What’s happened?

The ICO recently launched a major new review of cookie usage on the UK’s top 1,000 websites. This builds on last year’s assessment of the top 200 websites, when businesses were warned they would face enforcement action if they didn’t bring their online tracking practices into compliance with data protection law. This initiative resulted in significant improvements.

Online tracking is one of the ICO’s key current areas of focus. Alongside this new website review, the regulator launched its 2025 online tracking strategy and guidance for businesses on the use of ‘consent or pay’ online advertising models. It’s also currently consulting on updated guidance on the use of storage and access technologies (formerly known as its cookies guidance). This includes fingerprinting, an alternative form of online tracking to cookies. The final version will be published after the new Data (Use and Access) Bill is passed into law sometime this year.

Why does it matter?

Being tracked online enhances the user’s experience when they’re in control of what information they share. But harm can occur when users lack that control. The ICO says that, while many organisations take care when tracking people’s activity, others fall far short of data protection requirements. A lot of complaints concern users not being given an option to reject non-essential tracking, which is unfair to both users and those responsible businesses that do play by the rules.

The ICO’s focus on online tracking is unlikely to stop at the top 1,000 websites. It will ultimately affect businesses of all sizes, from small online retailers to major corporations that rely on digital marketing to drive revenue. If you use online tracking practices, this renewed focus on compliance is directly relevant to you.

The ICO’s increased oversight presents both risks and opportunities. Those who embrace fairness and transparency and make sure proper consent mechanisms are in place, will not only avoid potentially costly enforcement action but can also gain the trust of increasingly privacy-conscious users of digital services. On the flip side, businesses that fail to comply risk not only a range of possible enforcement actions, but reputational damage and loss of consumer confidence.

What’s changing?

The law itself isn’t changing (yet). But what the ICO wants to achieve is a level playing field when it comes to online tracking, promoting innovation in advertising models that respect user privacy, building trust and fostering long-term business growth. The regulator acknowledges that businesses face challenges complying with the law while remaining competitive in the digital advertising industry. Its strategy is designed to ‘remove barriers, clarify areas of ambiguity and make it easier for organisations to do the right thing’.

This year the ICO’s particular focus is online advertising because the nature of this tracking and processing of people’s personal data can be used to provide highly individualised insights and decisions about them relating to sensitive areas of their lives, increasing the risk of harm for vulnerable people. The key identified problems are: deceptive or absent choice; uninformed choice (lack of clear, key information to make fair choices); undermined choice (information not processed in line with what was promised); and irrevocable choice (users not given a meaningful way to change their mind).

The ICO wants a fair system where people can confidently share and manage their information online, but also where organisations aren’t disadvantaged by improving their approach to ensure compliance. This year the ICO will:

• Make it easier for publishers to adopt more privacy-friendly forms of online advertising, such as contextual models. This includes exploring whether changes are needed to the Privacy and Electronic Communications Regulations.
• Ensure publishers give people meaningful control over how they’re tracked on websites. This will include automated monitoring of website compliance. The ICO will engage with major consent management platforms to make sure the options they offer reflect the legal requirements.
• Ensure that people have meaningful control over tracking for personalised advertising on apps and connected TVs. There will be a consultation on guidance on data protection for Internet of Things devices.
• Confirm how publishers can deploy ‘consent or pay’ models in line with data protection law, supporting their economic viability. See the ICO’s recent guidance on this. The regulator wants to support businesses to adopt more privacy-friendly business models that give users the lawful choice and control they expect.
• Provide industry with clarity on the requirements of data protection law, leaving no excuse for non-compliance. In addition to publishing its final guidance on the use of storage and access technologies, the ICO will support businesses to introduce novel solutions through its Regulatory Sandbox and Innovation Advice services. It will also work with industry and stakeholders to develop a compliance certification scheme.
• Investigate compliance failures in the wider adtech ecosystem. This includes investigating potential non-compliance in the data management platforms that connect online advertisers and publishers.
• Support the public to take control of how they’re tracked online. This includes publishing public-facing guidance to raise awareness.

What should businesses do now?

With cookie compliance and online tracking squarely on the ICO’s radar, businesses should act promptly. Take the following practical steps to make sure you’re following the rules:

• Audit your online tracking practices. This includes reviewing the ICO’s draft updated guidance on the use of storage and access technologies and assessing whether your consent mechanisms, including cookie banners, comply with requirements.
• If you use ‘consent or pay’ models, review the ICO’s latest guidance and adapt your practices accordingly.
• Stay proactive. Compliance requirements are evolving. Set up a process for ongoing compliance checks and stay up to date with any new laws or best practices emerging from the ICO or other bodies, seeking advice where necessary.

Cookie compliance: How we can support you

The ICO’s enhanced focus on cookie compliance and other online tracking practices is a critical moment for businesses operating in the digital space. It’s not just about avoiding penalties – it’s an opportunity to innovate, strengthen your reputation, foster trust with your customers and grow your business.

Our Regulatory & Compliance and Technology & Digital experts are closely monitoring these developments and are on hand to help you navigate the complexities and stay on the right side of the law. Whether you need support with audits, staff training or broader data protection strategies, we can guide you through the process.

Please contact Andrew or Sally to discuss how we can help.