ORG roundtable finds ICO plan to regulate online advertising is flawed

A recent stakeholder roundtable organised by the Open Rights Group (ORG) identified significant risks in the Information Commissioner's Office's (ICO) consultation concerning its new enforcement approach to regulating online advertising and cookie consent.

The ICO is aiming to promote "privacy-preserving alternatives" to the current adtech model by exempting less-invasive forms of online tracking from consent requirements. However, participants were generally sceptical that relaxing these rules would drive the intended change. In this summary of the event, the ORG highlights two main weaknesses in the ICO's proposal. 

First, the current failure by the ICO to enforce existing consent rules already disadvantages law-abiding companies that do not track individuals. Exempting new privacy-preserving models from consent is deemed insufficient if regulators continue to ignore or inadequately punish providers who use digital coercion, such as "consent-or-pay" banners, to force behavioural tracking. 

Second, consent rules are not the most significant barrier. Instead, gatekeepers within the real-time-bidding ecosystem often block the trading of ads that do not use personal data as a matter of commercial policy. The ICO's focus on deregulation fails to address this key issue and requires a different regulatory intervention. 

Roundtable participants urged the ICO to step up effective and dissuasive enforcement against illegal online tracking and profiling to remove illegal advertising from the market. 

Concerns were also raised about the consultation process itself, which was criticised for lacking detail on which technologies would be exempted, preventing public interest groups from offering feedback on risks and legal safeguards. 

In a related post, ORG addresses the impact that the Data (Use and Access) Act 2025 (DUA Act) is having on this issue.

Training Announcement: Freevacy offers a range of independent data protection qualifications from IAPP and BCS. Our certified courses are available at foundation and practitioner levels and cover multiple legal jurisdictions, data protection operations management, and the implementation of complex privacy solutions in technical environments. Find out more.