The Information Commissioner’s Office (ICO) got in touch with us recently. They wanted to run an online audit of our website, specifically looking at how we use non-essential advertising cookies.
We didn’t panic. We were ready.
Thanks to our setup with iubenda, we passed the audit without issue. Here’s how it worked, and what other businesses should know.
Who is the ICO?
The ICO is the UK’s data protection regulator. They enforce GDPR, the Data Protection Act and the Privacy and Electronic Communications Regulations. If your site uses cookies or handles customer data, they’re the ones making sure you’re doing it properly.
Why were we audited?
Our site was listed among the top 1000 in the UK. That’s a nice milestone, but it also means we’re expected to lead by example. The ICO wanted to check that our cookie practices weren’t just compliant, but robust.
What does a cookie audit involve?
The ICO reviews how non-essential cookies are used. They look at whether cookies are placed before consent is given, whether users can reject cookies as easily as they accept them, and whether any cookies are set without permission.
They also check the visibility and clarity of the cookie banner. Ours, powered by iubenda, was easy to find and simple to use.
After the audit, they send a letter with the results. Ours confirmed we’d passed.
How iubenda helped us stay compliant
We use iubenda’s Consent Management Platform (CMP). It lets us categorise cookies properly, show clear “Accept” and “Reject” options, and ensure no non-essential cookies are placed without consent.
That’s just the start. The platform also logs consent records, which means we can show auditors that we respect user choices. It’s not just about ticking boxes; it’s about building trust.
For example, when the ICO reviewed our site, they could see that our systems didn’t set any advertising cookies until users gave permission. That’s the kind of detail that matters.
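The three things the audit looks at (nothing non-essential before consent, reject as easy as accept, and a record of each choice) can be self-checked before a regulator does it for you. The following is an added example written for this post, not iubenda's code or any part of its CMP; the cookie names, the category map and the "observed on first load" list are constructed for illustration, and a real site would feed in the cookies actually seen by a fresh browser session with no interaction.

```javascript
// Added example (not iubenda's code): a minimal consent gate plus a self-audit
// helper that mirrors what the ICO checks. Cookie names and categories below
// are constructed for illustration.
const COOKIE_CATEGORIES = {
  session_id: "essential",      // needed for the site to work at all
  csrf_token: "essential",
  analytics_id: "analytics",    // non-essential
  ad_id: "advertising",         // non-essential
  ad_segment: "advertising",
};

// Anything not in the map is "uncategorised": an auditor will not assume it is
// essential, so the audit below reports it rather than ignoring it.
function categorise(name) {
  return COOKIE_CATEGORIES[name] || "uncategorised";
}

// The consent state a CMP would hold. Only "essential" is allowed until the
// user makes a choice; a "reject" clears everything non-essential.
class ConsentState {
  constructor(now = () => new Date().toISOString()) {
    this.granted = new Set();
    this.records = []; // consent log shown to auditors
    this.now = now;
  }
  // Records the choice, the resulting granted categories and when it happened.
  record(choice, categories = []) {
    if (choice === "accept") {
      categories.forEach((c) => this.granted.add(c));
    } else if (choice === "reject") {
      this.granted.clear();
    } else {
      throw new Error(`unknown choice: ${choice}`);
    }
    this.records.push({ at: this.now(), choice, granted: [...this.granted] });
  }
  canSet(cookieName) {
    const cat = categorise(cookieName);
    return cat === "essential" || this.granted.has(cat);
  }
}

// A setter that only writes a cookie when consent allows it. "jar" stands in
// for document.cookie so the example runs outside a browser.
function setCookieIfAllowed(jar, state, name, value) {
  if (!state.canSet(name)) return false;
  jar[name] = value;
  return true;
}

// Self-audit: given the cookie names observed on a fresh page load before any
// interaction, list every one that is not essential. An empty result is what
// the audit expects to see.
function auditPreConsent(observedCookieNames) {
  return observedCookieNames
    .map((name) => ({ name, category: categorise(name) }))
    .filter((c) => c.category !== "essential");
}

// Banner check: rejecting must not take more clicks than accepting.
function bannerIsSymmetric(banner) {
  return banner.rejectClicks <= banner.acceptClicks;
}

// Walk-through with constructed data: the advertising cookie is refused until
// the user accepts, and the acceptance is logged.
function demo() {
  const jar = {};
  const state = new ConsentState(() => "2025-01-01T00:00:00Z");
  setCookieIfAllowed(jar, state, "session_id", "abc"); // allowed: essential
  setCookieIfAllowed(jar, state, "ad_id", "xyz");      // refused: no consent yet
  state.record("accept", ["advertising"]);
  setCookieIfAllowed(jar, state, "ad_id", "xyz");      // allowed now
  return { jar, records: state.records, violations: auditPreConsent(Object.keys(jar)) };
}
```

Running `auditPreConsent` against what a clean browser profile actually receives on first load is the check worth automating: if it ever returns a non-empty list, a non-essential cookie is being set before consent, which is exactly what the ICO letter would call out.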
What happens if you fail an audit?
The consequences can be serious. Although this specific audit was just on cookie use, there are more detailed ones the ICO can run. Depending on the type of audit, fines can reach £17.5 million or 4% of global turnover, whichever is higher. In 2023, TikTok was fined £12.7 million for mishandling children’s data. In 2024, two firms were fined £340,000 for spam calls, and the Police Service of Northern Ireland was fined £750,000 after a spreadsheet error exposed staff data.
You don’t need a complaint to trigger an audit. The ICO can spot-check any site, especially high-profile ones.
How to prepare
If the ICO contacted you tomorrow, would you be ready?
We were, because we’d built compliance into our daily operations. Using iubenda’s CMP made it easier to meet the standards and show we take privacy seriously.
The ICO isn’t looking for perfection. They want to see that you’re making a genuine effort, that you respect user choices and that you can back it up with evidence.
That’s what we did. And that’s what you can do too.