UK ICO Advocates for Privacy-Centric AdTech Business Models

The UK’s Information Commissioner’s Office (ICO) is taking significant steps to reshape the landscape of online advertising by advocating for a 'privacy-first' approach among advertising technology (adtech) providers. This initiative comes in light of recent consultations aimed at balancing privacy concerns with the evolving advertising needs of businesses. The ICO’s move is seen as a pivotal effort to adapt to the changing regulatory environment, particularly following the enactment of the Data (Use and Access) Act (DUAA).

On July 15, 2025, the ICO launched a formal consultation to gather insights from industry stakeholders regarding the new regulatory landscape surrounding cookies and similar technologies. Kathryn Wynn and Malcolm Dowden, experts in data protection law at Pinsent Masons, emphasized the importance of these consultations in shaping the ICO's future enforcement strategies. The ICO aims to align its guidance with the provisions of the DUAA, which received Royal Assent last month, and is expected to come into force between November 2025 and June 2026.

According to Stephen Almond, the ICO’s Executive Director for Regulatory Risk, the objective is to ensure that privacy does not become a casualty of online advertising practices. “Online advertising doesn’t have to come at the expense of privacy. We want to see the industry develop new models that put users in control while supporting publishers and platforms to thrive,” he stated. This stance reflects a broader commitment to fostering innovation within adtech while ensuring user privacy is a priority.

The DUAA introduces significant changes to cookie regulations, including the potential for exemptions from consent for low-risk activities such as statistical analysis and service improvements. This shift could ease compliance burdens for businesses while maintaining essential privacy protections. As per the updated framework, organizations may face penalties up to £17.5 million or 4% of their global annual turnover for violations related to non-compliant cookies or unlawful direct marketing, a stark increase from previous penalties under the Privacy and Electronic Communications Regulations (PECR).

Historically, the PECR has been a key driver of ICO enforcement actions, with a significant number of complaints arising from invasive tracking practices and unsolicited marketing communications. However, the ICO is now considering allowing publishers to utilize cookies for specific advertising purposes without prior consent, provided that the privacy risks are demonstrably low. This approach aims to facilitate the development of more privacy-conscious adtech solutions.

Wynn highlighted the need for the ICO to navigate carefully between facilitating innovation and adhering to established privacy standards. “The ICO will also have to bear in mind the risk of excessive divergence from protections available in the EU and EEA,” she noted, referencing the upcoming review of the EU-UK adequacy decision, which is essential for the free flow of personal data between the UK and EU countries. The adequacy decisions are set to expire on June 27, 2025, but the European Commission has extended the deadline for another six months to evaluate whether the UK’s data protection regime aligns with EU standards.

In summary, as the ICO embarks on this regulatory overhaul, the implications for the adtech industry are profound. The balance it seeks to strike between user privacy and business interests could set a precedent for future regulatory frameworks, not only in the UK but potentially influencing global practices. The outcomes of these consultations will be critical in shaping the future of digital advertising and privacy regulations, ensuring that both user rights and industry interests are adequately represented in the evolving landscape of online commerce.