The Information Commissioner’s Office (ICO), the UK's data protection regulator, have set out their strategy for online tracking in 2025. The strategy aims to create a fair and transparent online environment, ensuring people have meaningful control over their data when they are online. The ICO has also suggested this strategy will help the UK Government’s growth agenda.

We are all familiar with cookies – the constant requests to consent to cookies are the bane of most of our online lives. Have you given up hope and just consent to everything, figuring what’s the worst that could happen? Or do you reject all cookies, or even fastidiously untick all the pre-ticked boxes for consent and legitimate interests, grumbling about unlawful approaches used? 

You can probably guess which camp we’re in. Cookies are used to monitor our interactions when online – whether that is via websites, within an app, or even when interacting with emails. Some are essential, like presenting content in the right language, or remembering what is in your shopping basket. Cookies can also be used to track your use of and movement between websites, your use of apps, and even your interaction with (and/or skim reading of) emails. They are, of course, also used to permit relevant businesses to provide personalised advertising, which in turn helps funds many of the associated online services. 

While cookies can have very positive and unobtrusive uses, online tracking can also cause harm if misused. This may be particularly obvious when used to target vulnerable individuals, children, gambling addicts, or to make unwanted disclosures of your personal information. 

In their 2025 strategy, the ICO have set out an aim to make it easier for organisations to carry out responsible online tracking, while maintaining the financial viability of the online services they provide. The key elements of that strategy are as follows: 

Bringing the top 1,000 UK websites into compliance.

Last year the ICO continued to review the online tracking practices of the UK’s top 200 websites. Non-compliant websites were warned that they faced enforcement action, if they did not make changes to advertising cookies and comply with data protection law. One example of such enforcement was Sky Betting and Gaming who were issued with a reprimand for unlawfully processing people’s data through advertising cookies without their consent. The response to the ICO’s review led to many of the UK’s top websites changing their cookie banners, and working to develop alternative solutions. This included introduction of contextual advertising, which involves less tracking of personal data, and more widespread use of subscription models. This review has already helped to bring significant improvements in compliance. The ICO now aims to expand their reach to include the UK’s top 1000 websites. 

If you operate a website in the UK, or a site which is aimed at UK individuals, and you haven’t yet updated your cookie banners, cookie policies, and privacy notices – please get in touch for advice on how to ensure these are compliant. 

Enabling publishers to implement more privacy-friendly advertising methods.

The Privacy and Electronic Communications Regulations (PECR) complement the Data Protection Act and the UK GDPR, giving individuals specific privacy rights for electronic communications, including rules on cookies and other tracking technologies (such as email tracking pixels). While the PECR aim to protect user privacy, its stringent requirements can inadvertently slow down the shift towards more privacy-friendly advertising methods. The ICO have pledged to review the current PECR, which was last updated in 2019, in particular looking at how it might be hindering the adoption of more privacy-friendly online advertising methods, such as contextual models, and to clarify how the law applies. The ICO say they will also collaborate with the government to consider legislative amendments to support this shift. 

If you need to audit your current use of online targeting and advertising, or you are thinking of implementing a new system and need some help to ensure this is compliant, let us know. 

Guidance on the use of "Consent or pay" models.

"Consent or pay" is a business model for funding online products and services, offering users a choice to:
•    consent to the service provider using their personal data for personalised advertising;
•    pay a fee to access the service and avoid personalised advertising; or
•    decide not to use the product or service. 

The ‘consent or pay’ model has emerged due to developing regulations around online tracking and gives online publishers an alternative way to monetise their online products and services. The ICO raised questions about the use of this ‘consent or pay’ model and held a public consultation in 2024 to seek public views. This resulted in the ICO introducing guidance on ‘Consent or pay’, published in January 2025. The guidance indicates that while it is feasible to run a consent or pay model in accordance with the UK's GDPR and PECR, doing so is not without its complexities. Importantly, publishers using ‘consent or pay’ models must be able to show that individuals can freely give their consent to personalised advertising. The ICO’s guidance therefore provides a set of factors to help assess this, and details how to justify and document compliance. 

If you are struggling to wrap your head around staying on the right side of the ‘consent or pay’ requirements, please get in touch.

Public Consultation on use of ‘Storage and access’ technologies.

‘Storage and access technologies’ refer to any technology that stores information, or accesses information stored, on a user’s ‘terminal equipment’. This includes cookies; tracking pixels; link decoration; navigational tracking; web storage; fingerprinting techniques; scripts and tags. In 2024 the ICO also opened a public consultation on proposed updated guidance for organisations on how to use ‘storage and access technologies’ and to ensure individuals have meaningful control over tracking. That consultation is still open and will run until 5pm Friday 14 March 2025. You are encouraged to respond, and view the draft Impact Assessment, on the ICO’s guidance on the use of storage and access technologies consultation page. The ICO’s goal is that the guidance will “provide industry with clarity on the requirements of data protection law, leaving no excuse for non-compliance.” 

If you need to audit your current use of storage and access technologies, or you are thinking of implementing a new tech and need some help to ensure compliance, let us know.

We are always here to help if your organisation has questions about legal issues arising from online tracking or following the ICO’s guidance, or indeed if your business needs help in assessing or improving compliance with data protection and privacy laws generally. Please don’t hesitate to contact us anytime for a no-obligation chat.