ICO Opens the Door to Privacy-First Advertising

The UK Information Commissioner's Office (ICO) has launched a consultation that could fundamentally reshape UK online advertising.

In a move that risks angering privacy advocates, the ICO is exploring how to relax enforcement of consent requirements laid out in Regulation 6 of the Privacy and Electronic Communications Regulations (PECR) for what it calls "privacy-preserving advertising", essentially allowing publishers to serve ads to users who haven't given consent, provided the risks are "demonstrably low."

The ICO is spinning lots of ‘online tracking’ plates at the moment. The Privacy-First consultation, running until August 29, 2025, forms part of the ICO's broader online tracking strategy and comes alongside another consultation on Storage and Access Technologies (SAT) that reflects changes to PECR rules under the recently passed Data Use and Access Act (DUAA). Additionally, there is another consultation where the ICO seeks to understand public attitudes to online tracking, ensuring that its regulatory approach aligns with real-world consumer expectations.

Simultaneously, the ICO has provided guidance on "consent or pay" models, and continues to pursue the Top 1000 UK publishers for regulatory non-compliance in personal data collection for targeted advertising. However, enforcement against publishers has been limited to letters, and a non-financial reprimand for Bonne Terre (Sky Betting) in September 2024 for processing individuals' data without consent.

What is Privacy-First Advertising?

All UK regulators, including the ICO, have come under pressure from the UK government to create the right conditions for growth and innovation within their respective industries — a clarion call to which the ICO has responded positively.

The ICO's message on Privacy-First Advertising is carefully focused on innovation and economic growth. Stephen Almond, the ICO’s Director of Regulatory Risk, frames this as removing "unnecessary regulatory barriers" to enable "responsible innovation" in advertising models that "put users in control while supporting publishers and platforms to thrive."

The ICO emphasizes they're not dictating solutions to the online industry, but creating space for innovation. Rather than just being ‘enforcers’, they are positioning themselves as ‘enablers’ of privacy-first business models.

In particular, the ICO is looking at a range of online advertising capabilities to work with stakeholders and determine acceptable privacy-preserving models, including the “minimum requirements for a commercially viable advertising model”, with emphasis on the following:

  • Ad Delivery and Billing
  • Ad Fraud Prevention & Brand Safety
  • Frequency Capping
  • Measurement and Attribution
  • Targeting

This is no easy task. The ICO is likely to discover that online ecosystem functionality is driven by personal data – whether it be an IP address or device identifier. For example, broad location data could be substituted for precise location data in some functions, while other capabilities including ad fraud prevention often rely on tracking devices for non-human behavior across multiple sites, where precision matters.

Zooming Out: Stuck Between a Regulatory Rock and a Hard Place

The Privacy-First consultation process represents a significant shift in UK privacy regulation, moving from a consent-first approach to a risk-based framework that balances economic considerations alongside privacy rights.

The recently passed DUAA has certainly given the ICO room to socialize this approach, as the Act permits consent-free cookies when used to collect statistical and other data to improve services, functionality and offer personalization.

The ICO has an unenviable job balancing the requirement to protect consumer rights whilst ensuring that the struggling publisher ecosystem can continue to offer a healthy level of diversity and plurality in media. Still, beyond the innovation rhetoric lies a more complex reality that raises serious questions about the direction of UK privacy regulation.

To the credit of the regulator, the consultation acknowledges that the current consent system isn't working effectively for publishers — the players arguably struggling most in the online ecosystem while power concentrates among Big Tech platforms, a point I touched on in our July 9 Bulletin. However, the proposed privacy-first framework risks creating an even more stark two-tier advertising market.

The first tier, dominated by Big Tech platforms like Google and Facebook, can leverage vast repositories of first-party data from users directly interacting with their services. This allows them to maintain sophisticated targeting capabilities without relying on third-party tracking technologies that require PECR consent. The second tier—encompassing the broader publisher ecosystem from news sites to e-commerce platforms—would be increasingly limited to basic contextual advertising and the limited capabilities the ICO deems "low risk" (ad delivery, fraud prevention, frequency capping, and basic measurement).

This disparity could inadvertently strengthen Big Tech's market position. As privacy regulations tighten, only the largest players with significant first-party data assets and technical resources will maintain access to the granular targeting that advertisers demand. Smaller publishers, already grappling with consent fatigue and declining revenues, may find themselves with even fewer competitive advantages—ultimately reducing diversity and plurality across the UK's digital landscape.

Real innovation in the industry requires addressing this market concentration, and empowering publishers with genuinely effective and lucrative alternatives.