
UK’s Cookie Enforcement Campaign Brings 95% of Top Websites Into Compliance


Britain's data protection regulator issued 17 preliminary enforcement notices and sent warning letters to hundreds of website operators throughout 2025, a pressure campaign that brought 979 of the UK's top 1,000 websites into compliance with cookie consent rules and gave an estimated 40 million people (roughly 80% of UK internet users over age 14) greater control over how they are tracked for personalized advertising.

The Information Commissioner's Office announced Thursday that only 21 websites remain non-compliant, with enforcement action continuing against holdouts.

The campaign focused on three key compliance areas: whether non-essential advertising cookies were stored on users' devices before users could exercise choice to accept or reject them, whether rejecting cookies was as easy as accepting them, and whether any non-essential cookies were placed despite users not consenting.

Enforcement Threats Drive Behavioral Change

Of the 979 compliant sites, 415 passed testing without any intervention. The remaining 564 improved practices after initially failing, following direct engagement from the ICO. The regulator sent letters that underlined their compliance shortcomings, opened investigations when letters failed to produce changes, and issued preliminary enforcement notices in 17 cases.

"We set ourselves the goal of giving people more meaningful control over how they were tracked online by the end of 2025. I can confidently say that we have delivered on that promise," stated Tim Capel, Interim Executive Director of Regulatory Supervision.

The enforcement campaign began in January 2025 when the ICO assessed the top 200 UK websites and communicated concerns to 134 organizations. The regulator warned that uncontrolled tracking intrudes on private lives and can lead to harm, citing examples including gambling addicts targeted with betting ads due to browsing history or LGBTQ+ individuals altering online behavior for fear of unintended disclosure.


Industry-Wide Infrastructure Changes

The ICO engaged with trade bodies representing the majority of industries appearing in the top 1,000 websites and consent management platforms providing solutions to nearly 80% of the top 500 websites. These platforms made significant changes to ensure cookie banner options they provide to customers are compliant by default.

The action secured significant improvements to user experiences online, including greater prevalence of "reject" options on cookie banners and lower prevalence of cookies being placed before consent was given or after it was refused.

The regulator identified four main problem areas during its review: deceptive or missing choice where selection is preset, uninformed choice through unclear options, undermined choice where sites fail to adhere to user preferences, and irrevocable choice where users cannot withdraw consent.

Privacy-Friendly Advertising Exploration

The ICO committed to ongoing monitoring, stating that websites brought into compliance should not revert to previously unlawful practices believing violations will go undetected. "We will continue to monitor compliance and engage with industry to ensure they uphold their legal obligations, while also supporting innovation that respects people's privacy," Capel said.

Following consultation earlier in 2025, the regulator continues working with stakeholders to understand whether publishers could deliver privacy-friendly online advertising to users who have not granted consent where privacy risk remains low. The ICO works with government to explore how legislation could be amended to reinforce this approach, with the next update scheduled for 2026.

Under current regulations, violations can result in fines up to £500,000 under Privacy and Electronic Communications Regulations or up to £17.5 million or 4% of global turnover under UK GDPR. Beyond financial penalties, non-compliance risks reputational damage and loss of consumer trust as privacy-conscious users increasingly scrutinize data practices.


French Regulator Fines Vanity Fair Publisher €750,000 for Persistent Cookie Consent Violations


France's data protection authority discovered that when visitors clicked the button to reject cookies on Vanity Fair (vanityfair[.]fr), the website continued placing tracking technologies on their devices and reading existing cookies without consent, a violation that now costs publisher Les Publications Condé Nast €750,000 in fines six years after privacy advocate NOYB first filed complaints against the media company.

The November 20 sanction by CNIL's restricted committee marks the latest enforcement action in France's aggressive campaign to enforce cookie consent requirements under the ePrivacy Directive.

NOYB, the European privacy advocacy organization led by Max Schrems, filed the original public complaint in December 2019 concerning cookies placed on user devices by the Vanity Fair France website. After multiple investigations and discussions with CNIL, Condé Nast received a formal compliance order in September 2021, with proceedings closed in July 2022 based on assurances of corrective action.

Repeated Violations Despite Compliance Order

CNIL conducted follow-up online investigations in July and November 2023, then again in February 2025, discovering that the publisher had failed to implement compliant cookie practices despite the earlier compliance order. The restricted committee found Les Publications Condé Nast violated obligations under Article 82 of France's Data Protection Act across multiple dimensions.

Investigators discovered cookies requiring consent were placed on visitors' devices as soon as they arrived on vanityfair.fr, even before users interacted with the information banner to express a choice. This automatic placement violated fundamental consent requirements mandating that tracking technologies only be deployed after users provide explicit permission.

The website lacked clarity in information provided to users about cookie purposes. Some cookies appeared categorized as "strictly necessary" and therefore exempt from consent obligations, but useful information about their actual purposes remained unavailable to visitors. This misclassification potentially allowed the publisher to deploy tracking technologies under false pretenses.

Most significantly, consent refusal and withdrawal mechanisms proved completely ineffective. When users clicked the "Refuse All" button in the banner or attempted to withdraw previously granted consent, new cookies subject to consent requirements were nevertheless placed on their devices while existing cookies continued being read.
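The checks described in both articles (non-essential cookies set before a choice, cookies set after refusal or withdrawal, and a reject path that takes more effort than accept) can be run against a recorded test visit to your own site. This is an added example, not code from the ICO, CNIL or either publisher; the event format, the cookie names and the essential-cookie allowlist are assumptions constructed for illustration.

```javascript
// Assumed allowlist of strictly necessary cookies; a real audit uses the site's own inventory.
const ESSENTIAL = new Set(["session_id", "csrf_token", "consent_state"]);

// Constructed sample session (not real traffic): ordered events from one test visit.
const SAMPLE_SESSION = {
  banner: { clicksToAccept: 1, clicksToReject: 3 },
  events: [
    { t: 0,    type: "set-cookie", header: "session_id=a1b2; Path=/; HttpOnly; Secure" },
    { t: 120,  type: "set-cookie", header: "_ad_uid=9f3c; Max-Age=31536000; Path=/" },
    { t: 900,  type: "banner-shown" },
    { t: 4000, type: "consent", choice: "reject" },
    { t: 4010, type: "set-cookie", header: "consent_state=rejected; Path=/" },
    { t: 4300, type: "set-cookie", header: "_trk=77aa; Domain=.example.test; Path=/" },
  ],
};

// Extract the cookie name from a Set-Cookie header value (text before the first "=").
function cookieName(header) {
  const pair = header.split(";")[0];
  const eq = pair.indexOf("=");
  return (eq === -1 ? pair : pair.slice(0, eq)).trim();
}

// Walk the timeline and report each non-essential cookie by the consent state it was set in.
function auditSession(session, essential = ESSENTIAL) {
  const findings = [];
  let choice = null; // null until the user accepts, rejects or withdraws
  const ordered = [...session.events].sort((a, b) => a.t - b.t);
  for (const ev of ordered) {
    if (ev.type === "consent") { choice = ev.choice; continue; }
    if (ev.type !== "set-cookie") continue;
    const name = cookieName(ev.header);
    if (essential.has(name)) continue;
    if (choice === null) {
      findings.push({ check: "set-before-choice", cookie: name, t: ev.t });
    } else if (choice !== "accept") { // "reject" or "withdraw"
      findings.push({ check: "set-after-refusal", cookie: name, t: ev.t });
    }
  }
  const { clicksToAccept, clicksToReject } = session.banner;
  if (clicksToReject > clicksToAccept) {
    findings.push({ check: "reject-harder-than-accept", clicksToAccept, clicksToReject });
  }
  return findings;
}

console.log(auditSession(SAMPLE_SESSION));
```

The allowlist is the weak point of any such audit: a cookie labelled "strictly necessary" without a documented purpose passes this check while still being a finding of the kind CNIL describes.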

Escalating French Enforcement Actions

The fine amount takes into account that Condé Nast had already been issued a formal notice in 2021 but failed to correct its practices, along with the number of people affected and various breaches of rules protecting users regarding cookies.

The CNIL fine represents another in a series of NOYB-related enforcement actions, with the French authority previously fining Criteo €40 million in 2023 and Google €325 million earlier in 2025. Spain's AEPD issued a €100,000 fine against Euskaltel in related NOYB litigation.


According to reports, Condé Nast acknowledged violations in its defense but cited technical errors, blamed the Internet Advertising Bureau's Transparency and Consent Framework for misleading information, and stated the cookies in question fall under the functionality category. The company claimed good faith and cooperative efforts while arguing against public disclosure of the sanction.

The Cookie Consent Conundrum

French enforcement demonstrates the ePrivacy Directive's teeth in protecting user privacy. CNIL maintains material jurisdiction to investigate and sanction cookie operations affecting French users, with the GDPR's one-stop-shop mechanism not applying since cookie enforcement falls under separate ePrivacy rules transposed into French law.

The authority has intensified actions against dark patterns in consent mechanisms, particularly practices making cookie acceptance easier than refusal. Previous CNIL decisions against Google and Facebook established that websites offering immediate "Accept All" buttons must provide equivalent simple mechanisms for refusing cookies, with multiple clicks to refuse constituting non-compliance.

The six-year timeline from initial complaint to final sanction illustrates both the persistence required in privacy enforcement and the extended timeframes companies exploit while maintaining non-compliant practices generating advertising revenue through unauthorized user tracking.
