UK cookie consent and online tracking statistics — how many websites pass the ICO's cookie checks, how many businesses set cookies, how UK adults respond to "consent or pay", and how the Data (Use and Access) Act 2025 has rewritten the PECR cookie rules, all sourced from official data.
Cookie banners are the most visible piece of data protection law that ordinary internet users meet every day, yet reliable numbers on them are scattered. This page pulls the key figures together from four official sources: the Information Commissioner's Office (ICO) cookie-compliance sweep of the UK's top 1,000 websites, the ICO's Public Attitudes to Information Rights (PAIR) Survey 2025, the government's UK Business Data Survey 2026, and the Data (Use and Access) Act 2025, whose PECR cookie provisions came into force on 5 February 2026.
Key facts and figures
- Over 95% of the UK's top 1,000 websites had passed the ICO's cookie-compliance checks by the time of testing (December 2025).
- 979 of 1,000 top websites passed the ICO's most recent checks — leaving only 21 still failing.
- c.40 million UK internet users aged 14+ — around 80% — were given more control over tracking as a result of the action (December 2025).
- 60% of cookie-related concerns received by the ICO in 2024 were about the lack of any way to reject non-essential tracking.
- 12% of UK businesses that handle personal data and run a website acquired personal data via cookies in 2025–26.
- 37% of UK adults typically accept free access with personalised ads when shown a "consent or pay" choice; just 7% pay to opt out (2025).
- £17.5m or 4% of global turnover — the new maximum PECR fine from 5 February 2026, up 35-fold from £500,000.
- 3 new categories of cookie became exempt from prior consent on 5 February 2026 under the DUAA 2025.
Figures are the latest available as of July 2026. This page is refreshed on each ICO cookie-programme update (promised roughly twice a year, with the next update due in 2026), each annual UK Business Data Survey and ICO PAIR release, and as the first post-DUAA enforcement figures land.
How many UK websites comply with the ICO's cookie rules?
Over 95% of the UK's top 1,000 websites had met the ICO's cookie-compliance checks at the time of testing, the regulator confirmed in December 2025 — a dramatic improvement on where the programme began a year earlier. In precise terms, 979 of the top 1,000 sites passed the ICO's most recent assessment, leaving only 21 still failing.
The route to that headline number matters as much as the number itself. Of the compliant sites, 415 passed without any ICO intervention, while 564 improved only after direct ICO engagement — meaning well over half of the top 1,000 needed a nudge from the regulator to get their banners right. The ICO issued 17 preliminary enforcement notices during the sweep and says it is continuing action against the 21 sites that remain non-compliant.
| Outcome of the top-1,000 sweep | Number of sites | Period |
|---|---|---|
| Passed compliance checks | 979 | December 2025 |
| — of which, passed with no ICO intervention | 415 | December 2025 |
| — of which, improved after ICO engagement | 564 | December 2025 |
| Still failing / under continued action | 21 | December 2025 |
| Preliminary enforcement notices issued | 17 | During the sweep |
This top-1,000 exercise is unusual: no other UK regulator publishes a site-by-site pass rate for a specific data protection requirement, which is exactly why the figure is so widely cited. It began as a top-200 review and was scaled up to 1,000 over 2025.
How did the ICO's cookie sweep scale up?
134 is the number to remember from the start of the campaign. Before expanding to the top 1,000, the ICO had already assessed the top 200 UK websites and communicated concerns to 134 of those organisations — evidence that non-compliance was the norm, not the exception, when the work began in January 2025.
The programme was efficient by design because the market is concentrated. The ICO engaged the consent-management platforms (CMPs) that supply consent banners to nearly 80% of the top 500 UK websites, so fixing a handful of vendor defaults cascaded across hundreds of sites at once. The single biggest outcome the ICO claims from the whole campaign is a human one: the action gave an estimated 80% of UK internet users aged 14 and over — around 40 million people — greater control over how they are tracked for personalised advertising.
What were users actually complaining about?
60% of the cookie-related concerns the ICO received during 2024 referred to the same problem: the lack of any straightforward way to reject non-essential tracking. In other words, the dominant complaint was not that sites used cookies at all, but that "Accept all" was easy while "Reject all" was hidden, buried in sub-menus, or simply absent.
The ICO's own testing bore that out. When it examined the top 100 UK websites as part of its 2025 online-tracking strategy, around 30% were found setting advertising cookies without consent, or after consent had been refused — a direct breach of PECR. Those two figures, the 60% complaint theme and the 30% of top-100 sites, are what turned a policy concern into an enforcement campaign.
How many UK businesses use cookies to collect data?
12% of UK businesses that both handle personal data and run a website said they had acquired personal data using cookies in 2025–26, according to the government's UK Business Data Survey 2026 (fieldwork with 4,450 businesses, October 2025 to January 2026). Cookies are, in other words, a minority data-collection method across the economy as a whole — but that headline hides a steep gradient by size and sector.
Cookie and app-based tracking usage rises sharply with business size. Just 10% of sole traders and 13% of micro-businesses use it, against 40% of large businesses. By sector, the heaviest users are in information and communication, at 35% — unsurprising, given how much of that sector's revenue depends on advertising and analytics.
| Business group | Use cookies / app-based tracking | Period |
|---|---|---|
| Sole traders | 10% | 2025–26 |
| Micro businesses | 13% | 2025–26 |
| Small businesses | 16% | 2025–26 |
| Medium businesses | 21% | 2025–26 |
| Large businesses | 40% | 2025–26 |
| Information & communication sector (heaviest) | 35% | 2025–26 |
The practical takeaway for compliance teams: the businesses most exposed to PECR cookie rules are the largest and the most tech-focused — precisely the organisations the ICO's top-1,000 sweep was built to reach.
How do UK adults respond to "consent or pay"?
37% of UK adults say they typically accept free access with personalised ads and cookies when shown a "consent or pay" choice, according to the ICO's Public Attitudes to Information Rights Survey 2025 (n=8,019, fieldwork January–February 2025). By contrast, 19% leave the site rather than choose, and just 7% pay to remove personalised cookies. "Consent or pay" models — where a site offers a tracking-funded free tier alongside a paid, tracking-free tier — have become one of the most contested questions in UK and EU cookie policy, so how the public actually behaves is important evidence.
Understanding is thin. 42% of UK adults say that although they have some understanding of "consent or pay" options, they are not entirely sure what they mean. Only 19% feel genuinely informed and the same 19% feel in control, while 24% feel sceptical about the model. Those numbers frame a clear regulatory tension: a mechanism that most people do not fully understand is nonetheless steering the majority towards accepting tracking.
| UK adult response to "consent or pay" | Share | Period |
|---|---|---|
| Accept free access with personalised ads & cookies | 37% | 2025 |
| Leave the site | 19% | 2025 |
| Pay to remove personalised cookies | 7% | 2025 |
| Have some understanding but are unsure what it means | 42% | 2025 |
| Feel informed / feel in control | 19% / 19% | 2025 |
| Feel sceptical | 24% | 2025 |
What did the DUAA 2025 change for cookies?
Three new categories of cookie became exempt from prior consent on 5 February 2026, when the cookie provisions of the Data (Use and Access) Act 2025 came into force. The exempt categories are: aggregate first-party analytics; appearance and functionality preferences (such as remembering a chosen language or layout); and emergency-assistance or location cookies used to keep someone safe. Each still requires clear information to be given and a straightforward, free way to opt out — the change removes the up-front consent step, not the transparency obligation.
The other headline change is the penalty. The DUAA raised the maximum PECR fine for cookie and e-marketing breaches from £500,000 to £17.5 million or 4% of global annual turnover, whichever is higher — a roughly 35-fold increase that aligns PECR penalties with those under the UK GDPR. We keep the detailed penalty league tables on our GDPR fines statistics page; here it matters only as the rules-change data point that gives the cookie regime real teeth for the first time. For the practical banner and consent mechanics behind these numbers, see our UK cookie consent guide.
One boundary worth stating plainly: PECR also governs nuisance calls, spam texts and marketing emails, but those enforcement volumes are covered separately and are not part of this cookies-and-tracking page.
Frequently asked questions
How many UK websites comply with ICO cookie rules?
Over 95% of the UK's top 1,000 websites had passed the ICO's cookie-compliance checks by December 2025 — 979 of 1,000, with only 21 still failing. Of the sites that passed, 415 did so without any ICO intervention and 564 improved after direct engagement from the regulator.
What percentage of UK businesses use cookies to collect personal data?
According to the UK Business Data Survey 2026, 12% of businesses that handle personal data and run a website acquired personal data using cookies in 2025–26. Usage rises with size, from 10% of sole traders and 13% of micro-businesses to 40% of large businesses, and reaches 35% in the information and communication sector.
What are the new UK cookie rules under the Data (Use and Access) Act 2025?
From 5 February 2026, three new cookie categories are exempt from prior consent: aggregate first-party analytics, appearance and functionality preferences, and emergency-assistance or location cookies. Each still requires clear information and a free, easy opt-out. The Act also raised the maximum PECR fine to £17.5 million or 4% of global turnover.
What is the maximum fine for breaching UK cookie (PECR) rules?
Since 5 February 2026 the maximum PECR fine is £17.5 million or 4% of worldwide annual turnover, whichever is higher — up from the previous £500,000 cap, a roughly 35-fold increase introduced by the Data (Use and Access) Act 2025 to bring PECR into line with the UK GDPR.
Do most people accept cookies when asked?
When shown a "consent or pay" choice, 37% of UK adults typically accept free access with personalised ads and cookies, 19% leave the site, and just 7% pay to remove personalised cookies, according to the ICO's Public Attitudes to Information Rights Survey 2025 (n=8,019).
What did users complain to the ICO about most?
In 2024, 60% of cookie-related concerns received by the ICO were about the lack of any straightforward way to reject non-essential tracking. The ICO's own testing then found around 30% of the top 100 UK websites setting advertising cookies without consent or after it had been refused.
Related guides
- GDPR cookie consent in the UK: rules after the DUAA 2025
- GDPR Fines UK: ICO Fine & Enforcement Statistics
- ICO Complaints Statistics UK: Volumes, Outcomes & Response Times
- AI and Data Privacy Statistics UK
- GDPR consent and lawful basis: what UK organisations need to know
- What is GDPR? A UK guide to the General Data Protection Regulation
Sources & references
- Information Commissioner's Office — Action secures increased cookie compliance (top-1,000 sweep results, December 2025)
- Information Commissioner's Office — Action across the UK's top 1,000 websites (January 2025)
- Information Commissioner's Office — Our strategy for levelling the playing field for online tracking in 2025
- Information Commissioner's Office — Public Attitudes to Information Rights (PAIR) Survey 2025 (n=8,019)
- DSIT / DCMS — UK Business Data Survey 2026 (official statistics)
- Stevens & Bolton LLP — The Data (Use and Access) Act 2025: cookies, what is changing
- Mayer Brown — The Data (Use and Access) Act: PECR reform on electronic marketing and cookies
Cookie banners are only the visible edge of PECR and UK GDPR — make sure your team understands the whole picture with accredited online training.
Explore the GDPR & Data Protection Course →