Get started

What's Really Loading on UK Websites — The Tracker Research

data-research 7 min read Updated 2026-03-23

What’s Really Loading on UK Websites — The Tracker Research

Most UK business owners don’t know how many third-party trackers are running on their websites. When asked, they might say “Google Analytics” or “Facebook Pixel.” When you scan their site, you find 15–40 trackers contacting domains they’ve never heard of.

This gap between what site owners think is on their site and what’s actually there is the root of most cookie compliance failures. You can’t disclose what you don’t know. You can’t block what you haven’t discovered.

This article compiles research from the ICO, academic studies, and compliance audits to show you what’s really on UK websites, what the regulations require, and what it means for compliance.

The ICO’s 2025 Assessment

In 2025, the ICO assessed the top 1,000 UK websites for cookie compliance. The initial findings were striking: 134 of the first 200 websites assessed failed cookie compliance.

But here’s the important part: after the ICO engaged with site owners and provided guidance, the picture improved significantly. By the end of the assessment period:

  • 979 of the 1,000 websites passed cookie compliance checks
  • 564 improved after failing the initial assessment
  • 415 passed without intervention (no initial failure)
  • 21 remained non-compliant even after engagement

This tells you something important: most compliance failures aren’t intentional. When site owners understand the requirements and get guidance, they fix the issues. The barrier is awareness and understanding, not malice.

The ICO’s findings align with academic research. A recent study examining the top 10,000 websites across 31 countries found that only 15% meet basic cookie compliance requirements. In the UK specifically, the pattern is consistent: widespread non-compliance, with most failures correctable through guidance.

One critical failure pattern: pre-consent tracking. Approximately 60% of websites offer a “Reject all” button, but research shows that only 40% actually honour that choice. Cookies get set before the user clicks anything.

More sharply: 3 out of 4 high-traffic websites fire cookies before a user interacts with the consent banner. You read that right — cookies are set during page load, before the user has any chance to consent or object.

A June 2025 study found that nearly 50% of sites use what researchers call “intractable cookies” — cookies that continue to track users even after consent has been explicitly declined. The user clicks “Reject,” but the tracking continues.

Why This Happens: Third-Party Services Add Layers

Site owners typically install Google Analytics and maybe Facebook Pixel directly. But they don’t always realise that:

  • Their CMS (WordPress, Shopify) ships with plugins that add tracking
  • Embedded widgets (live chat, contact forms, video players, review systems) contact external domains
  • Google Tag Manager, often installed to manage Analytics, allows multiple trackers to fire
  • Third-party integrations (payment processors, customer support tools, email capture) include tracking scripts

Each addition seems minor in isolation. Collectively, they create a tracking footprint far larger than the site owner realises.

Which Trackers Dominate

The ICO’s assessment identified the most common trackers on UK websites. Google leads by a wide margin:

  • Google: 47.3% of tracking cookie violations (across Google Analytics, Google Ads, Google Tag Manager)
  • Meta (Facebook): 8.8% of violations
  • Other networks (LinkedIn, TikTok, advertising exchanges): smaller but growing shares

Google’s dominance isn’t surprising — Analytics is ubiquitous. But it reveals where compliance focus should be: if you’re using Google Analytics without proper consent or without disclosing it, you’re in the majority of non-compliant sites.

Many sites use Consent Management Platforms (CMPs) to handle cookie consent. Yet research shows that many implementations have technical errors.

One study found that 67% of Consent Mode v2 implementations (Google’s latest consent framework) have technical errors. The most common: defaulting to “granted” consent instead of respecting user choice.

This is significant because Consent Mode v2 is Google’s recommended approach for handling consent. Yet the majority of implementations are broken. This suggests that either developers misunderstand the requirement or the tools are poorly documented.

Financial Services and Advertising Networks: Worse Than Average

Certain sectors show worse compliance than others. Financial services sites set non-essential cookies before valid consent in 72% of cases. This is higher than the overall average, suggesting either less awareness or less enforcement focus.

For advertising networks broadly, the pattern is that 57.5% keep advertising and analytics cookies after user revocation (even when the user clicks “No” or “Reject all”). 74.2% fail to inform third parties that the user has withdrawn consent, meaning those third parties continue processing personal data even after the user has objected.

The Regulatory Shift: DUAA and Increased Penalties

The Data (Use and Access) Act 2026, which came into force in February 2026, changed the regulatory landscape significantly. It introduced five new cookie consent exemptions:

  1. Analytics aggregate — anonymised analytics that don’t identify individuals
  2. Security — cookies needed to prevent fraud or detect attacks
  3. Functionality — cookies needed for the site to work
  4. Updates — cookies needed to deliver security updates
  5. Customisation — cookies for user preferences (language, theme)

These exemptions don’t require consent. You can set them without asking. But the other cookie categories (marketing, profiling, advertising) still require explicit consent under PECR.

More importantly, PECR penalties increased from £500,000 to £17.5 million or 4% of worldwide turnover — aligned with GDPR penalties. This sevenfold increase signals that enforcement posture is shifting.

What This Means: The Compliance Gap

For Site Owners

If you don’t know what’s on your site, you can’t comply. Your first step is to audit: scan your homepage and identify every third-party domain you contact. Be honest about the gap between what you think is loading and what’s actually there.

You’ll likely find:

  • Trackers you installed years ago and forgot about
  • Trackers your plugins or hosting added without you realizing
  • Trackers from services you integrated with (forms, chat, booking systems)

Once you know what’s there, you can address it: disable trackers you don’t need, configure those you do need to respect consent, and ensure your consent mechanism actually works (not just decorative).

For Regulators

Pre-consent tracking is widespread. The ICO’s 2025 assessment shows that enforcement activity combined with clear guidance produces results — 564 sites improved after failing initial assessment. This suggests that most compliance failures aren’t intentional malice but rather lack of awareness.

However, the increase in PECR penalties signals that regulators are no longer content with passive guidance. Expect heightened enforcement against:

  • Pre-consent tracking (the most visible violation)
  • Non-functional consent mechanisms (banners that don’t actually block scripts)
  • Missing or inadequate cookie policies
  • Failure to respect user choice (continuing to track after “Reject all”)

What You Can Do Now

  1. Audit your site. Use your browser’s developer tools (Network tab) or a free tool (Cookiebot, CookieYes) to scan your homepage. Load it, observe what third-party domains are contacted, and note every tracker.

  2. Classify the trackers. Go through your list and decide: do I need this? Is it essential? If you don’t recognize it, investigate (Google it, ask your developer, contact the provider).

  3. Disable what you don’t need. Delete unused plugins, remove abandoned scripts, deactivate theme features you’re not using. Each removed tracker reduces your risk.

  4. Implement a proper consent mechanism. Choose a CMP (Cookiebot, CookieYes, Termly) and install it. Crucially: configure it to actually block non-essential scripts until consent is given. Test that it works by clearing cookies, reloading with Network tab visible, and checking that non-essential requests don’t fire before you interact with the banner.

  5. Write or update your cookie policy. Most CMPs generate this automatically. Review it for accuracy: list the trackers you actually use, explain what data each collects, state the retention period, and link to privacy policies of third parties.

  6. Enable withdrawal. Users should be able to change their consent preference at any time. Set up a persistent preference centre or link to your cookie settings.

  7. Re-audit quarterly. Websites change. Set a reminder to scan again in three months and check for new trackers you may have added.

These steps take 3–5 hours initially and about an hour per quarter. They’re the difference between compliance and exposure.

The Path Forward

The research tells a clear story: cookie compliance failures are common, but they’re mostly fixable. Pre-consent tracking and non-functional banners are the most visible violations, but most site owners aren’t intentionally violating the law — they’re simply unaware of what’s on their sites.

The regulatory shift (higher penalties, enforcement focus, clearer guidance) signals that passive non-compliance will become riskier. But it also signals that compliance, once addressed, is maintained through ongoing awareness.

The businesses that will avoid enforcement and build customer trust are those that audit, fix, disclose, and maintain.

For a Full Assessment

If you want to understand your specific tracking landscape and compliance exposure, Bartram Web screens your website for:

  • Pre-consent tracking (cookies set before consent)
  • Non-functional consent mechanisms (banners that don’t actually block scripts)
  • Missing or inadequate cookie policies
  • All trackers present on your site (even the hidden ones)
  • Recommendations for remediation

To stay informed about cookie compliance and other regulatory updates, subscribe to our fortnightly newsletter.

Updated 2026-03-23

Free newsletter

Get insights like this fortnightly

UK compliance rules are changing fast. Our newsletter covers what changed, what's coming, and what it means for your business.

Subscribe →

Free, fortnightly, no spam. Unsubscribe any time.

Want to check your compliance?

Find out where you stand — and get a prioritised action plan.

Screen your website →

More from this hub

Cookie Consent Changes Under the DUAA — What's Shifting in 2026

The February 2026 Data Use and Access Act reformed UK cookie consent: five new exemptions, £17.5M fines, and browser-level signalling. What changed and what it means for your site.

Read article →

Your Cookie Banner Probably Isn't Compliant — Here's Why

The most common cookie banner failures: decorative banners, no genuine choice, pre-consent tracking, missing policies. Why having a banner doesn't mean you're compliant.

Read article →

How to Set Up a Compliant Cookie Consent Mechanism

Step-by-step setup of a compliant cookie consent mechanism: choosing a CMP, configuring genuine choice, blocking pre-consent scripts, policy writing, and testing.

Read article →