The UK Information Commissioner’s Office (ICO) initiated two separate stakeholder consultations seeking feedback on a new approach to regulating online advertising. Both consultations were spurred by the UK’s Data (Use and Access) Act 2025 (DUAA), which amends but does not replace the UK GDPR. The DUAA introduces targeted amendments to both the UK GDPR and the Privacy and Electronic Communications Regulations (PECR). While many of those amendments took effect on June 19th, the vast majority will take effect through separate legislation within the next six to twelve months.
Both consultations signal an effort by the ICO to provide more clarity to both consumers and business. These initiatives further appear to balance consumer privacy interests with technological innovation and new avenues for online advertising. By early next year, the ICO is expected to publish a statement with its updated guidance to identify activities that are unlikely to spur enforcement along with safeguards business are expected to implement.
The first consultation opened in July as the ICO considers its approach to enforcing PECR consent requirements by exploring how a risk-based approach to enforcing the PECR would impact online advertising publishers’ ability to deliver ads to users absent consent.
Specifically, the ICO seeks to understand whether online advertising can be delivered without consumers’ explicit consent for activities deemed low risk for privacy. Consent will remain mandatory for activities deemed high-risk to privacy such as extensive profiling across services or devices. The consultation seeks feedback on a wide variety of topics including ad delivery, billing, fraud prevention, brand safety, measurement, and targeting. The comment period for the PECR consultation closes August 29th.
The ICO is likewise holding a consultation seeking feedback on revisions to its guidance on storage and access technologies (SATs), commonly known as the “detailed cookie guidance.” The comment period for the SATs consultation closes September 26th. Notably, revisions to the SATs guidance include a chapter dedicated to exceptions and examples of such exceptions.
The guidance also aims to provide clarity on the difference between obligations and optional considerations. The revised guidance expands its reach by addressing other technologies such as pixels, local storage, and device fingerprinting.
Opening for Business
For providers of online services including web developers, online advertisers and even app developers, the ICO’s consultations provide a window for advocacy, particularly in light of the ICO’s explicit pro-business sentiments and goals to “create opportunities to unlock business growth through innovation, while safeguarding people’s privacy and improving user experience.”
While the DUAA necessitates a thorough review of existing business practices, both consultations provide opportunities for business to shape future regulatory action and provide input on how those future policies constrain or open the door for business innovation.
Business should:
- Determine whether they want to participate in the comment period for either or both consultations and submit any comments by the respective deadlines of August 29 and September 26;
- Evaluate current business practices to determine if the DUAA amendments and proposed revised guidance will impact current business practices; and
- Review existing policies (data subject rights, transfer risk assessments, cookie policies, etc.) for compliance with the DUAA and if those policies require any modifications.
