In the War on Cookie Compliance, Regulators Need to Follow the Money

The UK's ICO set an ambitious target for 2025: bringing the top 1,000 UK websites into compliance with privacy regulations. But there's one problem: Regulators are focused on the wrong target.

Image of a man in a black ICO jacket standing at a cookie-strewn crossroads. To the left a sign reads 'advertisers'; to the right, a sign that reads 'publishers'.
What's a regulator to do? (image generated by ChatGPT)

The UK's Information Commissioner's Office (ICO) set an ambitious target in their 2025 Online Tracking Strategy: bringing the top 1,000 UK websites into compliance with privacy regulations. Yet buried within the strategy document lies an admission that undermines their entire approach.

Organisations have told the ICO: "We want to change but if we act unilaterally, we'll be disadvantaged compared to our competitors who will benefit from greater insights and revenues."

This reveals the fundamental flaw in the ICO's approach. Namely, they recognize the complexity of regulating adtech privacy, yet their solution remains focused only on one side of the industry equation: publishers—the most visible, but arguably the least powerful, and certainly the most economically challenged of industry players—whilst the entities with actual market power to drive change remain largely untouched.

The Strategy's Own Contradictions

The ICO finds itself caught between ambitious goals and practical limitations.

When they published their 2019 update on Adtech and Real Time Bidding, the regulator heavily criticized the current state of RTB in the UK. The report highlighted the need for industry-wide changes and engaged with stakeholders across the entire supply chain to address identified issues.

The ICO then participated in some sombre sabre rattling at various adtech conferences over the next few years, none of which led to any meaningful changes in the industry. It was then that the ICO likely realized that tackling the complexity of the entire RTB ecosystem was, perhaps, an insurmountable task. So, they shifted focus, determining that publishers held the responsibility for the industry. Or as I likened it at the time, publishers are, and should be, the sole guardians of the “data gateway.”

Coincidentally, publishers are also much easier to identify, target, and monitor.

In late 2023, the ICO wrote a sternly worded warning to 50 of the UK's most visited websites, stating they faced immediate enforcement action if they failed to improve their cookie consent mechanisms under the Privacy and Electronic Communications Regulation (PECR).

Yet, after years of reports, guidance and enforcement threats, the fundamental issues persist within the RTB ecosystem because the ICO is treating symptoms, not the disease. Their focus remains stubbornly downstream when real solutions require upstream coordination that only market pressure can drive.

The Compliance Theatre Problem

Here's the uncomfortable truth the ICO won't acknowledge: a publisher can obtain all the legally-compliant customer consents it wants, using ostensibly compliant consent management platforms (CMPs), but they still have no control over what happens in the code (or at other points along the supply chain). For example, as one industry insider noted, “most CMPs don’t actually control the tags and cookies operating on a [publisher’s] website. Instead, they use a series of APIs that rely on the cooperation of third parties to respect a user’s privacy selections after the fact.”

Notwithstanding user choice, personal data may still flow to dozens of Supply- and Demand-Side Platforms, with few guardrails built in. Supply-Side Platforms lack robust technical safeguards to enforce consent choices, while DSPs rely on little more than contractual obligations to respect user choice. Meanwhile, most everyone involved in this complex dance lacks the technical expertise to assess their partners' actual privacy compliance, despite the fact that advertisers and brands control the budgets that could enforce real change overnight.

I would go further to ask whether anyone even cares. There is a long list of tainted providers that many agencies used (and continue to use) without demonstrating a level of due diligence. For example, location data providers are routinely called out for harvesting (and doing questionable things with) sensitive data. And when it’s discovered, there’s usually a great deal of scrutiny and calls to do better. Yet, they continue to proliferate in the ad space. Similarly, Criteo’s $44 million fine for breaches related to consent and transparency was big news in 2023, and yet, their stock price increased. Wash, rinse, repeat.

The programmatic industry has been designed and built on an ecosystem of seamless interconnectivity, where consumer personal data is the lifeblood. But it's this interdependence that means privacy failures at one rung in the chain cascade and compromise others. Yet regulatory focus continues to hyper-fixate on the most visible players—publishers—while the entities with actual purchasing power escape accountability and scrutiny.

As long as advertising budgets that support the industry rely on great swathes of personal data, publishers, agencies, and everyone in between will remain dedicated to perpetuating these approaches, damn the consequences. Nobody should be surprised that self-preservation is a driver of business.  

Money Talks Louder Than Regulation

The evidence is clear: market forces can, and should, be the drivers of change. This isn’t just an argument for the standard laissez-faire industry cop-out. There’s strong evidence for the market-drives-change position, even in the RTB space. For example, when Procter & Gamble demanded programmatic transparency in 2017, the industry transformed overnight. When major brands threaten to pull spending over brand safety or privacy concerns, platforms implement changes that years of regulatory guidance can’t achieve.

Even Google's attempted elimination of third-party cookies in Chrome—ultimately reversed—demonstrated how commercial incentives and market forces can do more to drive privacy-centric approaches than regulation or enforcement.

As Nick Stringer observed in his recent article, it’s not the ‘cookie conundrum’, nor a privacy one: it’s about trust. Consumers need to trust that advertisers won’t abuse them. While regulatory compliance matters, especially when hefty penalties are involved, revenue considerations will always prevail. And businesses, no matter where they are along the supply chain, follow the money. Thus, the real power lies with those holding the purse strings: the advertisers who can demand transparency and accountability throughout the complex supply chain. Marry customer consent and desires with brand success, and we might actually get somewhere.

The ICO can write guidance and monitor websites, but until the money moves, meaningful change won't follow.

The Path Forward: Contractual Alignment

True privacy compliance requires what the UK Digital Marketing Association (DMA) and the Incorporated Society of British Advertisers (ISBA) refer to as “contractual alignment”—advertisers must play a proactive role in coordinating partnership agreements and ensuring that privacy policies and technical implementations are robust across all stakeholders, ending the current culture of privacy responsibility shifting.

In practical terms, this means:

  • Technical Coordination: The industry needs to move towards standardized consent signal transmission and privacy-by-design principles implemented by every platform, not just publishers. Ad agencies must move beyond basic vendor questionnaires. They need technical due diligence processes that assess actual data flows and consent implementation, not just policy compliance.
  • Transparent Communication: Each party must be open and transparent with the others about what data will be exchanged, how it will be exchanged, and how it's used.
  • Shared Accountability: Brands must stop delegating their privacy responsibilities, and instead implement direct contractual protections with every vendor in their supply chain and conduct regular audits of agency and tech partners. Regular compliance assessments and data protection impact assessments should be conducted collaboratively across the supply chain.
  • A Broader View on Regulation: Regulators (including the ICO) need to engage with advertisers and agencies, as well as publishers. Regulators should recognize that sustainable change requires engaging with the economic drivers of the ecosystem—the budget holders who can enforce compliance through commercial pressure.

Until regulators acknowledge the real power dynamics in the adtech ecosystem, they will continue treating symptoms while the underlying privacy challenges persist. The buck should stop not only with publishers, but with those who control the money that makes the entire system run.