ICO threatens enforcement action against websites with 'harmful' cookie banners


The UK’s Information Commissioner’s Office (ICO) has called for an end to website design practices that it claims could harm users.

The regulator has singled out cookie consent banners as an example of where it will take action if it believes that consumers are being affected by harmful design. It went on to state that it would take enforcement action where it felt design choices would lead to risk or harm.

It said: “The ICO will be assessing cookie banners of the most frequently used websites in the UK and taking action where harmful design is affecting consumers”.

Cookie consent banners made an appearance in response to GDPR requirements. Their purpose is to give users a choice regarding the usage of cookies on a website.

A joint paper, set out in conjunction with the Competition and Markets Authority (CMA), has documented how design practices can affect choice and control over personal information.

The design practices worrying the authorities include default settings - where a user must take active steps to change a predefined choice - and bundled consent - where a user is asked for consent for multiple purposes via a single option.

Defaults are among the strongest practices influencing user behavior, according to the ICO and CMA. This is because they require less effort from the user than making an active choice, and they imply a recommendation by the company or an indication that most users would choose them.

The ICO’s concerns relate to Article 25 of the UK GDPR, which requires a ‘data protection by design’ approach to the processing of personal data. Although a ‘default off’ approach is not mandated, not requiring the user to actively consent to more intrusive behavior will likely attract attention.




Similarly, the CMA worries that the use of defaults could lead to users making choices not in their best interests, for example, inadvertently enrolling into auto-renewing subscription plans.

Other practices causing concern include “harmful nudges,” where it is made easy for a user to make a poor choice, alongside “sludge,” where sites make it difficult for a user to select the option they wish. 

The ICO warned that the practice infringed fairness and transparency regulations, although it accepted that “nudges” could also be beneficial to users in steering them through to good decisions, and that friction or “sludge” could also be useful if implemented to ensure a user understands the consequences of their action - for example, validating a bank transfer.

Finally, ‘confirmshaming’ and ‘biased framing’ were also singled out for criticism.

Confirmshaming is where 'good' and 'bad' choices are presented, and the user is therefore made to feel guilty or embarrassed for not choosing the company’s preferred option. Biased framing is where choices are presented in a manner that emphasizes the supposedly positive outcome of a given selection.

Richard Speed
Staff Writer
