The ICO has published its online tracking strategy which sets out how it will promote compliance with the law in 2025 to obtain a fairer online tracking ecosystem for people and business.
The ICO discusses its activities in 2024 and says that its focus in 2025 will be on online advertising. It says that giving users meaningful control is especially important in online advertising as products and services typically rely on tracking a wide range of people’s activity online. This data can be used to build detailed profiles that enable highly individualised insights and decisions about people. These insights and decisions are often benign but can easily relate to sensitive areas of people’s lives, such as their beliefs, health and sexuality. This creates risks that increase for people in vulnerable positions, who are more likely to adjust or limit their online activity to avoid risks of their personal information being disclosed or of discrimination and other harms. Many people are concerned about the insights and decisions that may derive from their online activity. When controls are available, these people use them to try to restrict data collection. The ICO has identified four key problems:
Deceptive or absent choice
Often, people are not presented with an option to opt out of non-essential data processing. Cookies may be set regardless of users’ wishes. In its review of the top 100 websites, the ICO found 30% setting advertising cookies without consent or after a user chose not to consent. Users have also told the ICO that choices are often not made available or that accepting terms and conditions is required to make a product work. The ICO has also observed organisations adopting alternative forms of online tracking, such as fingerprinting, as the online advertising industry seeks to adapt to restrictions on cookies. These are often deployed without genuine user choice.
Uninformed choice
Even when organisations provide a consent mechanism that works properly, they do not always present people with simple information about the purposes for which they are agreeing to share their information. In its joint report with the CMA on harmful design practices, the ICO said that failure to give people fair choices can lead to breaches of data protection, consumer and competition law.
Undermined choice
Even when organisations state clearly how they will process users’ information, alongside a functioning consent banner, the ICO says that the information is not always processed in line with the promise. People want more transparency, simpler controls and assurances that their personal information is being used responsibly, especially when their information could be shared with third parties for advertising.
Irrevocable choice
Even when people have been given a clear and effective choice, and the purposes they have originally agreed to are upheld, the ICO has found that they may have no meaningful way to change their mind.
The ICO’s plans for 2025
In 2025 the ICO will do the following:
- Make it easier for publishers to adopt more privacy-friendly forms of online advertising.
- Ensure publishers give people meaningful control over how they are tracked on websites.
- Engage with major consent management platforms to ensure that the options they offer publishers reflect the requirements of UK data protection law.
- Ensure that people have meaningful control over tracking for personalised advertising on apps and connected TVs.
- Confirm how publishers can deploy “consent or pay” models in line with data protection law, supporting their economic viability (it has also published guidance on this, watch this space for more news).
- Provide industry with clarity on the requirements of data protection law, including final guidance on storage and access technologies after its current consultation and the passage of the Data (Use and Access) Bill.
- Where novel solutions emerge, the ICO will support businesses to introduce them in compliance with data protection law through its Regulatory Sandbox and Innovation Advice services.
- Work with the online advertising industry and wider stakeholders on developing a certification scheme to enable organisations to show they are processing personal information in compliance with the law.
- Investigate compliance failures in the wider adtech ecosystem.
- Examine the case for further action to ensure that people can easily withdraw their consent from all organisations that their personal information has been shared with.
- Support the public to take control of how they are tracked online.
The ICO is also reviewing cookie usage on the biggest UK sites. It has looked at the 200 biggest sites and will now look at the biggest 1000.
