July 2025
Is your cookie banner compliant?
As privacy concerns grow and regulations tighten, many UK businesses are rethinking how they handle cookies.
This post explains what cookies actually do, why the rules around them exist, and how your site can stay on the right side of the UK’s privacy laws. We’ll also look at what the ICO expects, along with some real examples of how well-known brands are putting these rules into practice.
This is based on the guidance available at the time of writing this post in July 2025. If you’re reading this at a later date, it’s worth checking the latest ICO updates to make sure you’re still compliant.
Why cookies matter
Cookies are small files downloaded to your browser when you visit a website. They do things like help a site remember your preferences, keep you logged in, or track what’s in your shopping basket.
From a business point of view, they’re essential for understanding how people use a site and for making improvements. Tools like Google Analytics depend on cookies to show where visitors came from, what pages they look at, and how long they stay.
For marketing teams, cookies enable targeted advertising. By tracking browsing habits, they let businesses show ads that match your interests, making ads more relevant for users and more effective for advertisers.
Who regulates cookies?
In the UK, it’s the Information Commissioner’s Office (commonly known as the ICO) that makes sure companies follow the rules. The laws themselves come mainly from the Privacy and Electronic Communications Regulations, along with the UK’s version of GDPR.
In recent years privacy laws have been getting stricter, and major browsers like Safari and Firefox have started blocking certain cookies by default. This has all meant that using cookies to collect data has become more challenging. As a result, many companies are looking for other ways to understand and reach customers, such as gathering more first-party data.
But for most businesses, cookies are still a key tool, so it’s more important than ever to handle consent properly.
What the ICO expects
The ICO is clear that users must give informed, active consent for any cookies that aren’t strictly necessary. Necessary cookies, like those that keep a site running (for example, cookies that remember what’s in your basket or keep you logged in), don’t need consent. But cookies used for things like analytics, advertising or personalisation do.
Consent has to be actively given. That means no pre-ticked boxes, no banners that say ‘by continuing you agree…’ and no designs that make it hard to say no. The options to accept or reject cookies should be equally easy to find and use. Your cookie banner should also link clearly to a policy that explains what cookies do, who gets the data, and how long they last.
So, what does this look like in practice? Let’s look at how some well-known UK brands handle cookie consent, and the different approaches they take to stay compliant - or, in some cases, where they fall short.
Taking no chances
BT follow the ICO guidance to the letter, with clear ‘Accept all’ and ‘Reject all’ buttons that are equally visible, leaving no doubt about the user’s options. There’s also a clear link to their cookie policy, explaining exactly what cookies they use and how, along with a ‘Manage cookie settings’ option so users can adjust their preferences at any time. Their approach is simple and firmly aligned with ICO guidance, keeping them fully compliant.
The gentle nudge
Some sites give users a gentle nudge towards the accept button, by making it stand out with a high-contrast colour. Sainsbury’s does this. It’s a fairly common approach for businesses that rely on cookies for operational or marketing reasons, and it’s generally seen as fine, as long as there’s also a visible, easy-to-access reject option. If you take this approach, just be careful the design doesn’t push things too far, or it could risk falling short of the ICO’s standards.
Keeping it on-brand
Some websites use their cookie banners to showcase their brand voice. This works especially well for brands with a fun or playful side, adding personality and humour while still staying fully compliant. Nando’s is a great example of this. Their messaging makes the consent request feel less formal and more approachable, helping users feel at ease while still giving clear choices and information about their use of cookies. They even highlight the positives cookies bring to the user, like making their experience on the website even better.
What not to do…
What definitely isn’t acceptable anymore is only giving users the option to accept cookies, without a clear and obvious way to reject them. This forces people to dig around elsewhere just to exercise their choice. Surprisingly, despite the ICO’s clear requirements, many websites still don’t comply, including some from major brands. The international advertising agency McCann, for example, currently uses an outdated approach that fails to offer a clear, informed choice, falling short of what the ICO expects nowadays.
Staying compliant
The simplest way to stay compliant, and show users you value their privacy, is to be upfront. Give people a genuine, clear choice between accepting and rejecting cookies, avoid hidden options or design tricks, and explain exactly what’s happening with their data. The approaches used by BT and Nando’s are great examples: they’re transparent, easy to understand, and aligned with each brand’s voice.
Respecting privacy isn’t just about following the rules or steering clear of fines. It signals that you care about your customers and take data protection seriously… something that can build loyalty and strengthen your brand reputation.