Cookie compliance has become a renewed focus for regulators in 2025. In the UK, the Information Commissioner's Office (ICO) has begun fresh inspections into the use of cookies across major websites, while in the U.S., state privacy laws continue to define requirements through an opt-out approach. Organisations risk both legal and reputational damage if their cookie management practices fall short of the latest requirements. In this blog, we look at recent enforcement activities and set out what privacy teams should prioritise to remain compliant.
UK cookie compliance enforcement
The ICO started a fresh round of cookie compliance inspections earlier this summer, focusing on the top 1,000 websites in the UK, a significant expansion of its enforcement activity. This follows its statement in January 2025 that it was concerned about widespread non-compliance with the Privacy and Electronic Communications Regulations (PECR) cookie guidelines and the UK GDPR. The ICO is reviewing whether non-essential cookies are placed before valid user consent is obtained, whether cookie banners offer a genuine option to reject non-essential cookies that is as easy to select as accepting them, and whether businesses can demonstrate clarity and responsiveness in their cookie policies.
Consent must be explicit, informed and freely given. Pre-ticked boxes or implied consent statements are invalid. One of the main areas of complaint is non-essential cookies being fired without consent, or the purpose of the cookies not being clearly disclosed, especially where tracking or profiling is occurring. Since June 2025, the UK Data (Use and Access) Act (DUAA) has added further nuance. Under Schedule 12, low-risk cookies such as analytics or functionality cookies no longer require prior consent, provided users are clearly notified and given a right to object.
U.S. cookie compliance enforcement
In the United States, there is no federal law that specifically regulates the use of cookies on websites. However, several state-level privacy laws have been enacted, imposing specific requirements on businesses regarding cookie consent and the handling of personal data. Key among these is the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), as well as laws in Virginia, Colorado, Connecticut and Utah. These laws typically apply where companies meet thresholds relating to revenue, data volumes or reliance on data sales.
In the U.S., all current data privacy laws follow an opt-out consent model. Businesses do not have to obtain prior user consent to use cookies on their websites to collect personal data, but consumers retain the right to opt out of processing for targeted advertising, profiling or data sales. The CCPA requires "symmetry of choice," ensuring that privacy-protective options are no more difficult to select than less protective ones.
What privacy teams should do
Privacy teams should not wait to be part of a regulatory inspection. Key actions include:
- Reviewing cookie banners and mobile app consent mechanisms to ensure equal choice and transparency
- Revising privacy notices to reflect DUAA changes in the UK and state-level opt-out rights in the U.S.
- Documenting decisions around low-risk cookies and maintaining records that demonstrate compliance with both regimes
Beyond these steps, privacy teams should also prepare evidence that concerns raised by users are being acted upon. This includes tracking complaints, updating cookie policies when practices change, and keeping records of how cookie settings are tested for accessibility. For organisations with operations across both the UK and the U.S., it is especially important to coordinate approaches and avoid fragmented compliance. Ultimately, taking a proactive, well-documented stance will help demonstrate accountability and reduce exposure to regulatory or reputational risk.
Why cookie compliance matters beyond the legal risk
While legal and reputational risks are key drivers for compliance, there is a more fundamental reason to get it right: data dignity. This is the principle that individuals have an inherent right to control their personal information. When companies use non-compliant cookie practices, such as placing non-essential cookies without explicit consent or making it difficult to reject them, they are not just violating relevant regulations; they are also undermining trust. By adopting a user-centric approach to cookies, organisations demonstrate respect for their users' data dignity, building a foundation of trust that is essential for long-term success.
Looking ahead
Cookie compliance will continue to attract attention on both sides of the Atlantic, with regulators expecting organisations to embed transparency and user control. Businesses that address these requirements early will reduce the risk of enforcement and strengthen trust with their users.
HewardMills offers support to organisations navigating these developments by providing guidance on evolving regulatory requirements, helping privacy teams update cookie practices, and preparing for inspections or enforcement actions.