
The proposals, which were first mooted back in March even before the UK data reforms were passed, are set out in a call for views on how the ICO applies regulation 6 of the Privacy & Electronic Communications Regulations (PECR) – aimed at supporting innovation by enabling new advertising models that respect user privacy while maintaining revenue streams.
The ICO is exploring how publishers could deliver privacy-preserving advertising to users who have not given consent, where the risks are demonstrably low. The regulator will continue to enforce consent requirements for the collection of personal information for targeted advertising.
ICO director of regulatory risk Stephen Almond said: “Online advertising doesn’t have to come at the expense of privacy. We want to see industry develop new models that put users in control while supporting publishers and platforms to thrive.
“Our role isn’t to dictate how that’s done – it’s to remove unnecessary regulatory barriers and open the door to responsible innovation.”
The ICO has also launched an updated consultation on its Storage & Access Technologies (SATs) guidance, revised to reflect changes introduced by the new Data (Use & Access) Act 2025. The Act permits consent-free use of cookies for certain low-risk functions, such as statistical analysis and website improvement.
The ICO is also commissioning further user research to better understand public attitudes to online tracking and consent, ensuring its regulatory approach is aligned with what it calls “real-world expectations”.
The call for views on the ICO’s enforcement approach closes on August 29, while the SATs guidance consultation closes on September 26. Responses will inform the ICO’s final guidance and a formal statement on its updated enforcement approach, due in early 2026.
Over the past year, the ICO has issued 16 fines, totalling £1,667,500, for breaches of PECR, and, while many of these were for rogue telemarketing activities, they also include action against firms for cookie violations.
As the law currently stands, a cookie contravention has to be both serious and likely to cause substantial damage or substantial distress before the ICO could even consider issuing a fine.
However, that is all set to change under the DUAA, according to Mishcon de Reya senior data protection specialist Jon Baines. He points out that once section 115 and schedule 13 are commenced (at a date yet to be announced), both PECR and the Data Protection Act 2018 will be amended so that any contravention of regulation 6 of PECR is potentially subject to a fine.
The ICO will still have to have regard to factors such as the nature, gravity and duration, and the intentional or negligent character of the contravention, but there will be no seriousness threshold and no “harm” threshold, Baines explained.
He added: “So, does this mean that, when the amended powers come into effect, the ICO will be issuing a swathe of cookie fines? That seems unlikely: although the ICO has adopted an online tracking strategy, which involves assessing some large websites’ compliance, there has been no indication that this strategy will lead to multiple fines being deployed.
“However, the possibility cannot be ruled out, especially if the ICO were to encounter cookie contraventions which are serious and egregious.”

