
9 May 2026 · Cookie Compliance

Cookie Consent Banners: 7 Mistakes the ICO Will Flag

The ICO is actively auditing UK websites for cookie consent failures. Here are the seven most common mistakes and how to fix each one.

If your website has a cookie consent banner, that is a good start. But having a banner is not the same as having a compliant banner. The Information Commissioner's Office (ICO) has been clear: it expects cookie consent to meet the standards set out in PECR and the GDPR, and it is actively auditing websites that fall short.

We have scanned hundreds of UK small business websites, and the same seven mistakes come up again and again. Some of them are easy to fix. Others require a bit more work. But all of them can result in enforcement action if the ICO comes knocking.

1. Reject-all is not as prominent as accept

This is the single most common issue the ICO flags. Your cookie banner must offer visitors a way to reject non-essential cookies, and that option must be just as easy to find and click as the "Accept All" button.

What this means in practice: if your banner has a large green "Accept All" button but hides "Reject All" behind a "Manage Settings" link in small text, you are non-compliant. The ICO has specifically stated that the reject option must be presented with equal visual prominence. Same size, same colour contrast, same number of clicks.

The fix: Add a clearly visible "Reject All" button next to your "Accept All" button. Both should be the same size and equally easy to tap on a mobile screen.

2. Pre-ticked consent categories

Under the GDPR, consent must be actively given. That means no pre-ticked boxes. If your cookie banner opens a preferences panel with analytics, marketing, or advertising categories already checked, that is not valid consent. The user has not actively chosen anything.

This was standard practice for years. Many older cookie consent tools defaulted to pre-ticking everything and requiring users to opt out. The ICO and the European Data Protection Board have both confirmed this approach does not meet the legal standard for consent.

The fix: All non-essential cookie categories must be unchecked by default. The user must actively tick the boxes for the categories they want to accept.

3. No way to withdraw consent later

The GDPR requires that consent can be withdrawn as easily as it was given. If a visitor accepts cookies on Monday, they must be able to change their mind on Thursday without having to hunt through your site for a hidden settings page.

Many websites show the cookie banner once, store the choice, and never give the visitor a way to revisit that decision. This fails the GDPR's requirement for easy withdrawal.

The fix: Add a persistent "Cookie Settings" link in your website footer. Clicking it should reopen the consent banner or preferences panel so the visitor can update their choices at any time.

4. Dark patterns and confusing language

The ICO has specifically called out the use of dark patterns in cookie banners. Dark patterns are design choices that trick or pressure users into making a particular choice. Common examples include:

  • Double negatives: "Don't not personalise my ads" – confusing language designed to make users click the wrong option.
  • Asymmetric button design: a bright, bold "Accept" button next to a tiny, faded "Manage Options" link.
  • False urgency: "Your settings will be lost if you don't accept now!"
  • Forced scrolling: requiring users to scroll through a long list of cookie purposes before they can reject.
  • Confirmshaming: "I don't want a personalised experience" as the reject button text, making the user feel they are missing out.

The fix: Use clear, straightforward language. "Accept All" and "Reject All" are fine. Do not use emotionally loaded text, and do not make one option visually dominant over the other.

5. Missing banner entirely (but still loading tracking scripts)

You would be surprised how many UK small business websites load Google Analytics, Facebook Pixel, or other tracking scripts without any consent banner at all. Sometimes the business owner does not realise their website sets these cookies. Sometimes a developer added them and nobody thought about consent.

It does not matter why the banner is missing. If your site loads non-essential cookies without obtaining informed consent first, you are in breach of PECR. Full stop.

This is also one of the easiest things for the ICO to detect. Automated scans can identify tracking scripts on your site in seconds. If you are running analytics, advertising pixels, or any third-party tracking and you do not have a consent banner, you are exposed.

The fix: Audit your website to find out what cookies and tracking scripts it actually sets. If you find non-essential cookies, add a compliant consent banner immediately and ensure those scripts do not load until the user has consented.

6. Cookies set before the user interacts with the banner

This is a subtle but critical issue. PECR requires informed consent before non-essential cookies are set. Many cookie consent tools load the banner, but the tracking cookies have already fired by the time the user sees it. The user accepts or rejects, but their data has already been collected before they made a choice.

The ICO's technical guidance is clear: non-essential cookies must not be set until the user has actively consented. This means your Google Analytics script, your advertising pixels, and your third-party tracking should not execute until the visitor clicks "Accept."

Testing this is straightforward. Open your website in a private browsing window, open the browser's developer tools, and check the cookies and network requests before you interact with the consent banner. If you see analytics or tracking cookies appearing before you click anything, you have a problem.

The fix: Configure your consent tool to block non-essential scripts until consent is given. Most modern consent management platforms support this. If you are using Google Tag Manager, set up consent mode so that tags only fire after the user opts in.

7. Not documenting consent records

The GDPR requires you to be able to demonstrate that consent was obtained. This means keeping records of when each visitor consented, what they consented to, and how the consent mechanism worked at the time.

If the ICO asks you to prove that your visitors consented to cookies, saying "we had a banner" is not enough. You need evidence: timestamps, the version of the consent banner, what options were presented, and what the user selected.

Most free cookie consent tools do not store consent records. They set a local cookie on the visitor's browser and move on. That is not sufficient for GDPR compliance because the evidence sits on the visitor's device, not in your records.

The fix: Use a consent management platform that stores proof of consent on your server. You should be able to produce a record showing that a specific visitor was presented with a compliant banner and actively chose to accept or reject each category of cookies.
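As an added illustration (not code from this article or from PulseShield), the JavaScript below sketches the three technical fixes from mistakes 2, 6 and 7 in one place: non-essential categories default to off, gated scripts stay inert until a stored choice allows them, and every decision produces a record a site could keep server-side. The `type="text/plain"` / `data-consent` / `data-src` tag convention and the banner version label are assumptions, not a real vendor's API.

```javascript
// Added example: a minimal consent gate plus audit record (not the page's own code).
// Assumed convention: non-essential third-party tags are written inert, e.g.
//   <script type="text/plain" data-consent="analytics" data-src="https://example.test/a.js"></script>
// so the browser never executes them until the gate swaps them for a live <script>.
const CATEGORIES = ["analytics", "marketing"];   // non-essential categories only
const BANNER_VERSION = "banner-v3-placeholder";  // constructed label; record which banner was shown

// Mistake 2: the starting state has every non-essential category switched off.
function defaultConsent() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, false]));
}

// Turn the visitor's explicit ticks into a state; anything not ticked stays false.
// Calling it with {} is a full withdrawal (mistake 3), which is as easy as accepting.
function applyChoice(choice) {
  const state = defaultConsent();
  for (const c of CATEGORIES) if (choice[c] === true) state[c] = true;
  return state;
}

// Mistake 6: with no stored choice nothing may run; otherwise only consented categories.
function allowedScripts(scripts, consent) {
  if (!consent) return [];
  return scripts.filter((s) => consent[s.category] === true);
}

// Mistake 7: the evidence to keep server-side, not just a cookie on the visitor's device.
function consentRecord(consent, now = new Date()) {
  return {
    timestamp: now.toISOString(),
    bannerVersion: BANNER_VERSION,
    optionsPresented: ["Accept All", "Reject All", ...CATEGORIES],
    choices: { ...consent },
  };
}

// Browser-only: activate the inert tags that the stored choice permits. Returns the count.
// In Node there is no DOM, so it activates nothing and returns 0.
function activateGatedScripts(consent) {
  if (typeof document === "undefined") return 0;
  const tags = [...document.querySelectorAll('script[type="text/plain"][data-consent]')];
  const gated = tags.map((t) => ({ category: t.dataset.consent, tag: t }));
  let count = 0;
  for (const { tag } of allowedScripts(gated, consent)) {
    const live = document.createElement("script");
    live.src = tag.dataset.src;   // only now does the tracking script get fetched and run
    tag.replaceWith(live);
    count++;
  }
  return count;
}
```

Wire `applyChoice` to the banner's buttons, send the `consentRecord` to your own server when a choice is made, and call `activateGatedScripts` only with a stored choice; the dev-tools check from mistake 6 should then show no analytics or advertising requests before the first click.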

What to do next

If you recognise any of these mistakes on your own website, you are not alone. The vast majority of UK small business websites have at least one cookie consent issue. The important thing is to fix it before the ICO finds it for you.

Start by finding out what cookies your website actually sets. Many business owners are shocked to discover tracking scripts they did not even know were there. A free PulseShield scan checks your website for tracking cookies, consent banner issues, and other compliance problems in about 30 seconds.

Once you know what needs fixing, most of these mistakes can be resolved in an afternoon. The cost of a compliant cookie banner is minimal. The cost of an ICO fine is not.
