Responding to the regulator’s demand to give people more control over personalised advertising
The Information Commissioner’s Office (ICO), the UK’s data protection regulator, has made it clear that it is focused on giving individuals “meaningful control” over how they are tracked online in 2025. To achieve this, it will be paying closer attention to the data protection compliance of organisations that track users online (ie, piece together information collected from the various online locations a user visits to build a profile of them) and deliver personalised advertising (ie, advertising tailored to users’ interests).
Organisations that use this kind of technology and data need to obtain consent for any online tracking that is not strictly necessary to deliver their services, and to give their users a clear explanation of how their data is acquired and used.
Online tracking and how the law regulates it
The law in this area is not new. The Privacy and Electronic Communications Regulations (PECR) date back to 2003. They impose restrictions on “storing information” and on “gaining access to information stored” in a user’s “terminal equipment” (eg, their mobile phone or laptop), unless:
- The user is provided with clear and comprehensive information about the purposes for which their information is being stored or accessed.
- The user has given their consent.
A variety of online tracking technologies are used to store information on, or gain access to information stored on, our terminal equipment, including cookies, tracking pixels, link decoration and navigational tracking, web storage, digital fingerprinting techniques, and scripts and tags, operating via websites, apps, email and some devices. Organisations, their advertising partners, and their technology and data suppliers will often combine several of these techniques to collect the user data they need to deliver personalised advertising. The humble cookie remains the most widely used, but it is important for us all to get out of the habit of over-focusing on cookies and websites.
Most tech companies and data suppliers have some kind of process for obtaining user consent for online tracking – typically online Privacy Notices addressed to the user. Many organisations that use tracking technology also have some kind of process, the most common example being the “accept” or “refuse” type button that we are all asked to click when we visit a website for the first time. The question is whether those processes are good enough to withstand regulatory scrutiny.
The task for those buttons is to seek consent and to produce the appropriate response to the user’s decision to grant or withhold it. For tracking within the scope of PECR, it is not enough merely to seek consent. As indicated above, users must also be given clear and comprehensive information about the tracking itself and about the subsequent uses of their personal data that rely on the tracking and the data acquired from it. The complexity of modern digital advertising techniques makes this challenging. As if that were not difficult enough, the UK GDPR says that, in order to comply with data protection law, user consent must be “freely given”, “specific”, “informed” and “unambiguous”. UK data protection law also requires that users be given an opportunity to withdraw their consent for tracking and personalised advertising, and that it be easy for them to work out how to do so.
There are alternative legal justifications, besides consent, that organisations and their technology and data supply chains may be able to rely on for some aspects of tracking and data use. Even then, users must be informed about the data, how it is used and the legal justification relied on, and they will often have related rights that must be observed, for example the right to object and the right to stop marketing.
The ICO’s 2025 online tracking strategy
The ICO says that there are four ways in which people are not being given meaningful control of how their data is tracked for advertising purposes:
- No attempt is made to obtain consent.
- Consent is sought, but then not respected.
- Consent is sought, and respected, but the information provided is insufficiently clear and comprehensive to allow users to make an informed choice, as required by data protection law.
- Users are not given an opportunity to change their mind.
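The four failure modes above, together with the task described earlier for the “accept”/“refuse” buttons, can be expressed as a small piece of front-end logic that a site owner can test against. What follows is an added example written for this article; it is not code from the ICO, from the authors, or from any consent-management vendor. The purpose taxonomy (necessary, analytics, advertising), the tag identifiers, the cookie names and the adapter interface are all hypothetical, chosen only to illustrate the points: nothing non-essential runs before an explicit opt-in, a missing or pre-ticked choice never counts as consent, the decision is honoured per purpose, and withdrawal is acted on rather than merely recorded.

```javascript
// Added example (not from the original article). A minimal consent gate for
// tracking tags. Purpose names, tag ids and cookie names are hypothetical.

const PURPOSES = new Set(['necessary', 'analytics', 'advertising']); // assumed taxonomy

class ConsentGate {
  // adapter: { loadTag(tag), deleteCookie(name) }. In a browser this would
  // inject a <script> and expire the cookie; a recording adapter is used below.
  constructor(adapter) {
    this.adapter = adapter;
    this.tags = [];
    this.consent = null;        // null = no decision yet (treated as "no" for everything)
    this.injected = new Set();  // tags whose script has been loaded at least once
    this.active = new Set();    // tags currently permitted to run
  }

  register(tag) {               // tag: { id, purpose, cookies: [names] }
    if (!PURPOSES.has(tag.purpose)) throw new Error(`unknown purpose: ${tag.purpose}`);
    this.tags.push(tag);
    this.apply();
  }

  isAllowed(tag) {
    if (tag.purpose === 'necessary') return true;   // PECR "strictly necessary" exemption
    return this.consent !== null && this.consent[tag.purpose] === true;
  }

  // An explicit per-purpose decision. Anything not affirmatively true is "no",
  // so a pre-ticked or missing box can never count as consent.
  setConsent(decision) {
    this.consent = { analytics: decision.analytics === true, advertising: decision.advertising === true };
    this.apply();
  }

  withdraw() { this.setConsent({}); }   // withdrawal must be as easy as granting

  apply() {
    for (const tag of this.tags) {
      if (this.isAllowed(tag)) {
        if (!this.active.has(tag.id)) {
          this.active.add(tag.id);
          if (!this.injected.has(tag.id)) {      // never inject the same script twice
            this.injected.add(tag.id);
            this.adapter.loadTag(tag);
          }
        }
      } else if (this.active.has(tag.id)) {
        // Withdrawal: a loaded script cannot be un-run, so stop treating it as
        // active and remove the data it set. (On a real page, reload after this.)
        this.active.delete(tag.id);
        for (const name of tag.cookies) this.adapter.deleteCookie(name);
      }
    }
  }

  // Audit helper: given the cookie names actually observed on the device,
  // return those belonging to tags the current consent does not permit.
  unexpectedCookies(observed) {
    const out = [];
    for (const tag of this.tags) {
      if (this.isAllowed(tag)) continue;
      for (const name of tag.cookies) if (observed.includes(name)) out.push(name);
    }
    return out;
  }
}

// Recording adapter so the behaviour can be inspected without a browser.
function recordingAdapter() {
  const log = [];
  return { log, loadTag: (t) => log.push(`load:${t.id}`), deleteCookie: (n) => log.push(`delete:${n}`) };
}

// Constructed walk-through: first visit, partial opt-in, then withdrawal.
function demo() {
  const adapter = recordingAdapter();
  const gate = new ConsentGate(adapter);
  gate.register({ id: 'session', purpose: 'necessary', cookies: ['sid'] });
  gate.register({ id: 'analytics', purpose: 'analytics', cookies: ['_an'] });
  gate.register({ id: 'adserver', purpose: 'advertising', cookies: ['_ad', '_adid'] });

  // A cookie set before any decision is the first/second failure mode above.
  const beforeConsent = gate.unexpectedCookies(['sid', '_ad']);
  gate.setConsent({ analytics: true });              // advertising not ticked, so "no"
  const afterPartial = Array.from(gate.active).sort();
  gate.withdraw();                                   // fourth failure mode: must be actionable
  return { log: adapter.log, beforeConsent, afterPartial, activeAfterWithdraw: Array.from(gate.active) };
}
```

In a real deployment the adapter’s loadTag would create the script element and deleteCookie would expire the cookie on every domain and path it was set for; unexpectedCookies is the check to run against the cookies actually present on a fresh visit, before and after each choice, since it is the observed behaviour rather than the banner wording that a reviewer of the kind the ICO describes will look at.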
Based on experience we can all readily observe that the ICO has a point. “Big Tech” and data companies typically do attempt to obtain consent for personalised advertising but perhaps fall down at item 4 (change of mind), if not in other areas too. Many other technology and data suppliers, and organisations that use tracking, need to review their compliance, and an additional challenge for them is providing choices that are clear enough to collect legally valid consent from users. This may be particularly difficult in supply chains where a lack of communication, consensus, unity of purpose (for using tracking and data) or flexibility about compliance and how to achieve it makes it hard to find, much less iron out, compliance wrinkles.
Challenging it might be, but it is a challenge to which organisations must rise, as the ICO is planning a number of initiatives in 2025 to improve compliance, including:
- Reviewing whether the top 1000 UK websites lawfully manage user consent for personalised advertising. (A review of the top 200 UK websites over the past two years showed that most were falling short of their legal obligations in some way.)
- Taking action “to ensure that non-compliant online tracking does not continue unfettered on apps and internet-connected TVs and uphold a level playing field for web publishers”.
- Providing industry “with clarity on the requirements of data protection law, leaving no excuse for non-compliance”. The draft guidance on the use of storage and access technologies is currently the subject of a consultation and is due to be finalised later this year.
- Investigating “potential non-compliance in the data management platforms that connect online advertisers and publishers” and examining “the case for further action to ensure that people can easily withdraw their consent from all organisations that their personal information has been shared with”.
How should you respond?
- Keep up to date with the latest developments in this rapidly evolving space. Did you know, for example, that the ICO recently rebuked Google for reversing its policy not to use “device fingerprinting” to track users online?
- Review your process for obtaining consent for personalised advertising.
- Drive compliance into your supply chain. Use tenders and RfPs to communicate your expectations, to carry out initial due diligence on operational and technical compliance, and to set out your required contractual terms and conditions.
Our content explained
Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.
Contact
Paul Knight
+441612348702
Nick Smallwood
+441223659016