ConsentScout

Cookie Compliance: UK Banks

2026-03-19 • dataset: banking-scan-results.csv

"One bad apple."

The picture in UK banking is markedly better than in previous testing of local councils and CMP vendors. Where those sectors saw failure rates of 37% and 29% respectively, the banking sector produces just one outright failure from sixteen valid results.

That failure belongs to Lloyds Bank. And it is not a marginal case.

The one failure: Lloyds Bank

Before a visitor to lloydsbank.com can interact with the consent banner - or even read it - identifiers associated with analytics, marketing, and monitoring have already been set.

Dynatrace, a real-user monitoring and analytics product, sets five cookies on arrival: dtPC, dtCookie, rxVisitor, rxvt, and dtSa. These identify the visitor's session and device and begin tracking behaviour from the moment the page loads.

Adobe Audience Manager sets demdex - a cross-site identifier that Adobe uses to link user profiles across domains and build audience segments for targeted advertising. Adobe Analytics also fires, setting AMCV, AMCVS, and s_cc. None of these cookies is held back until the user has given consent. None wait.

A consent banner was present and detectable, but non-required cookies were set on first load before any consent interaction.

For a regulated financial institution operating under UK GDPR and PECR, this is a significant gap. Lloyds processes sensitive financial data for millions of customers. The expectation of consent hygiene on a public homepage should be higher, not lower.

The broader picture: requires manual verification

The dominant result across the dataset is warn - thirteen of sixteen valid sites. This is a different pattern from the council and CMP vendor datasets, where warns typically indicated non-required cookies present but ambiguously classified. Here, the warn verdict largely reflects a different limitation: unclassified infrastructure cookies that automated testing cannot definitively categorise, and which require human review to resolve.

LivePerson chat IDs (LPVID, LPSID) appear at NatWest, Nationwide, RBS, and others - cookie names associated with customer support chat widgets, which occupy a grey area between functional and non-required. Tealium's utag_main tag manager cookie appears at Barclays, Lloyds, HSBC, and the Co-operative Bank. Each of these requires a human auditor to classify with confidence. That is the purpose of the warn verdict.

This does not mean the warns are clean. Several banks almost certainly set non-required cookies that automated scanning cannot classify with confidence. Manual audits of these results would likely surface additional issues. But the automated failure rate - one site in sixteen - is notably lower than in any sector we have previously scanned.

Challengers lead on Google Consent Mode

All four banks with Google Consent Mode correctly configured in Advanced mode are digital-first or challenger institutions: Metro Bank, Starling Bank, Reliance Bank, and Monese. Not one of the traditional high street banks - Barclays, HSBC, NatWest, Nationwide, Lloyds - had GCM detected under this methodology.

This mirrors the pattern in the CMP vendor dataset, where GCM adoption split sharply between those who had invested in modern consent infrastructure and those who had not. In banking, that split follows the challenger/incumbent line almost exactly.

A note on CMP detection

Eleven of the seventeen scanned banks show "no recognised CMP" - a higher proportion than any previous dataset. This does not mean eleven banks have no consent layer. It means eleven banks have no consent layer that ConsentScout currently recognises.

Large financial institutions frequently build bespoke consent management systems rather than licensing a commercial CMP. Barclays, HSBC, and Lloyds all present consent banners on first load - the scanner detects the banners themselves - but their underlying implementation uses proprietary code that does not match any known CMP fingerprint. This is a limitation of the scanner's coverage, not evidence of absent consent infrastructure.

The practical implication is that PASS verdicts in this dataset are artificially constrained: a bank with a clean cookie profile and a working custom consent banner would receive warn rather than pass, because the CMP requirement cannot be satisfied by an unrecognised implementation. Starling Bank, Reliance Bank, and Monese all set zero non-required and zero unclassified cookies - a cleaner first-load profile than either of the two sites that received a formal PASS - but are scored warn due to this detection gap.

This makes Lloyds' failure more striking, not less. Lloyds has a detectable consent banner. The scanner sees it clearly. The banner simply does not stop the trackers.

Notable results

Santander and Cahoot both passed cleanly - no non-required cookies, recognised CMP (OneTrust), and no ambiguous signals. Cahoot is a Santander subsidiary; both sites share the same CMP configuration and both benefit from it.

Metro Bank has the most comprehensive consent setup in the dataset: OneTrust CMP, GCM Advanced, and no non-required or unclassified cookies on first load. The scanner returned a warn verdict due to detection confidence thresholds, but the cookie profile is clean.

Revolut blocked the scanner with a 403 response and is excluded from all totals.

Methodology

Scans were performed using ConsentScout with headless Chromium (Windows desktop user agent, en-GB locale). Each URL was loaded once in a fresh browser context (no stored cookies, no cached storage, no prior consent state) with no user interaction. A site is marked PASS only if, on first load, (1) no cookies classified as non-required (Analytics, Marketing, or Personalisation) are set, and (2) a recognised Consent Management Platform (CMP) is detected. FAIL indicates that one or more cookies were set on first load that are not typically considered "required" for delivering the requested service (e.g., analytics identifiers, marketing tags, cross-site IDs, or similar). WARN indicates cookies were set that ConsentScout could not confidently classify and therefore require manual verification. Sites returning HTTP errors, DNS failures, or timeouts are excluded from PASS/WARN/FAIL totals.
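The verdict rules above, sketched as an added example (this is not ConsentScout's own code). The rule table, the function names, the treatment of JSESSIONID as required, the Analytics label for the Adobe AMCV_/AMCVS_ cookies, and the sample scans are all assumptions made for illustration; the detection confidence thresholds mentioned for Metro Bank are not modelled.

```javascript
// Added example: name rules built from the cookies this report mentions.
// Trailing "*" means prefix match (Adobe appends an org ID to AMCV_/AMCVS_).
const RULES = [
  ["dtPC", "Analytics"], ["dtCookie", "Analytics"], ["rxVisitor", "Analytics"],
  ["rxvt", "Analytics"], ["dtSa", "Analytics"], ["s_cc", "Analytics"],
  ["AMCV_*", "Analytics"], ["AMCVS_*", "Analytics"], ["demdex", "Marketing"],
  ["JSESSIONID", "Required"], // assumption: treated as strictly necessary
];
const NON_REQUIRED = new Set(["Analytics", "Marketing", "Personalisation"]);

function classify(name) {
  for (const [pattern, category] of RULES) {
    const hit = pattern.endsWith("*")
      ? name.startsWith(pattern.slice(0, -1))
      : name === pattern;
    if (hit) return category;
  }
  return "Unknown"; // e.g. LPVID, LPSID, utag_main: left for manual review
}

// scan: { site, status, cmp, cookies: [names set on first load, no interaction] }
function verdict(scan) {
  if (scan.status !== 200) return "EXCLUDED"; // HTTP errors never count in totals
  const cats = scan.cookies.map(classify);
  if (cats.some((c) => NON_REQUIRED.has(c))) return "FAIL";
  if (cats.includes("Unknown")) return "WARN";
  return scan.cmp ? "PASS" : "WARN"; // clean profile, unrecognised CMP: still WARN
}

function tally(scans) {
  const totals = { PASS: 0, WARN: 0, FAIL: 0, EXCLUDED: 0 };
  for (const s of scans) totals[verdict(s)] += 1;
  return totals;
}

// Constructed first-load results (not rows from banking-scan-results.csv).
const SAMPLE = [
  { site: "tracker-first.example", status: 200, cmp: null,
    cookies: ["JSESSIONID", "rxVisitor", "demdex", "AMCVS_ORGID%40AdobeOrg"] },
  { site: "chat-widget.example", status: 200, cmp: "OneTrust",
    cookies: ["JSESSIONID", "LPVID", "utag_main"] },
  { site: "bespoke-banner.example", status: 200, cmp: null, cookies: ["JSESSIONID"] },
  { site: "clean-cmp.example", status: 200, cmp: "OneTrust", cookies: ["JSESSIONID"] },
  { site: "blocked.example", status: 403, cmp: null, cookies: [] },
];

console.log(SAMPLE.map((s) => `${s.site}: ${verdict(s)}`).join("\n"));
console.log(tally(SAMPLE));
```

The third sample site shows the detection gap discussed under "A note on CMP detection": a clean cookie profile behind an unrecognised banner still scores WARN.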

Pass, Warn, Fail

Verdict distribution across 16 valid UK bank homepages. One site failed outright - Lloyds Bank, firing analytics and marketing trackers before any user interaction. Two passed cleanly. The remainder received a warn verdict, largely due to unclassified cookies requiring manual review.

Pass: 2 sites (13%)
Warn: 13 sites (81%)
Fail: 1 site (6%)
16 scanned (excluding errors)

Google Consent Mode Adoption

Four banks have Google Consent Mode detected in Advanced mode - Metro Bank, Starling, Reliance Bank, and Monese. All four are challengers or digital-first banks. No traditional high street bank had GCM detected under this methodology.

Cookies Firing Before Consent at Lloyds

The non-required cookies set on first load at lloydsbank.com before any user interaction. Dynatrace analytics (dtPC, dtCookie, rxVisitor, rxvt, dtSa) and Adobe Audience Manager and Analytics (demdex, AMCV, AMCVS, s_cc) fire immediately on arrival.

CMP Usage Across UK Banks

Which consent management platform each scanned bank deploys. OneTrust accounts for all identified CMPs. Eleven of the seventeen sites have no recognisable CMP - though some of these pass or nearly pass on cookie behaviour alone.

Valid scans: 16
Pass: 2 (12.5%)
Warn: 13 (81.3%)
Fail: 1 (6.3%)
Warn + Fail: 14 (87.5%)

Failing sites

siteurlcmpbannerDetectedgcmEnableduetEnabledrequiredCountnonRequiredCountunknownCountnonRequiredCookies
www.lloydsbank.comhttps://www.lloydsbank.comScanyes (100%)nono299rxVisitor@.lloydsbank.com (Analytics); dtSa@.lloydsbank.com (Analytics); demdex@.demdex.net (Marketing); AMCVS_230D643E5A2550980A495DB6%40A…
1 rows where verdict = Fail

This report is provided “as is” for research and informational purposes only and does not constitute legal, compliance, or professional advice. Results are derived from automated testing and heuristic classification and may contain false negatives or misclassification. Observed behaviour can vary materially due to location, timing, consent state, user settings, experimentation, third-party scripts, and vendor configuration. No representations or warranties are made regarding accuracy, completeness, non-infringement, or suitability for any purpose. Use of this report and any reliance on it is entirely at your own risk. The author accepts no responsibility or liability (to the fullest extent permitted by law) for any direct or indirect loss, reputational harm, or other consequences arising from use, publication, or interpretation of these findings.