Out-Law News
15 Jul 2025, 10:44 am
The UK’s Information Commissioner’s Office (ICO) must strike a ‘careful balance’ as it explores options for a new enforcement approach to unlock privacy-preserving alternatives to the adtech business model, experts say.
Kathryn Wynn and Malcolm Dowden, data protection law experts at Pinsent Masons, were commenting after the UK data regulator launched a consultation to gauge the industry’s views on how best to approach the new regulatory requirements in relation to cookies and similar technologies.
The regulator also published a second consultation paper on potential changes to cookie guidance and the enforcement of consent requirements after the Data (Use and Access) Act (DUAA) received Royal Assent last month, with its main substantive provisions likely to be brought into force between November 2025 and June 2026.
The ICO is seeking to incorporate within its guidance changes introduced by the DUAA, which allow for possible exemptions from consent for certain low-risk functions, such as statistical analysis and service improvement.
Stephen Almond, the ICO’s executive director for regulatory risk, said in a statement: “Online advertising doesn’t have to come at the expense of privacy. We want to see industry develop new models that put users in control, while supporting publishers and platforms to thrive.” He said that the industry’s responses would help inform potential secondary legislation under the DUAA.
The DUAA includes some provisions aimed at reducing administrative and compliance burdens in relation to cookies and other tracking technologies used to drive and target online advertising. It also increases the penalties and extends the enforcement powers available to the ICO under the Privacy and Electronic Communications Regulations 2003 (PECR) in relation to cookies and direct marketing.
PECR has also been brought into alignment with UK GDPR. This means that, once the relevant provisions are in force, businesses will face a maximum penalty of up to £17.5 million, or 4% of their global annual turnover – whichever is higher – for breaching UK data protection laws in relation to non-compliant cookies or unlawful direct marketing.
Under regulation 6 of PECR, storing or accessing information on a device is prohibited unless consent is obtained or an exemption applies.
To date, PECR has accounted for the majority of ICO enforcement actions, driven in part by the fact that intrusive tracking or unsolicited marketing calls, texts or emails tend to generate complaints. However, the ICO says it is now exploring whether publishers could rely on storage and access technologies – cookies – for specific advertising purposes without consent, where the associated risks to users' privacy are demonstrably low.
Commenting on the consultations, Dowden said: “The outcome is likely to be a careful balance, seeking to facilitate specific low risk adtech use cases while holding firmly to the general requirement for consent for most targeted advertising, with enhanced penalties to drive compliance.”
Wynn said the regulator would also need to be mindful of how the UK’s updated data protection regime complements existing EU data protection laws. “The ICO will also have to bear in mind the risk of excessive divergence from protections available in the EU and EEA, not least because the EU-UK adequacy decision is due for review and renewal by 27 December 2025,” she said.
The ‘adequacy decisions’ related to the UK – which provide for the free flow of personal data between EU countries and the UK – were due to expire on 27 June 2025. However, in March the European Commission said it would extend the deadline by six months until 27 December 2025 to allow it more time to assess whether the UK’s updated data protection regime continued to meet the standards required for new adequacy decisions to be issued.