Study Finds Many Major UK Websites May Be Setting Cookies Before User Consent

The UK’s privacy framework, anchored by the Privacy and Electronic Communications Regulations, obliges firms to obtain clear consent before dropping non‑essential cookies. While the ICO has historically focused on overt breaches, the rise of sophisticated tag‑management solutions has blurred the line between compliance and technical oversight. As regulators sharpen scrutiny, businesses that rely on third‑party analytics or advertising scripts must treat consent mechanisms as more than a visual banner; they need enforceable technical blocks that prevent any data collection until a user opts in.

ALT Agency’s methodology—clean‑browser testing across 200 sites—uncovered 1,731 cookies set before consent, with 670 falling into analytics or marketing categories. The sector‑specific results are striking: telecoms and news outlets exhibited near‑total non‑compliance, whereas banking, government portals and supermarkets showed comparatively disciplined practices. This disparity often reflects differing levels of investment in privacy engineering and the complexity of legacy systems. Companies with extensive third‑party integrations are especially vulnerable, as misconfigured tag managers can silently fire scripts despite a visible banner, undermining the very purpose of consent.

For organisations seeking to close the compliance gap, the path forward is both technical and procedural. Audits should map every cookie‑setting script, enforce conditional loading via consent‑management platforms, and regularly test in cookie‑free environments. Parallel legal reviews ensure that classifications align with the latest ICO guidance, which is itself evolving toward greater transparency expectations. Proactive remediation not only mitigates enforcement risk but also reinforces brand trust in an era where privacy is a competitive differentiator.