Cookie banner dark patterns in the UK: ICO enforcement in 2026
Steven | TrustYourWebsite · 20 April 2026 · Last updated: April 2026
Cookie banner design in the UK is no longer a grey area. In November 2023, the ICO wrote to 53 of the top 100 UK websites warning them that their cookie banners did not comply with PECR. By January 2024, 38 had become compliant and a further 4 had committed to changes. Commissioner John Edwards and Deputy Commissioner Stephen Bonner have made the ICO's position explicit: a site without a reject-all button is, in Bonner's words, "breaking the law". This article maps twelve dark patterns, ranked by regulatory consensus, and links them to what the EDPB classifies as prohibited, discouraged or best practice.
For UK-specific privacy policy requirements, see privacy policy requirements under UK GDPR.
The EDPB taxonomy: six categories
Although the UK is no longer an EU member state, the EDPB's dark pattern taxonomy remains the most comprehensive classification available. The ICO has not published an equivalent taxonomy but has cited the same principles in its enforcement actions. The EDPB published Guidelines 03/2022 (version 2.0, 14 February 2023) with six categories. The Cookie Banner Taskforce (report 18 January 2023) applied these specifically to cookie banners.
Overloading means overwhelming the user with information, requests or options to cause decision fatigue. In cookie banners this translates to endless lists of individual cookies requiring per-item consent, while "accept all" takes one click.
Skipping means designing the interface so the user bypasses the choice. A banner that automatically disappears after a few seconds and records that as consent falls under this category.
Stirring appeals to emotions or uses visual nudging. The classic green "accept" button next to a small grey "reject" link is the most recognised example.
Hindering makes the privacy-friendly choice harder than the default. Three clicks to reject, one click to accept.
Fickle means inconsistent design: the explanation about cookies says one thing, the actual processing does something else.
Left in the dark withholds information or presents it in a confusing manner. Labelling marketing cookies as "functional" falls under this category.
The twelve patterns, ranked by consensus
| Pattern | EDPB category | Consensus | Leading enforcement |
|---|---|---|---|
| 1. Trackers loading before consent | Fickle | Unanimous | Yahoo EUR 10M, Google EUR 325M |
| 2. Pre-ticked checkboxes | Skipping | Unanimous | Planet49 (C-673/17) |
| 3. No reject-all on first layer | Hindering | Majority | ICO top-100 letters, CNIL, GBA |
| 4. Asymmetric button design | Stirring | Unanimous | GBA green/grey, CNIL Dec 2024 |
| 5. More clicks to reject than to accept | Hindering | Unanimous | Google EUR 150M (2021) |
| 6. Marketing cookies classed as "functional" | Left in the dark | Unanimous | Taskforce par. 3.5 |
| 7. Legitimate interest for advertising cookies | Left in the dark | Unanimous | Taskforce par. 3.6, Mediahuis |
| 8. Consent by "continued browsing" | Skipping | Unanimous | CNIL 2020-091 par. 27 |
| 9. Missing or asymmetric withdrawal mechanism | Fickle | Unanimous | UK GDPR art. 7(3) |
| 10. Cookie wall without paid alternative | Hindering | Majority prohibited | CNIL Delib. 2023-010 |
| 11. Ambiguous or emotional wording | Stirring | Majority | CNIL Dec 2024 formal notices |
| 12. Banner re-shown after rejection | Overloading | Majority | CNIL six-month norm |
Trackers before consent is the most heavily sanctioned pattern. The CNIL fined Yahoo EUR 10 million in 2023 and Google EUR 325 million in 2025 because trackers were already active before the visitor had made a choice. The same principle applies under PECR regulation 6.
Pre-ticked checkboxes have been unambiguously prohibited since the Planet49 ruling (CJEU C-673/17). The UK retained this principle through the UK GDPR. Consent requires an active act. Pre-ticked boxes are not consent.
No reject-all on the first layer is a majority position, not unanimous, at the European level. In the UK, the ICO has taken a stronger stance. Bonner stated publicly that sites without a reject-all option are "breaking the law". The ICO's November 2023 letter campaign to the top 100 sites focused specifically on this issue.
Asymmetric button design is unanimously problematic. There is no fixed WCAG threshold in the EDPB text, but colour difference, element type (link vs. button), font size and position are repeatedly used as evidence.
Legitimate interest for advertising and tracking cookies is unanimously prohibited. The Taskforce states in paragraph 3.6 that legitimate interest is not a valid legal basis for placing non-functional cookies.
UK enforcement: ICO strategy in 2026
The top-100 letter campaign
In November 2023, the ICO wrote to 53 of the top 100 UK websites whose cookie banners did not meet PECR requirements. The letters were not formal enforcement notices but carried an implicit threat: comply voluntarily or face regulatory action. By January 2024, the ICO reported that 38 sites had become compliant and 4 had committed to changes. The remaining sites were under continued scrutiny.
The 2025 tracking strategy
The ICO announced in 2025 an expanded programme targeting the top 1,000 UK websites. The programme uses AI-based detection to identify non-compliant cookie banners at scale. This marks a shift from manual review to automated enforcement, mirroring the approach taken by the AP in the Netherlands (10,000 sites) and the CNIL in France.
Penalty framework
The UK operates a dual penalty regime for cookie violations:
- PECR: maximum fine of GBP 500,000 per breach
- UK GDPR: maximum fine of GBP 17.5 million or 4% of global annual turnover, whichever is higher
PECR fines apply specifically to cookie and e-privacy violations. UK GDPR fines can apply when the underlying data processing lacks a valid legal basis. In practice, the ICO has used PECR for cookie-specific cases and UK GDPR for broader data protection failures. For most SMEs, the PECR maximum of GBP 500,000 is the relevant ceiling.
What the scanner actually tests
The TrustYourWebsite scanner has a feature that directly addresses the most heavily sanctioned pattern: after clicking "reject all", the scanner re-checks network traffic for persistent trackers. Specifically, we detect whether Google Analytics, Meta Pixel, TikTok Pixel, LinkedIn Insight Tag or Criteo continue sending data after a reject action. This matches the core finding in the CNIL Yahoo case (EUR 10 million) and the principle underlying PECR regulation 6.
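The classification step described above, as an added example that is not the TrustYourWebsite scanner's own code: a captured request log is split into the requests seen before any choice and those seen after the reject click, and each is matched against a small tracker endpoint list. The endpoint list, the phase labels and the sample log are assumptions constructed for illustration.

```javascript
// Added example, not the TrustYourWebsite scanner's own code: classify
// network requests captured around a "reject all" click against a small,
// assumed list of tracker endpoints. The request log is constructed.
const TRACKER_SIGNATURES = {
  "Google Analytics": [{ host: "google-analytics.com" }, { host: "analytics.google.com" }],
  "Meta Pixel": [{ host: "facebook.com", path: "/tr" }, { host: "connect.facebook.net" }],
  "TikTok Pixel": [{ host: "analytics.tiktok.com" }],
  "LinkedIn Insight Tag": [{ host: "px.ads.linkedin.com" }, { host: "snap.licdn.com" }],
  "Criteo": [{ host: "criteo.com" }, { host: "criteo.net" }],
};

// Match hostname exactly or as a subdomain; optionally require a path prefix.
function matches(url, sig) {
  const hostOk = url.hostname === sig.host || url.hostname.endsWith("." + sig.host);
  return hostOk && (!sig.path || url.pathname.startsWith(sig.path));
}

// Return the tracker name for a request URL, or null if it is not a known tracker.
function identifyTracker(rawUrl) {
  const url = new URL(rawUrl);
  for (const [name, sigs] of Object.entries(TRACKER_SIGNATURES)) {
    if (sigs.some((sig) => matches(url, sig))) return name;
  }
  return null;
}

// Each request carries the phase the scanner captured it in: "before-choice"
// (page load, banner still open) or "after-reject" (after clicking reject all).
// Returns trackers loading before consent and trackers persisting after rejection.
function findTrackerFindings(requests) {
  const beforeConsent = new Set();
  const afterReject = new Set();
  for (const req of requests) {
    const tracker = identifyTracker(req.url);
    if (!tracker) continue;
    if (req.phase === "before-choice") beforeConsent.add(tracker);
    else if (req.phase === "after-reject") afterReject.add(tracker);
  }
  return { beforeConsent: [...beforeConsent].sort(), afterReject: [...afterReject].sort() };
}

// Constructed sample capture for one page load (IDs are placeholders).
const SAMPLE_REQUESTS = [
  { phase: "before-choice", url: "https://www.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER" },
  { phase: "before-choice", url: "https://cdn.example.com/app.js" },
  { phase: "after-reject", url: "https://www.facebook.com/tr/?id=0000&ev=PageView" },
  { phase: "after-reject", url: "https://www.facebook.com/plugins/like.php" },
  { phase: "after-reject", url: "https://analytics.tiktok.com/api/v2/pixel" },
  { phase: "after-reject", url: "https://www.example.com/api/content" },
];
```

The path prefix on the Meta signature is what keeps an ordinary embedded Facebook widget from being reported as the pixel; a real deployment would maintain a longer, versioned signature list.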
The scanner also detects asymmetric button design (CSS contrast ratio, element type, i.e. a link element vs. a button element, and font-weight), the presence of a reject button on the first layer, pre-ticked checkboxes, cookie walls, missing withdrawal mechanisms and the use of legitimate interest for advertising cookies.
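The asymmetric-button check, as an added example rather than the scanner's own code: the accept and reject controls are compared on WCAG contrast ratio, element type and font weight. The style snapshots and the thresholds that trigger a signal are assumptions for illustration.

```javascript
// Added example, not the scanner's own code: score accept vs. reject controls
// on the asymmetry signals the article lists (contrast ratio, element type,
// font weight). Colours are "#rrggbb"; style snapshots are constructed.

// WCAG 2.x relative luminance of an sRGB colour.
function relativeLuminance(hex) {
  const channel = (c) => (c <= 0.03928 ? c / 12.92 : ((c + 0.055) / 1.055) ** 2.4);
  const [r, g, b] = [1, 3, 5].map((i) => channel(parseInt(hex.slice(i, i + 2), 16) / 255));
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// Contrast ratio between text and background, from 1:1 up to 21:1.
function contrastRatio(fg, bg) {
  const [hi, lo] = [relativeLuminance(fg), relativeLuminance(bg)].sort((a, b) => b - a);
  return (hi + 0.05) / (lo + 0.05);
}

// Compare the two controls. A signal is raised only when the reject control is
// the weaker one; the thresholds are assumptions, not an EDPB or ICO figure.
function assessButtonAsymmetry(accept, reject) {
  const signals = [];
  const acceptContrast = contrastRatio(accept.color, accept.background);
  const rejectContrast = contrastRatio(reject.color, reject.background);
  if (acceptContrast / rejectContrast > 1.5) {
    signals.push(`reject contrast ${rejectContrast.toFixed(1)}:1 vs accept ${acceptContrast.toFixed(1)}:1`);
  }
  if (accept.tag === "button" && reject.tag === "a") signals.push("reject rendered as a link, accept as a button");
  if (accept.fontWeight - reject.fontWeight >= 200) signals.push("reject font-weight lighter by 200 or more");
  if (reject.fontSizePx < accept.fontSizePx * 0.85) signals.push("reject font smaller than 85% of accept");
  return { asymmetric: signals.length > 0, signals };
}

// Constructed computed-style snapshots of the classic green button / grey link pattern.
const ACCEPT_CONTROL = { tag: "button", color: "#ffffff", background: "#1e7e34", fontWeight: 700, fontSizePx: 16 };
const REJECT_CONTROL = { tag: "a", color: "#9e9e9e", background: "#ffffff", fontWeight: 400, fontSizePx: 13 };
```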
All findings are technical signals, not legal verdicts. The scanner can establish that a tracker is active after rejection. The scanner cannot assess whether the legal basis claimed for that tracker is valid.
Prohibited, discouraged or best practice
Prohibited (explicit DPA/court rulings): pre-ticked checkboxes, trackers before consent, persistent trackers after rejection, legitimate interest for marketing cookies, consent by continued browsing, missing withdrawal mechanism.
Majority consensus, not unanimous: reject-all on the first layer. The EDPB Taskforce notes this as a point of divergence. In the UK, the ICO's position is stronger than the European majority, but epistemic honesty requires noting the broader context.
Case by case: button colour, size and contrast. No fixed WCAG threshold exists in the EDPB text. The parameters are nevertheless repeatedly used as evidence.
Best practice: persistent withdrawal icon (a small, always-visible icon in the bottom-left or bottom-right corner), six-month consent refresh, layered transparency.
The ICO is scaling up
The progression from letters to 53 of the top-100 sites in 2023 to AI-based scanning of 1,000 sites in 2025 shows the direction. The ICO is building the technical infrastructure to enforce at scale. Bonner's "breaking the law" framing removes the ambiguity that many site owners relied on. For UK businesses, the question is no longer whether cookie banner compliance matters. The question is whether your site will be in the next batch the ICO reviews.
This article is technical analysis, not legal advice. Consult a solicitor for advice on your specific situation.