Accessibility statement

Significant number of UK websites do not comply with law on cookie banners

Posted on 20 April 2021

Research at the University of York has shown that around one in four websites do not comply with even the basic regulations on gaining permission from users to track and store their data.

Cookie consent banners pop-up on websites when a user visits them for the first time, and is, by law, meant to state that cookies and trackers are used on the website. They are meant to give users a choice before browsing the site on whether they want their data to be processed or not.

If users give their consent, the company can use the data to personalise content and adverts, and share the users’ interactions with their site with social media platforms and analytics companies.

To be compliant with General Data Protection Regulation (GDPR), websites should request explicit and informed consent from their users.

More attention

New research at the University of York into 17,000 websites and 7,500 cookies banners in Greece and the UK showed that more than 60% of websites store third party cookies in both countries, but just under 50% show the most basic cookie notice.

Dr Siamak Shahandashti, from the University of York’s Department of Computer Science, said: “Our goal was to analyse the largest number of websites possible to give a more comprehensive view of the scale of the problem.

“The results are not entirely surprising when you consider that companies have taken a long time to catch-up on digital security issues, and so privacy issues could take just as long.

“In the meantime, it is important to highlight where the problems are so that companies start to pay more attention. The good news is that guidelines from the EU and UK are getting better; Consent Management Providers are improving services; and strong legislation, like GDPR, will hopefully start to make an impact in the next few years.”

Opt-in, Opt-out

The research also found that only a small number of surveyed websites provide direct opt-out options in their cookie notices, which makes it more difficult for users to reject the tracking technology.  Researchers highlight that a simple binary choice – accept or reject – is a good example of best practice.

Dr Shahandashti said: “We are not trying to suggest that all companies, which do not comply with the laws, have malicious intentions. Some of the smaller companies we surveyed, for example, might not be aware of the trackers on their websites, but regardless, it is the responsibility of all companies to be aware of the guidelines and improve their practices to ensure that users’ privacy preferences are honoured.”

Media enquiries

Samantha Martin
Deputy Head of Media Relations

Tel: +44 (0)1904 322029

About this research

The research will be presented at the 36th International Conference on ICT Systems Security and Privacy Protection (IFIP SEC 2021), and published in the IFIP Advances in Information & Communication Technology series.

For more information on our research click here.