The Information Commissioner’s Office is intensifying its crackdown on cookie compliance, expanding its review to the UK’s 1,000 most-visited websites as part of its 2025 strategy.
The initiative aims to ensure consumers have greater transparency and control over how their data is collected and used online.
The ICO identified compliance concerns in two thirds of cases following an initial review of the top 200 websites. It has already contacted site operators to address these issues.
Its executive director of regulatory risk, Stephen Almond, warned that “uncontrolled tracking intrudes on the most private parts of our lives and can lead to harm. For example, gambling addicts being targeted with more betting ads due to their browsing history or LGBTQ+ people altering their online behaviour for fear of unintended disclosure of their sexuality.”
Ben Green: the use of data in personalisation is becoming harder
A key pillar of the ICO’s 2025 strategy is ensuring individuals have meaningful control over how they are tracked online, addressing the “significant harm” that can arise from the misuse of tracking technologies.
To support businesses in adopting privacy-friendly practices, the ICO is publishing draft guidance on tracking methods such as cookies and fingerprinting, final guidance on consent-or-pay business models, and potential reforms to encourage privacy-preserving advertising technologies.
The final guidance on consent-or-pay models, now available for review, clarifies how organisations can offer users a choice between accepting personalised ads for free access or paying for an ad-free experience while ensuring compliance with data protection laws.
It outlines best practices for businesses to follow to ensure users’ consent is freely given and that they retain control over their personal data.
Almond emphasised the ICO’s dual approach of enforcement and support, saying: “We’ll continue to hold organisations to account, but we’re also here to make it easier for publishers to adopt compliant, privacy-friendly business models.
“By combining advice, guidance and targeted enforcement, we aim to create an environment where businesses can succeed and people can have trust and control over their online experiences.”
Ben Green, CRO of adCAPTCHA, said: “People have become increasingly aware of their data privacy, requiring digital advertisers to rethink how they collect, store and utilise consumer data.
“In its cookie review, the ICO will discover millions of bots trawling these websites, scraping user data, content behind paywalls, and advertising materials, at significant financial cost. For the distrust that cookies cause, it’s actually the bots that are roaming across the websites that are doing the most damage.
“The use of data in personalisation is becoming harder with 3rd party cookies being phased out due to privacy concerns and lawsuits as seen by Google’s recent $5 billion settlement.”
“From a digital advertising perspective, we are seeing a shift to a post-cookie world, focusing ads on where the user is in the journey, rather than the user themselves, due to the emphasis on advertising on specific platforms. Advertisers are exploring new, cookie-less ways to merge user experience, data collection and relevance in a way that protects user privacy while boosting engagement. However, these strategies will only be effective if the bot epidemic is tackled, restricting content scraping to prevent warped advertising data and stolen user data.”
Related
Massive rise in cyber attacks on finance firms
Rise in AI makes critical thinking essential