Online tracking has become an inevitable part of daily digital experiences, often enabling personalised services but sometimes using information in ways users may not understand or expect.
The Privacy and Electronic Communications Regulations (PECR) and (UK) GDPR requirements are notoriously challenging for the digital advertising industry to meet because they fail to take into account the realities of the business model. 60% of cookie-related complaints received by the ICO in 2024 concerned people not being given the option to reject non-essential tracking, although people are also tired of endless pop-up banners asking for consent, often with non-GDPR-compliant cookie notices. For regulators and individuals alike, the picture has been further complicated by the emergence (following a string of CJEU rulings) of the 'consent or pay' model for online advertising – both in the EU and, to a lesser extent, in the UK.
It's not new for regulators to focus on online tracking. The European Data Protection Board has been active in this space and, at a national level, the French CNIL stands out. For the ICO, the challenge focuses on enforcing data privacy law in alignment with the government's pro-growth strategy.
Plans for 2025
On 23 January 2025, the ICO published its online tracking strategy for the year (strategy). It outlines the ICO's plans to promote compliance with data protection laws in the online tracking ecosystem, with a focus on safeguarding and empowering people to have meaningful control over their data while promoting responsible innovation and sustainable economic growth.
The strategy outlined the ICO's plans to "go further and faster" in 2025, heralded as part of a broader package of measures announced by the ICO on 16 January 2025, aimed at driving economic growth while maintaining high data protection standards. It follows on from a series of actions the ICO took in 2024, including consulting on fresh guidance for storage and access technologies like cookies and fingerprinting, examining 'consent or pay' business models, reviewing the UK's top 200 websites, and concluding investigations and audits of data management platforms.
Why this strategy matters
The ICO identified four areas where users are not being given the control to which they are entitled under UK data protection law.
- Deceptive or absent choice - 30% of the top 100 UK websites were setting advertising cookies without consent or even after users had declined consent. Many organisations were also adopting alternative tracking methods like fingerprinting without receiving genuine user consent.
- Uninformed choice - organisations often fail to provide simple information about the purposes of tracking, making informed decisions difficult, especially on smart devices.
- Undermined choice - even when organisations clearly state how they'll process user information and provide compliant consent mechanisms, information isn't always processed accordingly.
- Irrevocable choice - users often have no meaningful way to change their minds after initially agreeing to share their data. People have reported feeling powerless when trying to control how their data is shared online, because controls are complex and it can be difficult to exercise information rights.
The ICO is concerned that without action, compliant organisations face a 'first mover disadvantage' compared to competitors which continue with non-compliant practices, creating weak incentives for investment in approaches which respect users' privacy. The ICO wants to level the playing field, to make it easier for businesses to comply, and ensure user control over personal data.
The strategy
The focus of the strategy is on online advertising and, in particular, user control. Many of the initiatives complete or extend the work done in 2024.
Making it easier for publishers to adopt more privacy-friendly forms of online advertising
The ICO wants to make it easier for publishers to adopt more privacy-friendly forms of online advertising that don't involve extensive profiling of individuals. It will explore where PECR requirements might be hindering industry-wide shifts toward more privacy-friendly advertising approaches, such as contextual models, and will publish a statement outlining low-risk processing activities. The ICO plans to work with the government to develop secondary legislation to amend PECR consent requirements, to create an exemption for specific low-risk advertising purposes.
Ensuring publishers give people meaningful control over how they are tracked on websites
The ICO will continue to enforce consent requirements to ensure users have meaningful control over how their information is used. It is extending its monitoring around online tracking and personalised advertising from the top 200 to the top 1,000 most popular UK websites, implementing automated compliance monitoring.
Ensure people have meaningful control over tracking on apps and connected TVs
For the first time, the ICO will extend its scrutiny beyond web browsers to include apps and connected TVs, preventing non-compliant tracking from migrating to these platforms. The ICO will consult on guidance for IoT devices and intervene with app developers and TV manufacturers to promote compliance.
Confirm how publishers can deploy 'consent or pay'
Alongside its online tracking strategy, on 23 January 2025 the ICO published guidance on 'consent or pay' business models, clarifying how publishers can implement these approaches while allowing users to have meaningful control over their data. These models allow users to choose between consenting to tracking for free access or paying for access without being tracked.
Provide industry with clarity
The ICO will publish final guidance on storage and access technologies after the Data (Use and Access) Bill is finalised. The ICO will also work with the online advertising industry to develop a certification scheme which will enable organisations to demonstrate compliance with data protection laws, and support businesses looking to introduce novel solutions through its Regulatory Sandbox and Innovation Advice services.
Investigate compliance failures in the adtech ecosystem
Building on the audits it concluded last year, the ICO plans to investigate potential non-compliance in data management platforms that connect online advertisers and publishers. It will also examine the case for further action to ensure that people can easily withdraw consent from all organisations with which their personal information has been shared.
Support the public to take control of how they are tracked online
The ICO will publish guidance for the public on understanding and controlling how their information is used online, raising awareness of their rights.
What does this mean for you?
The strategy takes a comprehensive view of the online tracking ecosystem, addressing not just websites but also apps, connected TVs, and data management platforms, emphasising that all participants in the digital advertising supply chain will face regulatory scrutiny.
The ICO's expanded monitoring scope and implementation of automated compliance checks suggest a more rigorous enforcement landscape for businesses operating in the UK digital advertising ecosystem. The strategy places particular emphasis on protecting vulnerable users who may face greater risks from unchecked tracking, including potential discrimination or unwanted disclosure of sensitive information.
As UK Information Commissioner John Edwards indicated in his letter to the Prime Minister, the ICO aims to balance its protective role with supporting economic growth. This means that the ICO's approach recognises how important personalised advertising is to organisations. The ICO's guidance on 'consent or pay' models and exploration of privacy-friendly alternatives like contextual advertising show a desire to help businesses find compliant revenue models, and the ICO clearly wants to work with the industry, not against it. This is why it plans to offer regulatory sandboxes and innovation advice, and to develop certification schemes to help businesses demonstrate compliance with data protection laws.
For organisations involved in online advertising or tracking, the message is clear: the ICO is increasing scrutiny, expanding monitoring, and making a determined push towards ensuring users have genuine control over how their data is collected, used, and shared online. This applies whatever tracking technology is used. Despite this, the ICO will not lose sight of the economic importance of digital advertising, and aims to help businesses comply with their privacy obligations.