Privacy & Information Security Law Blog

On January 23, 2025, the UK Information Commissioner’s Office (“ICO”) published its new online tracking strategy for 2025 (the “Strategy”) which sets out how it intends to achieve its “vision” of “a fair and transparent online world where people are given meaningful control over how they are tracked online.” Through the Strategy, the ICO seeks to ensure that, amongst other things, individuals can operate online with trust and confidence and meaningfully control how their data is used, and organizations are not disadvantaged by following the rules and improving their approach to online tracking to ensure it is compliant.

The ICO has identified the following four areas where individuals are not being given sufficient control of their data as provided by data protection law:

• Deceptive or absent choice: Individuals are often not presented with an adequate choice regarding the use of non-essential cookies and similar tracking technologies.
• Uninformed choice: When individuals are presented with the option to provide consent, there are instances where organizations do not provide adequate information with respect to the purposes being consented to.
• Undermined choice: When organizations appear to be transparent about their processing, there are instances when the processing activities performed do not align with the description of the processing.
• Irrevocable choice: When individuals are presented with a clear and transparent option to provide consent, there are instances where there is no meaningful way to withdraw consent provided.

In the Strategy, the ICO explains how it proposes to take action on these issues, specifically by:

• Encouraging publishers to deploy more privacy-preserving advertising that does not involve extensive profiling of individuals based on their online activity, habits and behavior potentially across different services and devices. In doing so, the ICO intends to revisit the requirements of the Privacy and Electronic Communications Regulations and to work with UK government to explore where amendments could be made.
• Building on the ICO’s work in 2024 regarding cookies, the ICO now intends to focus on bringing the UK’s top 1,000 websites into compliance with regards to non-compliant cookie usage (see previous blog on the topic).
• Ensuring that non-compliant online tracking does not take place on apps and Internet-connected TVs.
• Publishing guidance on ‘consent or pay models’ (also published on January 23, 2025) which seeks to clarify how publishers can deploy these models to give individuals meaningful control over online tracking while supporting their economic viability.
• Providing industry with clarity on requirements of data protection law. This includes, for example, publishing the final guidance on storage and access technologies (formerly known as the “cookie guidance”).
• Investigating potential non-compliance by data management platforms that connect online advertisers and publishers.
• Supporting the public in taking control of online tracking by publishing guidance on how individuals can understand and control the use of their information online, and raise awareness of their rights.

Read the ICO statement on the Strategy.