Cookie consent is one of those things most websites get wrong, not because the rules are complicated, but because the defaults that plugins and themes ship with are not compliant. A recent review by the ICO found 134 of 200 top UK websites in violation, and cookie consent studies consistently show that only around 15% of banners meet minimum legal requirements.
The result is a quiet legal risk sitting on a lot of sites right now.
Why this matters in the UK
UK GDPR and the Privacy and Electronic Communications Regulations (PECR) are legally binding. They apply to any website that stores non-essential cookies on a visitor’s device, including analytics, advertising, and most third-party tracking scripts.
The ICO can fine businesses up to £17.5 million or 4% of annual global turnover for serious breaches. The Data (Use and Access) Act 2025 has now brought PECR fines in line with those maximums, so the stakes are higher than they were.
The core requirement is straightforward: explicit consent before setting any non-essential cookie, freely given, informed, and easy to withdraw.
The four most common mistakes
1. Hiding the reject option
The most widespread issue. A large, prominent “Accept all” button paired with a tiny “Manage preferences” link in the corner is not compliant. Both options need equal visual prominence. If accepting is easy and rejecting is hard, that is a dark pattern. The same research shows up to 90% of users accept when rejecting takes multiple clicks, compared to around 50% when a “Reject all” button is clearly visible. The ICO knows what these patterns look like.
2. Loading tracking scripts before consent
This one catches a lot of sites out. If Google Analytics or Meta Pixel fires when the page loads, before a visitor has clicked anything, you have already set cookies without consent. The banner appearing on screen does not count if the scripts have already run.
This usually happens because plugins are configured to load by default rather than conditionally. It needs fixing at the implementation level, not just visually.
3. Privacy policies written for lawyers, not visitors
Consent requires that users are genuinely informed. A 4,000-word policy written in legal language does not meet that standard in practice. The ICO expects you to explain clearly what you are collecting, why, and for how long, in plain English that an average person can understand.
4. Showing the banner again after consent is given
If a visitor has already made a choice and you show them the full consent banner again on their next visit, you are effectively invalidating their previous decision. Consent should be stored and respected. Repeating the banner on every visit is both non-compliant and genuinely annoying.
What compliant consent looks like
- Script blocking: Non-essential scripts are blocked until consent is given, not just visually deferred.
- Equal prominence: Accept and reject options presented with the same visual weight.
- Consent storage: Returning visitors are not asked again unless their consent expires or your cookies change.
- Preference management: Users can update their choices at any time via an accessible link.
- Current documentation: Your cookie policy reflects what is actually running on your site, and is updated when that changes.
- Plain language: Readable font, simple explanations, no legal jargon in the banner itself.
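The script blocking and consent storage points above, and the pre-consent loading mistake described earlier, sketched as an added JavaScript example (not code from this article or from any consent plugin). The registry, category names, example domains, `POLICY_VERSION` and the 180-day lifetime are all assumptions made for illustration.

```javascript
// Added example: consent gate for non-essential scripts (all names hypothetical).
const POLICY_VERSION = 3;                          // bump when the site's cookies change
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000;  // assumed lifetime, not a legal figure

// Constructed registry: every script declares the consent category it needs.
const REGISTRY = [
  { src: "/js/site.js", category: "essential" },
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "advertising" },
];

// Parse the stored choice. Anything malformed, expired, or made under an
// older cookie list is treated as "no decision yet".
function readConsent(raw, now) {
  let rec;
  try { rec = JSON.parse(raw); } catch { return null; }
  if (!rec || typeof rec !== "object" || !Array.isArray(rec.granted)) return null;
  if (rec.policyVersion !== POLICY_VERSION) return null;
  if (typeof rec.savedAt !== "number" || now - rec.savedAt > CONSENT_TTL_MS) return null;
  return rec;
}

// Decide what may load. Without a valid record only essential scripts run and
// the banner is shown; with one, the banner stays hidden on return visits.
function planPageLoad(raw, now, registry = REGISTRY) {
  const rec = readConsent(raw, now);
  const granted = new Set(rec ? rec.granted : []);
  const allowed = registry.filter(s => s.category === "essential" || granted.has(s.category));
  return { showBanner: rec === null, load: allowed.map(s => s.src) };
}

// Record a choice. "Reject all" is stored as an empty list, so a refusal is
// remembered exactly like an acceptance.
function saveConsent(grantedCategories, now) {
  return JSON.stringify({ policyVersion: POLICY_VERSION, savedAt: now, granted: [...grantedCategories] });
}

// Browser wiring: inject only the planned scripts. Tracker tags must not
// also appear as static <script> tags in the page, or they bypass the gate.
function injectScripts(plan) {
  for (const src of plan.load) {
    const el = document.createElement("script");
    el.src = src;
    el.async = true;
    document.head.appendChild(el);
  }
}
```

In a page, `raw` would come from wherever the choice is persisted (for example a first-party cookie or `localStorage`), and `injectScripts(planPageLoad(raw, Date.now()))` would run once at load and again after the visitor saves a choice.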
The tool we use: Termageddon
Rather than manually maintaining your cookie policy and consent setup, Termageddon handles it as a managed service. It scans your site for cookies, categorises them, generates the relevant legal documentation, and updates automatically as regulations change.
It integrates cleanly with WordPress and most custom-built sites, and costs a fraction of what you would pay a solicitor to keep your policies current manually.
If you are currently relying on a free plugin you set up a few years ago and have not touched since, it is worth checking whether it actually blocks scripts pre-consent and whether your documentation still reflects what is running on your site.