Lawful disruption: Personalised advertising, meaningful control and managing revenue risk
In our previous Lawful Disruption article we assessed the future of search advertising in the light of recent competition law changes. In this article, we focus on personalised or behavioural advertising and explain how a new regulatory approach to data protection is impacting advertising strategies - and revenue - and the resulting user experience.
Many news and content sites are now adopting the “consent or pay” model, which requires users either to accept tracking of their personal search history (through third party cookies and other tools), or to pay to access the content.
Nick Smallwood and Alastair Cotton explore whether this really is the death of the third party cookie.
Introduction
Online tracking technologies allow media businesses and their advertising partners to collect a treasure trove of useful data about the individuals who use their services. This data is then used to deliver personalised advertising, ie advertising which is tailored to users’ interests based on their browsing history.
Many media businesses rely heavily on the revenue they generate from personalised advertising, as it has been much more lucrative than advertising which is not personalised, because the click-through rate is typically much higher. This leads to more purchases being made, which is why advertisers are willing to pay media businesses higher rates for advertising space on their digital platforms.
It is therefore important for those businesses to be highly sensitive to any legal or regulatory changes that could put that revenue at risk. The Information Commissioner’s Office (ICO), the UK’s data protection regulator, has made it clear that it is focussing on giving individuals “meaningful control” of how they are tracked online. To achieve this, it will be paying closer attention to the data protection compliance of online services that track user data to deliver personalised advertising.
Media businesses need to ensure that they obtain consent for any online tracking which is not strictly necessary to deliver their services - and ensure that they provide their users with a clear explanation of how their data is used. This article explains:
- the law on online tracking for the purpose of delivering personalised advertising
- the regulator’s new approach to enforcement of the law, and
- alternative options, including the consent or pay model already adopted by some media businesses
Online tracking and how the law regulates it
The law in this area is not new - the Privacy and Electronic Communications Regulations (PECR) date back to 2003. They impose a restriction on ‘storing information’ or ‘gaining access to information stored’ in a user’s ‘terminal equipment’ (eg their mobile phone or laptop), unless:
- the user is provided with clear and comprehensive information about the purposes for which their information is being stored or accessed, and
- the user has given his or her consent
A variety of different online tracking technologies are used to store information and gain access to information stored on our mobile phones or laptops, including cookies, tracking pixels, link decoration and navigational tracking, web storage, fingerprinting techniques and scripts and tags. The humble cookie remains the most widely used.
Media businesses and their advertising partners will often use a variety of different tracking techniques to collect the user data they need to deliver personalised advertising. Most media businesses have a process for obtaining user consent for online tracking - the most common example is the ‘accept’ or ‘refuse’ button that we are all asked to click when we visit a website for the first time.
The question is whether those processes are good enough to withstand regulatory scrutiny. It is not enough to seek consent - as indicated above, users must also be provided with information that is both comprehensive and clear about the usage of their personal data. The complexity of modern digital advertising techniques makes this challenging.
As if that were not difficult enough, the UK GDPR says that in order to comply with data protection law, user consent must be “freely given”, “specific”, “informed” and “unambiguous”. UK data protection law also requires that users be given an opportunity to withdraw their consent for personalised advertising - and it should be easy for them to work out how to do so.
The ICO’s 2025 online tracking strategy
The ICO says that there are four ways in which users are not being given meaningful control of how their data is tracked for advertising purposes:
- no attempt is made to obtain consent
- consent is sought, but then not respected
- consent is sought, and respected, but the information provided is insufficiently clear and comprehensive to allow users to make an informed choice, as required by data protection law, and
- users are not given an opportunity to change their mind
Most media businesses do attempt to obtain consent for personalised advertising - and do respect their users’ choices. The challenge is providing choices that are clear and unambiguous enough to collect legally valid consent from users. The ICO is planning a number of initiatives in 2025 to improve compliance, including:
- Encouraging publishers to deploy “more privacy-preserving advertising that does not involve extensive profiling of people based on their online activity, habits and behaviour”. There is a hint that where publishers personalise advertising based on information that is not personal data, the government may change the law to make it clear that the PECR requirement to obtain consent does not apply.
- Reviewing whether the top 1000 UK websites obtain valid user consent for personalised advertising. The ICO also says that it has plans for ‘automated monitoring’ to check compliance on an ongoing basis.
- Taking action “to ensure that non-compliant online tracking does not continue unfettered on apps and internet-connected TVs and uphold a level playing field for web publishers”.
- Providing industry “with clarity on the requirements of data protection law, leaving no excuse for non-compliance”. The draft guidance on the use of storage and access technologies is currently subject to a consultation and is due to be finalised later this year, and
- Investigating “potential non-compliance in the data management platforms that connect online advertisers and publishers” and examining “the case for further action to ensure that people can easily withdraw their consent from all organisations that their personal information has been shared with”.
These initiatives should not be ignored. The ICO’s approach is becoming more proactive and stringent. For example, following its first review of the top 100 UK websites, the ICO wrote to 53 companies warning that they would face enforcement action if changes were not made. 52 companies implemented changes as a result. The only media business to hold out - gossip website Tattle Life - is now the subject of an ICO investigation.
Alternative models: consent or pay and contextualised advertising
Last week, the Guardian was the latest newspaper to adopt a so-called ‘consent or pay’ business model. They explain the business model as follows:
“Advertising remains a crucial part of how we fund our journalism. Personalised advertising is a common feature of many websites and leads to a more dynamic experience for readers. If readers reject personalised advertising via the “It’s your choice” pop-up banner, it is more difficult for us to generate revenue from the advertising they do see.
“Put simply, the more people who press “reject”, the less money we have to fund the quality reporting you value from the Guardian, including in-depth investigations and world-leading climate coverage.
“As a result, we are now asking readers who aren’t already paying for an ad-free experience to pay to reject personalised advertising. Many similar news organisations have been asking readers to do this for a long time. Readers can continue to read the Guardian without a subscription but they will need to select “Accept all” when asked to make their consent choice”.
Both the ICO and the European Data Protection Board have recently issued opinions about the lawfulness of consent or pay business models (with the ICO making rather more encouraging noises), but this solution to the data protection compliance challenges of personalised advertising is no panacea. Its advocates would argue that it does at least offer a clear choice (eg accept personalised advertising or pay a fee to remain anonymous). Its detractors argue that if an online service is ubiquitous and used by everyone, or if fees charged are too high then users are still not really being given a meaningful choice about whether to accept personalised advertising or not.
Contextual advertising, by contrast, involves ads placed on websites based on the content of those websites, rather than users’ personal characteristics (for example, a company that sells football boots paying to display ads on a sports blog). This form of advertising might work well for publishers who cater to a specific demographic (eg high-income individuals whom luxury brands may wish to target). The ICO has said that it is looking to encourage this form of advertising, which it regards as more likely to preserve user privacy.
How should media businesses respond?
- Consider the viability of different approaches to advertising in the context of your business. Could your business maintain its digital ad revenue by shifting to contextual advertising – what the ICO refers to as ‘privacy preserving advertising’ – ie working with advertising partners that are content to place ads on your website based on its content, rather than on users’ personal information?
- Is consent or pay the answer? Regulatory guidance is still being developed and will need to be monitored on an ongoing basis (see below).
- Keep up to date with the latest developments in this rapidly evolving space. Did you know, for example, that the ICO recently rebuked Google for reversing its policy not to use ‘device fingerprinting’ to track users online?
- Finally, and most importantly, review your processes for obtaining consent for personalised advertising. This is an area where legal advice can be invaluable to protect your ad revenue without risking regulatory action for non-compliance with data protection law.
Further information
It will be important to keep up to date with the latest developments in this rapidly evolving area. Developments that we will be tracking and reporting on include:
- the ICO’s new guidance on ‘consent or pay’ models. The European Data Protection Board issued an opinion on the same subject and is developing more detailed guidance.
- the ICO’s rebuke of Google for reversing its policy not to use ‘device fingerprinting’ to track users online
- whether Google – after a long will they, won’t they saga – may finally be discontinuing the use of third party cookies in Chrome.
If you wish to read more about this topic please also see: Consent or else you’ll pay!
In a future article in this Lawful Disruption series we will also be looking at how AI is impacting digital advertising strategies and whether technology will be a solution to the data protection challenges.