Your Cookie Banner Is Probably Illegal (And That's a Product Problem)

In November 2023, the UK's data protection regulator, the Information Commissioner's Office (ICO), wrote to the operators of the country's 100 most-visited websites with a warning: fix your cookie banners or face enforcement. Eighteen months on, the banners that prompted those letters are mostly unchanged. "Reject All" is still buried, "Accept All" is still the loudest option, and the dark-pattern playbook the regulator explicitly called out is still the default across UK retail, news and advertising sites.
This isn't a story about lawyers. It's about who owns the cookie banner inside a company. In most organisations, the answer is: nobody.
The law is simpler than the consultancy decks make it look
UK cookie law sits in Regulation 6 of the Privacy and Electronic Communications Regulations (PECR). The rule is short. Before you store information on a user's device, or read information already stored there, you must do two things: tell the user clearly what you're doing and why, and obtain their consent. There are exactly two exemptions, and they're narrow.
The first is the communication exemption: cookies whose only purpose is to carry a message between user and server. Load balancing. Session routing. The technical plumbing that makes the request work.
The second is the strictly necessary exemption: cookies needed to deliver the service the user has explicitly asked for. The shopping cart that remembers what they're buying. The login that keeps them signed in. The fraud check that stops their order being hijacked.
Everything else needs consent: analytics, tracking, advertising, A/B testing tooling, social media pixels, and the "essential" cookies that turn out to be optional. Consent here has a precise definition, because PECR adopts the UK GDPR meaning of the word: it must be freely given, specific, informed and unambiguous, and indicated by a clear affirmative action.
That last clause is doing more work than most product teams realise. Before you assume you're covered, run every cookie your site sets through two questions: does it fall under one of the two exemptions (keeping items in a basket, staying logged in and completing a payment all qualify as strictly necessary), and if not, has the user made a clear affirmative choice to accept it?
If you don't know what cookies your site sets, that's its own problem, and a clue about why your banner isn't working.
What the ICO actually said
The 2023 letters were not ambiguous. The ICO's published position is plain: rejecting cookies must be as easy as accepting them. A banner with a prominent "Accept All" button and a "Manage Preferences" link that takes three clicks to find a "Reject All" toggle does not meet the bar. In 2024 the regulator went further, consulting publicly on so-called "consent or pay" models, the pattern where users either accept tracking or pay a subscription fee for access. The consultation itself is telling. The ICO is treating banner design as a UX surface, not just a legal artefact.
The European picture is harsher. The Court of Justice of the EU ruled in Planet49 (2019) that pre-ticked consent boxes are invalid, and EU data protection authorities have reinforced that position repeatedly. The Austrian privacy non-profit noyb has filed thousands of complaints across Europe specifically targeting cookie banners. The direction of travel is one-way.
Why most banners are still wrong
Because nobody on the product team owns them.
Cookie banners typically arrive in one of three ways. Legal hands a brief to engineering, who picks an off-the-shelf consent management platform (CMP) and configures it from the default templates. Marketing tweaks the visuals to match the brand. Or a third-party CMP (OneTrust, Cookiebot, Didomi) drops in a default that nobody fully reads. None of these workflows includes a product manager asking the question that matters: what experience do we want a returning user to have, and what proportion of them genuinely want to be tracked?
The result is a UX surface designed entirely by lawyers and vendors, optimised for nothing except minimising the time legal spends in review. That is how you end up with a banner whose default state breaks the law in four different ways at once.
Four rules a compliant banner has to follow
The ICO's expectations reduce to four design rules. They aren't suggestions.
1. Equal prominence
"Accept All" and "Reject All" must appear on the same screen, in the same visual weight. Different colours are fine. Different sizes, hierarchies or burying one behind a "Manage" menu are not.
2. No pre-ticked boxes
If the banner offers granular choices, every non-essential category must default to off. Pre-ticked checkboxes have not been valid consent under UK GDPR for years, and the ICO has been explicit about this since at least 2019.
3. Easy withdrawal
Withdrawing consent must be as simple as giving it. A persistent "Cookie Settings" link in the footer is the minimum bar. Forcing users to clear cookies manually is non-compliant.
4. Block before consent
Tracking scripts must not fire until the user has accepted. This is the rule most often broken. Many sites display a banner while Google Analytics, Meta Pixel and Hotjar have already loaded. The banner is, in that case, theatre.
The check is simple: open a fresh browser profile, load the page without touching the banner, and look in the developer tools at the cookies already set and the third-party requests already made. You'll know within a minute whether you have a problem.
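To make rules 2, 3 and 4 concrete, here is an added example of a minimal consent gate plus the pre-consent audit described above. It is written for this article and is not the code of any CMP or of the ICO; the category names, the list of strictly necessary cookie names and the script URLs are assumptions. It runs under Node with stubbed loader and expirer callbacks, and in a browser with the real ones at the bottom.

```javascript
// Added example (not a CMP's or the ICO's code): a consent gate that enforces
// rules 2, 3 and 4 above, and the pre-consent audit a reviewer would run.
// Category names, cookie names and URLs are illustrative assumptions.

// Only cookies covered by the PECR exemptions may exist before the user has
// made a choice. These names are assumed for illustration.
const STRICTLY_NECESSARY = new Set(['session_id', 'basket', 'csrf_token']);

// Rule 2: every non-essential category defaults to off.
function defaultConsent() {
  return { analytics: false, advertising: false, functional: false };
}

class ConsentGate {
  // loader(url) injects a <script>; expirer(name) deletes a cookie. Both are
  // injected so the gate runs without a DOM and can be stubbed in tests.
  constructor(loader, expirer) {
    this.consent = defaultConsent();
    this.decided = false;   // no choice made yet: nothing non-essential fires
    this.pending = [];      // tags waiting for consent (rule 4)
    this.loader = loader;
    this.expirer = expirer;
  }

  // Register a tag under a category; it loads only once that category is granted.
  register(category, url) {
    if (!(category in this.consent)) throw new Error(`unknown category: ${category}`);
    this.pending.push({ category, url });
    this.flush();
  }

  flush() {
    if (!this.decided) return;            // banner not answered yet: block
    const stillPending = [];
    for (const tag of this.pending) {
      if (this.consent[tag.category]) this.loader(tag.url);
      else stillPending.push(tag);
    }
    this.pending = stillPending;
  }

  // Rule 1 is a layout rule; the two buttons are the same one-step API.
  acceptAll() { this.setConsent({ analytics: true, advertising: true, functional: true }); }
  rejectAll() { this.setConsent({}); }

  setConsent(choices) {
    this.consent = { ...defaultConsent(), ...choices };  // unspecified => off
    this.decided = true;
    this.flush();
  }

  // Rule 3: withdrawal is one call. Scripts already loaded cannot be unloaded,
  // so withdrawal also expires every non-essential cookie currently set and
  // returns the names removed; on the next page load nothing re-fires.
  withdraw(currentCookieNames) {
    this.rejectAll();
    const removed = currentCookieNames.filter(n => !STRICTLY_NECESSARY.has(n));
    removed.forEach(n => this.expirer(n));
    return removed;
  }
}

// Cookie names from a document.cookie string ("a=1; b=2").
function cookieNames(cookieString) {
  return cookieString.split(';')
    .map(part => part.trim().split('=')[0])
    .filter(name => name.length > 0);
}

// The rule-4 check: cookies present before any click that are not strictly
// necessary are exactly the ones the banner failed to block.
function auditPreConsent(cookieString) {
  return cookieNames(cookieString).filter(n => !STRICTLY_NECESSARY.has(n));
}

// Browser wiring (not executed under Node).
function browserLoader(url) {
  const s = document.createElement('script');
  s.src = url;
  s.async = true;
  document.head.appendChild(s);
}
function browserExpirer(name) {
  document.cookie = `${name}=; Max-Age=0; path=/`;
}

// Demo under Node with stubbed callbacks; the URLs are placeholders.
if (typeof document === 'undefined') {
  const loaded = [], expired = [];
  const gate = new ConsentGate(u => loaded.push(u), n => expired.push(n));
  gate.register('analytics', 'https://example.invalid/analytics.js');
  gate.register('advertising', 'https://example.invalid/pixel.js');
  console.log('loaded before any click:', loaded);            // []
  gate.setConsent({ analytics: true });
  console.log('loaded after analytics only:', loaded);        // [analytics.js]
  const jar = 'session_id=x; _ga=y; _fbp=z';                  // constructed sample
  console.log('withdraw removed:', gate.withdraw(cookieNames(jar)));   // ['_ga','_fbp']
  console.log('pre-consent audit:', auditPreConsent(jar));             // ['_ga','_fbp']
}
```

The design point is that the gate, not the banner, decides whether a tag runs: the banner only calls `acceptAll`, `rejectAll` or `setConsent`, and a tag registered under a category the user has not granted stays queued. `auditPreConsent` is the same check as the developer-tools test above, written so it can run in a CI browser session against a fresh profile.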
What enforcement looks like now
The ICO's maximum fine under PECR is £500,000. Under UK GDPR it's the higher of £17.5 million or 4% of global turnover. To date, the ICO has not issued blockbuster fines for banner non-compliance. Most enforcement has been warning letters and quiet remediation. But the picture is shifting. Complaints are increasing, the regulator has been explicit about cookie design as an enforcement area, and the political climate around online tracking has hardened.
The bigger near-term risk for most companies isn't a fine. It's a reputational story. A journalist runs a piece on the UK's worst banners. Your site is on the list. The cookie banner becomes a board agenda item. The work to fix it before that happens costs maybe a sprint. The work to fix it after a public callout costs ten times that, plus trust.
Cookie consent is one of those areas where the legal and product worlds overlap awkwardly, and neither side fully owns the outcome. The fix is not more legal review. It's a product manager looking at the banner as a piece of the user experience and asking: what's the goal, who's the user, what happens if they say no and is the path to "no" actually available? Once you ask those questions, the compliant answer and the user-respectful answer turn out to be the same thing.

