Keeping track: the ICO's regulation of online advertising tracking

Who: Information Commissioner’s Office (ICO)

Where: United Kingdom

When: 23 January 2025

Law stated as at: 5 March 2025

What happened:

The UK’s data protection regulator has been proactive in tackling online advertising tracking in recent years. Looking ahead to the remainder of 2025, the regulator has pledged to “go further and faster” in ensuring that people have meaningful control over how they are tracked when online.

Online tracking strategy 2025

The ICO’s 2025 online tracking strategy puts special emphasis on the use of cookies and other tracking technologies for online advertising. Such activity allows businesses to gain highly individualised insights about people and make targeting decisions based on them. While the ICO acknowledges that many people enjoy receiving personalised ads, it stresses the importance of giving users meaningful control over their personal data. When this data relates to individuals’ vulnerabilities, beliefs, health or sexuality, lack of control can create risks.

The regulator has identified four areas affecting nearly all adults online, where people are not being given the control over tracking that they are entitled to under data protection laws:

1. Deceptive or absent choice: cookies are set regardless of users’ wishes, or people are not given an option to opt out of non-essential data processing.
2. Uninformed choice: a consent mechanism exists, but users lack simple information about the purposes for which they are agreeing to share their data.
3. Undermined choice: a consent mechanism and clear information are present, but, in reality, the data is not always processed as promised.
4. Irrevocable choice: there is no easy way for users to change their choices.

Plan of action

The ICO has a plan to ensure that people have meaningful control over how they are tracked online, including how it will engage with industry. During the remainder of 2025, the regulator intends to:

• Publish a statement setting out low-risk processing activities that are unlikely to result in the ICO taking enforcement action. This is part of a bid to encourage the adoption of more privacy-friendly forms of online advertising, which do not involve extensive profiling. The ICO will explore where the Privacy and Electronic Communications Regulations consent requirements might be discouraging such a shift.
• Engage with publishers over its “consent or pay” guidance and take action where it detects non-compliance.
• Publish its final guidance on storage and access technologies following the Data (Use and Access) Bill becoming law. 
• Extend its review of cookie consent by the UK’s top websites, including by using automated monitoring of website compliance.
• Consult on data protection guidance for Internet of Things (IoT) devices to ensure that users have meaningful control over tracking for personalised advertising on connected TVs and engage with app developers and connected TV manufacturers to promote compliance.
• Investigate potential non-compliance where data management platforms that connect online advertisers with publishers are concerned.
• Provide the public with guidance on how they can understand and control the use of their information online. 

‘Consent or pay’

Alongside its online tracking strategy, the ICO has published guidance on the use of personal data as part of a “consent or pay” business model. The ICO has confirmed that businesses can, in principle, use consent or pay models, but that it is challenging to implement them in compliance with data protection law. The UK and the EU have taken differing approaches on consent or pay models.

Updated cookie guidance

At the end of 2024, the ICO also published for consultation its draft updated guidance on storage and access technologies (previously known as the “detailed cookies guidance”). The updates to this guidance focus on online advertising, the wider range of tracking technologies beyond simply cookies, and on consent mechanisms.

Review of the UK’s top websites

The ICO has been actively scrutinising the advertising cookie practices of the UK’s most visited websites and communicating its concerns to their operators.

• In 2023, the ICO requested changes from 53 of the top 100 websites, highlighting concerns that users were not always given fair choices about being tracked for personalised ads. The regulator stressed that rejecting all non-essential cookies should be as easy as accepting them.
• In January 2024, the ICO reported a positive response to its call to action and has since extended its review to the top 200 websites.
• For 2025 the ICO has set an ambitious goal to bring the top 1000 UK websites into compliance, saying that it will take enforcement action where required.

The ICO will also engage with major consent management platforms to ensure that the options they offer publishers comply with UK data protection law.

Why this matters:

The ICO has set out its vision clearly: “a fair and transparent online world where people are given meaningful control over how they are tracked online.” The regulator expects organisations to reflect this in their practices.

The ICO wants to make it easier for businesses to comply with data protection laws while ensuring they stay competitive in the digital advertising landscape. Through its strategy, it aims to clarify how the law applies and provide the necessary guidance. However, the regulator also emphasises that it will investigate non-compliance and take action where necessary. 

Organisations need to keep abreast of the ICO’s proactive approach to online tracking and make sure their users are informed about, and given meaningful control over, how their data is used for advertising.