK GDPR

Under previous rules, the maximum PECR fine was capped at £500,000. The DUAA has raised this ceiling dramatically: fines can now reach up to 4% of global annual turnover, the same level as UK GDPR sanctions. For larger organisations, this represents a major compliance risk.

3. Following CNIL’s Example

The ICO’s stance resembles the approach taken by CNIL in France, which has imposed significant sanctions for cookie non-compliance. The most recent case saw Shein fined €150 million (~$176 million) for placing cookies on devices even after users had opted out (Reuters, September 2025). This sets a strong precedent and signals that UK enforcement could follow suit.

4. Common Compliance Failures

The ICO has highlighted frequent issues, including:

  • Loading non-essential cookies before consent.
  • No clear “Reject All” option.
  • Pre-ticked boxes or implied consent.
  • Making it difficult (or impossible) for users to withdraw consent.

What this means for businesses

  • Cookie compliance in the UK is now high-risk – both financially and reputationally.
  • Enforcement is straightforward – if your website is not compliant, the ICO can detect this easily.
  • European precedent matters – with Shein fined in France, the risk of high-profile sanctions is real, and standards are converging internationally.
  • DUAA is reshaping UK data law – cookies are just the beginning; wider areas of data access and use will also attract scrutiny.

Practical steps to strengthen cookie compliance

  1. Conduct a cookies compliance audit – review all cookies, tracking scripts, and third-party integrations on your site.
  2. Update cookie banners – ensure users can clearly “accept” or “reject” cookies in line with UK best practice.
  3. Review privacy and cookie policies – make sure they are transparent, accurate, and easy to understand.
  4. Keep compliance records – document your approach to cookie management and data processing.
  5. Monitor ICO enforcement updates – stay informed on ICO enforcement 2025 activity and guidance.
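As an added example (not from the article, the ICO or the CNIL), a small Python audit helper that classifies cookie-jar snapshots from a browser run into the failure categories the CNIL findings above describe, and that step 1 of the practical steps calls for. The cookie names, the first-party host and the strictly-necessary allowlist are constructed for the example.

```python
from dataclasses import dataclass

# Constructed allowlist: cookies the operator documents as strictly necessary
# (session, CSRF token, the consent-state cookie). Everything else needs consent.
ESSENTIAL = {"sessionid", "csrftoken", "cookie_consent"}
SITE = "example-shop.test"  # constructed first-party host

@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # host that set it; third party if it is not SITE
    persistent: bool  # True if it carries a future Expires / Max-Age

def non_essential(jar):
    return {c.name for c in jar if c.name not in ESSENTIAL}

def audit(landing, after_refuse, after_withdraw):
    """Classify three cookie-jar snapshots (sets of Cookie) taken by a browser
    run: first load with no interaction, right after "Refuse all", and after
    withdrawing a previously given consent. Returns {category: sorted names}."""
    findings = {}
    pre = non_essential(landing)                     # set before any choice
    if pre:
        findings["placed_before_consent"] = sorted(pre)
    new = non_essential(after_refuse) - non_essential(landing)
    if new:                                          # set despite "Refuse all"
        findings["placed_after_refusal"] = sorted(new)
    # The jar alone cannot show a cookie being *read*; a persistent
    # non-essential cookie still present after withdrawal is the proxy used here.
    kept = {c.name for c in after_withdraw
            if c.name not in ESSENTIAL and c.persistent}
    if kept:
        findings["retained_after_withdrawal"] = sorted(kept)
    # Third-party setters that the second-level notice must name.
    third = sorted({c.domain for c in landing | after_refuse | after_withdraw
                    if c.domain != SITE})
    if third:
        findings["third_parties_to_disclose"] = third
    return findings

# Constructed snapshots reproducing the pattern described in the CNIL findings.
LANDING = {Cookie("sessionid", SITE, False), Cookie("_ad_id", "ads.tracker.test", True)}
AFTER_REFUSE = LANDING | {Cookie("cookie_consent", SITE, True),
                          Cookie("_retarget", "ads.tracker.test", True)}
AFTER_WITHDRAW = AFTER_REFUSE  # nothing was cleared when consent was withdrawn

if __name__ == "__main__":
    for category, names in audit(LANDING, AFTER_REFUSE, AFTER_WITHDRAW).items():
        print(f"{category}: {', '.join(names)}")
```

A compliant site produces an empty result: only allowlisted cookies at landing, no new non-essential cookies after "Refuse all", and nothing non-essential surviving withdrawal.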

Looking ahead

Cookies enforcement is just one strand of the ICO’s broader DUAA enforcement strategy. Given the ease with which the regulator can spot non-compliance, and the scale of recent fines in Europe, we expect cookie compliance in the UK to remain a priority throughout 2025 and beyond.

How we can help

We can advise on compliance with the relevant legislation and practical steps to ensure you are staying on the right side of the ICO, including advising on cookie use, consent mechanisms and cookie policies.

More broadly, we have launched BreachReddi with our partners Integrity360 (cyber security) and THREESIXTY (communications) – giving businesses an integrated solution to audit compliance with data privacy legislation and proactively assess internal governance frameworks with a focus on incident response.

Cyberattacks are on the rise – nearly 50% of businesses experienced a breach in the past year. The legal, reputational, and financial fallout can be catastrophic. A breach is no longer if, but when.

Is your organisation prepared? With BreachReddi it can be!
