Privacy & Information Security Law Blog

On July 7, 2025, the UK Information Commissioner’s Office (the “ICO”) announced it had launched two new consultations: (1) a consultation on its approach to enforcement of the regulation 6 consent requirements of the Privacy and Electronic Communications Regulations (“PECR”); and (2) a consultation on a new chapter within its draft guidance on storage and access technologies (the “Cookie Guidance”).

PECR Consultation

The consultation into enforcement of the regulation 6 consent requirements under PECR is focused on online advertising.  Specifically, the ICO is assessing whether a risk-based approach to enforcement could enable publishers to deliver online advertising to users who have not provided their consent, where there is a low risk to the user’s privacy. The ICO believes that a new approach may “create opportunities to unlock business growth through innovation” and “enable commercially viable ways to deliver online advertising.”  The ICO notes that any such methods must still be performed in accordance with data protection and privacy principles, and be methods that individuals would likely consider “acceptable” without consent.

The ICO is exploring framing guidance around the following categories of online advertising capabilities:

• ad delivery and billing;  
• ad fraud prevention and detection; 
• brand safety, brand suitability and brand compliance;  
• frequency capping; 
• measurement and attribution; and  
• targeting (i.e., how an advert is targeted towards a user or group of users).

The ICO confirmed that the review will not impact the enforcement of compliance requirements and practices under the UK General Data Protection Regulation, clarifying that there will be certain circumstances where online advertising will always require consent, such as where extensive profiling across different services is involved.

The deadline for the consultation is August 29, 2025.

Cookie Guidance Consultation

The consultation into the new chapter of the Cookie Guidance follows the passage of the Data (Use and Access) Act 2025 (the “DUAA”). The chapter reflect changes to PECR introduced by the DUAA, such as the ability to use certain non-essential cookies without consent for specific low-risk functions, such as statistical analysis.

In a bid to align its Guidance with public opinion, the ICO also announced its intentions to commission further research to improve its understanding of public attitudes to online tracking and consent.

The deadline for the consultation is September 26, 2025.