Every day, millions of British internet users encounter a cookie banner. Most click through it in under three seconds. That speed — that friction-induced compliance — is not accidental. It is, in many cases, precisely what the website's designers intended.
The uncomfortable truth about the UK's online consent landscape is this: a substantial number of websites are not asking for your permission to track you. They are manufacturing the appearance of permission while ensuring that genuine refusal is as difficult, confusing, or invisible as possible. This is not a grey area. It is, in most cases, unlawful.
What the Law Actually Requires
The legal framework governing cookie consent in the United Kingdom rests on two instruments: the Privacy and Electronic Communications Regulations 2003 (PECR), which specifically govern the use of cookies and similar tracking technologies, and the UK General Data Protection Regulation (UK GDPR), which governs the broader use of personal data.
PECR requires that, before setting any non-essential cookie — including analytics cookies, advertising cookies, and social media tracking pixels — a website must obtain the user's prior, informed consent. The Information Commissioner's Office (ICO), which enforces both PECR and UK GDPR in the United Kingdom, has been unambiguous about what this means in practice.
Consent must be:
- Freely given — meaning refusal must be as easy as acceptance, with no penalty for declining
- Specific — users must understand what they are consenting to
- Informed — sufficient information must be provided before consent is sought
- Unambiguous — consent cannot be inferred from silence, pre-ticked boxes, or continued browsing
The ICO published detailed guidance on this in 2019 and has updated it subsequently. The position is not ambiguous. Yet non-compliance remains endemic.
The Dark Patterns Deployed Against You
The term 'dark pattern' refers to a user interface design choice that manipulates users into taking actions they would not freely choose if presented with a genuinely neutral interface. In the context of cookie consent, several specific techniques are in widespread use across UK websites.
Pre-ticked boxes remain common despite being explicitly prohibited. If you arrive at a consent tool and certain categories of tracking are already selected as active, you are looking at an unlawful consent mechanism. Consent that is not actively given is not consent.
Asymmetric button design is perhaps the most pervasive technique. The 'Accept All' button is prominently displayed in a bright, inviting colour. The option to reject non-essential cookies, where it exists at all, is rendered in grey text, placed in a less prominent position, or buried within a 'Manage Preferences' sub-menu that requires multiple additional clicks. The ICO has stated clearly that the ease of accepting and refusing must be equivalent.
The missing reject option takes asymmetry to its logical conclusion. Some consent banners offer only 'Accept All' and 'Manage Preferences' at the top level — with no immediate 'Reject All' option. Users who do not know to navigate into the preferences panel, adjust each category individually, and save their choices will, by default, accept everything. This is not lawful consent.
Consent by scrolling or continued use — as in banners that state 'by continuing to use this site you agree to our use of cookies' — has been unlawful since the ICO's guidance was published. Continued use of a website does not constitute unambiguous consent.
Vague or misleading category descriptions obscure what users are actually agreeing to. Labels such as 'personalised content' or 'measurement' may sound benign but can encompass extensive cross-site behavioural profiling. Lawful consent requires that users understand, in plain language, what each category of tracking involves.
Identifying a Lawful Consent Request
A genuinely compliant cookie consent mechanism is, in practice, straightforward to recognise. It presents all options at the same level of prominence. It includes a clearly labelled 'Reject All' or equivalent option alongside 'Accept All' — not hidden behind additional menus. It does not pre-select any non-essential categories. It provides clear, accessible information about what each category of cookie does before asking for consent. And it does not penalise refusal by degrading the user experience in ways that are disproportionate or retaliatory.
Some of the UK's largest and most reputable organisations have invested in genuinely compliant consent management platforms. The BBC, for example, provides a prominent and clearly structured consent tool. When you encounter one that meets this standard, the difference is immediately apparent.
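Several of the patterns described above can be checked mechanically in a banner's markup. The following is an added example, not part of the original article: it flags pre-ticked non-essential categories, an accept option with no reject option at the same level, and consent-by-continued-use wording. The sample markup, the label keywords, the 'essential' category names and the use of a `hidden` panel to mean "not top level" are all assumptions, and visual asymmetry (colour, size, position) is not covered.

```python
import re
from html.parser import HTMLParser

# Constructed sample banner markup, not taken from any real site.
SAMPLE_BANNER = """<div><p>By continuing to use this site you agree to our cookies.</p>
<button>Accept All</button> <button>Manage Preferences</button>
<div class="preferences" hidden>
<input type="checkbox" name="essential" checked disabled> Essential
<input type="checkbox" name="analytics" checked> Analytics
<button>Reject All</button></div></div>"""

# Assumed heuristics: button wording and category names vary from site to site.
ACCEPT = re.compile(r"\b(accept|agree|allow)\b", re.I)
REJECT = re.compile(r"\b(reject|decline|refuse)\b", re.I)
IMPLIED = re.compile(r"\bby (continuing|scrolling|using)\b", re.I)
ESSENTIAL = {"essential", "strictly-necessary"}

class BannerParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.divs, self.buttons, self.preticked, self.text = [], [], [], []
        self.in_button = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        nested = bool(self.divs and self.divs[-1])  # inside a hidden sub-panel?
        if tag == "div":
            self.divs.append(nested or "hidden" in a)
        elif tag == "button":
            self.buttons.append([not nested])  # [at top level?, label parts...]
            self.in_button = True
        elif tag == "input" and "checked" in a and a.get("name") not in ESSENTIAL:
            self.preticked.append(a.get("name", "unnamed"))
    def handle_endtag(self, tag):
        if tag == "div" and self.divs:
            self.divs.pop()
        self.in_button = self.in_button and tag != "button"
    def handle_data(self, data):
        # Button text becomes part of the button's label; everything else is body text.
        (self.buttons[-1] if self.in_button else self.text).append(data.strip())

def audit_banner(html):
    """Return a list of findings for the dark patterns detectable in markup."""
    p = BannerParser()
    p.feed(html)
    top = [" ".join(b[1:]) for b in p.buttons if b[0]]  # labels shown at top level
    no_reject = any(map(ACCEPT.search, top)) and not any(map(REJECT.search, top))
    checks = [(p.preticked, "pre-ticked: " + ", ".join(p.preticked)),
              (no_reject, "no top-level reject option"),
              (IMPLIED.search(" ".join(p.text)), "consent implied by continued use")]
    return [msg for hit, msg in checks if hit]
```

An empty list means none of these three patterns was found in the markup, not that the banner is compliant.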
How to Report Non-Compliant Websites to the ICO
The ICO accepts reports of suspected PECR and UK GDPR violations through its online reporting tool at ico.org.uk/make-a-complaint. When reporting a non-compliant cookie consent mechanism, the following information strengthens your submission considerably:
- The URL of the website concerned
- A description of the specific dark pattern observed (pre-ticked boxes, no reject option, asymmetric design, etc.)
- Screenshots, if you are able to capture them, documenting the consent interface at the time of your visit
- The date and approximate time of your visit
The ICO does not investigate every individual complaint, but patterns of complaint against specific organisations do influence its enforcement priorities. In 2023, the ICO issued formal reprimands to several organisations over non-compliant cookie practices and has indicated that enforcement action against the most egregious offenders will continue.
You may also report concerns about specific consent management platform providers — the third-party tools that many websites use to manage their consent banners — as these providers bear their own responsibilities under UK GDPR.
Your Right to Withdraw Consent
If you have previously accepted cookies on a website — whether knowingly or through a manipulative interface — you have the right to withdraw that consent at any time. UK GDPR requires that withdrawal be as easy as the original grant of consent. Most compliant websites provide a mechanism to revisit your cookie preferences, typically accessible via a link in the site footer.
You can also clear existing cookies from your browser at any time through your browser settings, and configure your browser to block third-party cookies by default — though this does not resolve the underlying unlawful practices of non-compliant websites.
Doing It Right Online
The right to control your personal data is not a technicality. It is a substantive legal right, enshrined in UK law, that reflects a genuine societal interest in individual privacy. The fact that so many websites continue to undermine it through deliberate design choices is a governance failure — one that the ICO has the tools to address more aggressively than it has done to date.
As a consumer, understanding what lawful consent looks like is your most effective defence. When you encounter a banner that is designed to manipulate rather than inform, you are not obliged to accept it. You are entitled to report it. And doing so is, in the most literal sense, the right thing to do.