
9th March 2026

The UK Website Health Check 2026


Every day, millions of people across the UK visit websites to shop, bank, compare prices, book holidays, read the news and manage their energy. These are household names. The brands we trust with our money, our data and our attention.

But how well are those websites actually built? Are they fast enough to keep mobile users engaged? Are they accessible to the 16 million disabled people in the UK? Are they respecting your privacy under GDPR? And are they doing the basic things that any well-maintained website should be doing to keep visitors safe?

We decided to find out. As a web development agency that builds, maintains and optimises websites every day, we audited 200 of the UK’s biggest consumer-facing websites across 20 sectors, scoring each one on five key pillars of website health.

The findings are worse than we expected.

 

Key findings

 

The table above shows every sector ranked by overall composite score. The colour coding tells its own story. The deeper the red, the worse the performance.

But the composite score only tells part of the story. Each pillar reveals a different problem, and a different set of industries failing their customers.

 

Cookie compliance: The majority of major UK websites are breaking the law

This is the headline finding, and it is not ambiguous.

Under the UK’s implementation of GDPR and the Privacy and Electronic Communications Regulations (PECR), non-essential cookies must not be placed on a user’s device until they have given explicit, informed consent. That means no analytics cookies, no marketing pixels, no advertising trackers, no third-party scripts. Not until the user has actively clicked “accept” or made a clear affirmative choice.

The reality is very different. We visited all 200 sites in a clean browser with no prior cookies, no logged-in accounts, no previous consent given, and recorded every cookie that was set before the consent banner was interacted with. The results were stark.

120 out of 200 websites failed. That is 3 in 5 (60%) of the UK’s biggest consumer-facing brands setting tracking cookies before asking permission.

Seven sectors had a failure rate of 80% or higher. Telecoms stands alone at 100%. Every single site we tested is dropping non-essential cookies before the user has been asked. News & Publishing follows at 90%, then Insurance, Comparison Sites, Healthcare, Property and Streaming & Entertainment, all clustered at 80%.

At the other end of the scale, Banks, Government & Public Services and Supermarkets & Grocery all achieved 80% pass rates. There is a pattern here: the sectors with the heaviest regulatory scrutiny, banking and government, are the ones getting this right. The sectors with less oversight are, by and large, not.

The cookie banner problem

The issue is rarely the absence of a cookie banner. Every site in our study had one. The problem is… the banner is cosmetic.

It pops up, it looks compliant, and meanwhile Google Analytics, Meta Pixel, advertising tags and various third-party scripts are already running in the background. The banner is wallpaper. It creates the appearance of compliance without the substance.

Proper cookie consent implementation requires that non-essential scripts are blocked by default and only fire once the user has made an active choice. This is a website maintenance task.

It involves configuring tag managers, consent management platforms and server-side cookie controls so that nothing loads until it should. It is not difficult. It is not expensive. It is simply not being done.

What is actually in those cookies?

Across all 200 sites, we identified and classified 1,731 individual cookies being set before consent. Every single one was categorised:

The critical figure is the combined 39% that are analytics or marketing cookies. These 670 cookies have no legitimate basis for running before the user has given consent. They are the difference between a compliant website and a non-compliant one.
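The pre-consent check described in this section can be reproduced against your own site. The following is an added example, not the study's tooling: it takes the cookie jar captured from a clean browser profile before the banner is touched and flags analytics and marketing cookies. The name patterns, the sample jar and the domain `shop.example.test` are assumptions for illustration.

```python
# Pre-consent cookie audit. Input: the cookie jar captured from a clean browser
# profile BEFORE the consent banner is touched, as (name, domain) pairs.

# Assumption: a short illustrative pattern list, not the study's classification.
NON_ESSENTIAL = {
    "analytics": ("_ga", "_gid", "_gat"),   # Google Analytics
    "marketing": ("_fbp", "_gcl_au"),       # Meta Pixel, Google Ads conversion linker
}


def classify(name):
    """Return 'analytics', 'marketing' or 'unclassified' for a cookie name."""
    for category, patterns in NON_ESSENTIAL.items():
        for p in patterns:
            # Exact name, or a suffixed form such as _ga_<container id>
            if name == p or name.startswith(p + "_"):
                return category
    return "unclassified"


def is_third_party(cookie_domain, site_domain):
    """True when the cookie domain is unrelated to the site (no public-suffix handling)."""
    c = cookie_domain.lstrip(".").lower()
    s = site_domain.lower()
    return not (c == s or s.endswith("." + c) or c.endswith("." + s))


def audit_pre_consent(site_domain, cookies):
    """Fail the site if any analytics or marketing cookie exists before consent."""
    report = {"analytics": [], "marketing": [], "unclassified": []}
    third_party = []
    for name, domain in cookies:
        report[classify(name)].append(name)
        if is_third_party(domain, site_domain):
            third_party.append(name)
    violations = report["analytics"] + report["marketing"]
    return {
        "verdict": "fail" if violations else "pass",
        "violations": violations,
        "third_party": third_party,
        "needs_review": report["unclassified"],  # classify these by hand
    }


# Constructed sample jar for a hypothetical site, shop.example.test
SAMPLE_JAR = [
    ("PHPSESSID", "shop.example.test"),
    ("_ga", ".example.test"),
    ("_ga_ABC123XYZ", ".example.test"),
    ("_fbp", ".example.test"),
    ("uid", ".adnetwork.example"),
]

if __name__ == "__main__":
    print(audit_pre_consent("shop.example.test", SAMPLE_JAR))
```

Cookies left in `needs_review` are not automatically compliant; they still need a purpose assigned before the site can be called a pass.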

The enforcement context

Under GDPR, the penalties for non-compliance are significant: fines of up to £17.5 million or 4% of global annual turnover, whichever is higher. The ICO has been increasing its enforcement activity in recent years, and the European Data Protection Board has been issuing guidance that specifically addresses cookie consent mechanisms.

The fact that 60% of the UK’s biggest websites are technically in violation suggests that enforcement has not yet caught up with reality. But the direction of travel is clear, and the organisations that get ahead of this now will avoid both the reputational damage and the financial risk when enforcement does escalate.

If your business relies on a website, particularly if you are collecting user data or running analytics, it is worth checking whether your cookie consent implementation is actually doing what it claims to be doing.

A properly maintained WordPress site, for example, should have its consent management platform configured to block all non-essential scripts by default, with tag manager triggers that only fire after consent is recorded.

 

Speed: The UK’s biggest websites are losing customers before the page loads

Website speed is not a vanity metric. It directly affects whether people stay on your site, whether they buy from you, and whether Google ranks you above your competitors.

Google’s own research has consistently shown that as page load time increases, the probability of a visitor leaving rises sharply. The shift from a one-second load time to three seconds increases bounce probability by 32%. At five seconds, it rises by 90%. For mobile users, who now account for over 60% of UK web traffic, the impact is even more pronounced.

We measured speed using Google Lighthouse’s performance audit, blending mobile scores (weighted at 70%) with desktop scores (30%) to reflect how people actually browse. A score of 90 or above is considered good. Below 50 is poor.

The average speed score across all 200 sites is just 54.6 out of 100. That puts the typical major UK website firmly in the “needs improvement” category.

Telecoms finishes bottom once again with an average of 39.3, comfortably in the poor range. The companies selling us faster internet connections have the slowest websites. News & Publishing (43.7) is not far behind, weighed down by the heavy advertising scripts and third-party trackers that fund the industry.

At the top, Comparison Sites (69.8) and Government & Public Services (69.3) lead. Both are sectors where speed directly affects usability and user retention. Insurance (68.9) performs well too, likely because quote-and-compare journeys need to load quickly to retain impatient shoppers.

The spread within sectors

The range plot above reveals something the averages do not: the enormous variation within sectors. Supermarkets range from 22.5 to 86.4, a 64-point gap between the best and worst in the same industry. Government ranges from 45.5 to 100. These are not marginal differences. They represent fundamentally different approaches to web development and performance optimisation.

What makes a website slow? Typically it is a combination of unoptimised images, excessive JavaScript, too many third-party scripts, poor server response times, and a lack of caching. These are not unsolvable problems. They are maintenance problems. The kind of things that accumulate when a website is built and then left alone.

Performance degrades gradually as plugins are added, content grows, and third-party scripts pile up. Regular website maintenance that includes performance auditing, image optimisation, script management and caching configuration is what prevents this decay.

 

Accessibility: The £274 billion blind spot

There are approximately 16 million people in the UK living with disability, roughly 24% of the population. Their collective spending power, often referred to as the Purple Pound, is estimated at £274 billion per year. When a website is not built to be accessible, it is not just excluding people. It is excluding their money.

We measured accessibility using Google Lighthouse’s accessibility audit, which tests against the Web Content Accessibility Guidelines (WCAG) 2.1 standard. This covers things like colour contrast, keyboard navigation, screen reader compatibility, alt text on images, form labelling and heading structure. A score of 90 or above indicates a site that meets most accessibility requirements. Below 70 indicates significant barriers for disabled users.

The good news

Accessibility is the strongest pillar across the board. The average score across all 200 sites is 93.1, comfortably above the good threshold. No sector averages below 88.

Insurance leads at 97.2, followed by Government & Public Services at 95.9 and Comparison Sites at 95.8. Government websites’ strong performance is expected. Public sector websites in the UK are legally required to meet WCAG 2.1 AA standards under the Public Sector Bodies Accessibility Regulations 2018. The fact that the private sector is broadly keeping pace, despite having no equivalent legal obligation, is encouraging.

The nuance

But sector averages can be misleading. Within each sector, the gap between the most and least accessible site can be substantial. An average of 93 still means that a meaningful number of individual sites are falling short, particularly in News & Publishing (88.1) and Travel & Hospitality (88.2), both sectors where complex page layouts, dynamic content and heavy advertising make accessibility harder to maintain.

Accessibility is not a one-time task. It is something that needs to be considered in every design decision, tested regularly, and maintained as content changes. A site that scores well today can score poorly in six months if new content is added without proper heading structure, images are uploaded without alt text, or interactive elements are introduced without keyboard support.

The commercial case for accessibility is straightforward. Excluding 24% of the UK population from your website is not just an ethical failure. It is a business one. And with increasing attention being paid to digital accessibility across both the public and private sectors, the organisations that invest in it now will be better positioned when expectations (and potentially regulations) tighten.

 

Security: The headers most websites are missing

Security headers are one of the simplest, most effective protections a website can have, and one of the most commonly overlooked. They are not software. They are not code changes. They are server configuration settings that tell the browser how to handle the connection, and they protect visitors from some of the most common attacks on the web.

We checked for six standard HTTP security headers:

Each site was scored on how many of these six headers were present. A score of 100 means all six were found. A score of zero means none were.

The results are poor

The average security header score across all 200 sites is just 55 out of 100. That means the typical major UK website is missing nearly half of the basic security protections available to it.

Banking leads at 76.8, unsurprising given the regulatory environment, and Healthcare follows at 75.1. But even the best-performing sectors are leaving gaps.

At the bottom, Retail scores just 38.4 and Streaming & Entertainment 41.8. These are sectors where users are entering payment details, creating accounts and sharing personal information on sites that are missing fundamental protections.

Why this matters

Each missing header represents a specific vulnerability. Without HSTS, a user on public Wi-Fi could have their connection silently downgraded to unencrypted HTTP. Without CSP, a compromised advertisement or third-party script could inject malicious code into the page. Without X-Frame-Options, a user could be tricked into clicking buttons on your site while thinking they are interacting with something else entirely.

The remarkable thing about security headers is how easy they are to implement. For most web servers, adding all six is a matter of a few lines of configuration. It does not require a redesign. It does not require new code. It is a straightforward maintenance task that can typically be done in under an hour, and yet the majority of the UK’s biggest websites have not done it.

If you are responsible for a business website, particularly one that handles user data or payments, checking your security headers is one of the fastest, cheapest improvements you can make. Tools like securityheaders.com will scan your site for free in seconds.
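A presence-only score can hide headers that are set but ineffective. The following added example (not the study's scoring code) checks the three headers named above, HSTS, CSP and X-Frame-Options, and also validates their values. Treating a CSP `frame-ancestors` directive as equivalent framing protection, and scoring out of three rather than the study's six, are assumptions of this sketch.

```python
import re


def check_headers(headers):
    """headers: dict of HTTP response headers. Returns (score 0-100, issues)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    issues = []
    effective = 0

    # HSTS: max-age=0 tells the browser to forget the policy, so it does not count.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        issues.append("HSTS missing")
    else:
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.I)
        if m and int(m.group(1)) > 0:
            effective += 1
        else:
            issues.append("HSTS present but max-age missing or 0")

    # CSP: a report-only policy logs violations without blocking anything.
    csp = h.get("content-security-policy")
    if csp is not None:
        effective += 1
    elif "content-security-policy-report-only" in h:
        issues.append("CSP is report-only, nothing is enforced")
    else:
        issues.append("CSP missing")

    # Framing: X-Frame-Options DENY/SAMEORIGIN, or CSP frame-ancestors.
    xfo = h.get("x-frame-options", "").upper()
    has_frame_ancestors = csp is not None and "frame-ancestors" in csp.lower()
    if xfo in ("DENY", "SAMEORIGIN") or has_frame_ancestors:
        effective += 1
    elif xfo:
        issues.append("X-Frame-Options value is not DENY or SAMEORIGIN")
    else:
        issues.append("no framing protection (X-Frame-Options or frame-ancestors)")

    return round(100 * effective / 3), issues


# Constructed sample responses
STRONG = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}
WEAK = {
    "strict-transport-security": "max-age=0",
    "Content-Security-Policy-Report-Only": "default-src 'self'",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
}

if __name__ == "__main__":
    for name, sample in (("strong", STRONG), ("weak", WEAK)):
        print(name, check_headers(sample))
```

The `WEAK` sample would pass a check that only looks for header names, yet none of its three protections is actually in force.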

 

SEO and standards: The technical foundation

SEO and web standards might seem like the least dramatic of the five pillars, but they are the foundation that everything else sits on. If your site is not crawlable, if your meta tags are missing, if you are using deprecated APIs, if your HTTPS implementation is incomplete, none of the other work matters, because search engines will not send you the traffic to see it.

We scored each site using the average of Google Lighthouse’s SEO and Best Practices audits. The SEO audit checks for things like meta descriptions, crawl directives, link text, image alt attributes and mobile-friendliness. The Best Practices audit covers HTTPS implementation, deprecated API usage, console errors, and various technical hygiene factors.

This is the most consistently strong pillar across the board. The average score is 89.4, and most sectors cluster within a fairly narrow band. Government & Public Services leads at 94.3, and Streaming & Entertainment is close behind at 93.2.

The outliers at the bottom are more interesting. News & Publishing scores just 78.5, the lowest of any sector by a significant margin. Telecoms follows at 80.8. In both cases, the sites tend to be content-heavy, ad-heavy and technically complex, which creates more opportunities for standards to slip.

For SEO, or any other investment in search visibility, to deliver results, the technical foundation has to be solid. A website that is slow, insecure, inaccessible and non-compliant will struggle to rank regardless of how good the content is.

The five pillars we have measured here are not separate concerns. They are interconnected, and they are all things that a well-maintained website should be getting right as a matter of course.

 

What this means for your business

These are the UK’s biggest brands. They have dedicated development teams, six-figure web budgets, in-house legal departments and entire divisions focused on digital experience. And the majority of them are failing basic checks that any competently maintained website should pass.

If household names with those kinds of resources are getting cookie compliance wrong, missing security headers and shipping slow websites, what does that mean for the thousands of small and medium-sized businesses in the UK that do not have those resources?

It means the bar is low. And that is actually an opportunity.

A small business that gets these fundamentals right (a fast site, proper GDPR compliance, solid security headers, clean accessibility, good technical SEO) is outperforming the majority of the UK’s biggest brands in measurable, provable ways. That is a competitive advantage that does not require a six-figure budget. It requires attention, expertise and regular maintenance.

The issues we have identified in this study are not design problems. They are not about how a website looks. They are about how it is built, configured and maintained over time. Speed degrades as content and plugins accumulate. Cookie consent implementations break when tag managers are updated. Security headers get missed when servers are migrated. Accessibility slips when new content is added without proper structure.

These are the things that ongoing website maintenance exists to catch and fix. Not the glamorous side of web development, but arguably the most important.

If you are not sure how your own website would score on the checks we have run here, we would be happy to take a look.

Speed, security and GDPR compliance are all things we audit and address as part of our maintenance and development work, and as this study shows, even the biggest brands in the UK have room for improvement.

 

Methodology

We tested 200 UK consumer-facing websites across 20 sectors (10 sites per sector). Sites were selected on the basis of brand recognition, UK audience and consumer traffic volume. All data was collected in February 2026.

Each of the five pillars contributes 20% to the composite score. In the small number of cases where data for a pillar was unavailable (a handful of sites blocked automated scanning), the score renormalises across the remaining pillars.

The full data, including all 1,731 individual cookies, sector summaries, raw Lighthouse scores and live scoring formulas, is available upon request.

Craig Murphy

Craig Murphy is the founder and Managing Director of ALT Agency. He has worked in digital marketing and web development since the early days of the commercial internet, with a focus on growing businesses online. Craig is open about being autistic and how it shapes his approach to problem-solving, data and business leadership. Alongside agency work, he also runs a private investment business supporting early-stage entrepreneurs.
