The UK's Information Commissioner's Office today published formal advice to government recommending changes to the country's cookie consent rules for online advertising, laying out a detailed framework under which certain low-risk ad formats could operate without the consent requirements that currently apply to almost all commercially viable digital ad activity.

The advice, published on 18 May 2026, was submitted to Rt Hon Ian Murray MP - Minister for Digital Government and Data - and Lord Livermore, Financial Secretary to the Treasury, in a letter signed by William Malcolm, the ICO's Executive Director of Regulatory Risk and Innovation. The accompanying blog post and published documents represent the culmination of a review process that began in January 2025, when the Information Commissioner set out five commitments to support the government's economic growth agenda.

The regulatory gap the ICO is trying to close

At the centre of this work is regulation 6 of the Privacy and Electronic Communications Regulations (PECR). Under the current framework, regulation 6 prohibits the storage or access of information on a user's device for online advertising purposes without consent. The rule applies a single standard across a wide spectrum of activities - from targeted behavioural profiling that tracks individuals across dozens of sites, to a simple contextual ad that shows a cycling product to someone reading an article about cycling. No distinction is made between these cases under the current law.

According to the ICO, digital advertising is estimated to contribute £129 billion of gross value added per year to the UK economy. That figure, cited in William Malcolm's April 2026 letter to ministers, underlines the economic stakes attached to how the country regulates this space. The ICO's review focused specifically on where regulation 6's "one size fits all" consent requirement was blocking investment in more privacy-friendly advertising models, rather than protecting users from genuine harm.

The ICO has been vocal about its concerns with online tracking for years. PPC Land has covered the regulator's long-running scrutiny of real-time bidding and programmatic advertising, which dates back to 2019, as well as its response to Google's decision to lift fingerprinting restrictions in late 2024. Today's publication marks a shift in emphasis: rather than only tightening enforcement, the ICO is advising government on where consent requirements could be loosened without increasing risk to users.

What the call for views found

The ICO launched a public call for views in July 2025 on its proposed approach to regulation 6. The consultation ran until 7 September 2025 and attracted 76 responses - 59 through the ICO's Citizen Space platform and 17 by email. Of the 59 who answered the survey questions, 51% agreed or strongly agreed that the ICO's proposed approach could identify commercially viable solutions that also safeguard privacy. Around 37% disagreed or strongly disagreed.

Of those 59 responses, 33 were submitted on behalf of organisations and 21 were from individuals. Among the 38 organisational respondents, 58% - or 22 responses - came from SMEs with fewer than 250 staff. Larger organisations with over 2,500 employees accounted for 16% of organisational responses.

Respondents were asked to assess six advertising capabilities: targeting, frequency capping, measurement and attribution, brand safety, ad fraud prevention, and ad delivery and billing.

Targeting: where the ICO drew the line

On targeting, the ICO received input covering four broad approaches: contextual targeting based on the content being viewed, demographic and interest-based targetinggeolocation targeting, and behavioural targeting.

Contextual targeting attracted the most discussion. Many respondents described it as a privacy-preserving method, since it operates on the content of the page rather than a profile of the user. However, some noted limits to its commercial viability in isolation. According to the Professional Publishers Association's response: "Our members report that they cannot effectively monetise consent-less data inventory because ad agencies will pay several times for personalised advertising what they would pay for contextual advertising and in some cases wouldn't bid any money to certain contextual ad campaigns at all."

The ICO acknowledged this feedback but held its position. Its preferred approach recommends that content a user is currently viewing, mapped to a broad taxonomy such as "sports" or "cycling", is sufficient for consent-free contextual targeting. The ICO explicitly warns against using more granular categories, particularly where signals are shared across many parties, because this increases the risk of special category data being inferred.

On geolocation, the ICO concluded that targeting to the region or city level is acceptable without consent. Country-level location was described by respondents as an absolute minimum requirement. According to the response from Opt Out Advertising: "Country information is an absolute minimum. If allowed, this could either be retrieved from IP addresses (the typical way of doing it) or from the time zone information stored in the device. Next to that some indication of the type of device the ad will be watched on (eg a desktop or phone). Finally contextual information, like the page URL the user was watching and the identifier of the ad position within the publisher, which allows targeting on contextual things."

Behavioural targeting - using browsing history, purchase data, and cross-site profiles - is explicitly out of scope for any future exception. The ICO was unambiguous: this type of targeting should always require consent, both under PECR and UK GDPR.

Frequency capping: first-party only

Frequency capping, which limits how many times a single user sees a given ad within a set timeframe, generated significant disagreement. Most advertisers and publishers consider it essential to avoid wasting budget and damaging user experience. But the ICO drew a careful boundary.

Cross-site frequency capping, which typically relies on persistent third-party identifiers such as cookies, was deemed too risky to include in any consent-free exception. The concern is straightforward: an identifier used to cap frequency can equally be used to track a person across the web. The ICO's preferred approach limits consent-free frequency capping to the first-party publisher domain - meaning a publisher can cap ad frequency for a user within their own site only, without needing consent, but cannot extend that capability across third-party sites.

Cross-device frequency capping - linking the same user's behaviour across different devices - would always require consent, according to the ICO. The reasoning is that people should retain choice over whether their identity is tracked across devices for advertising purposes.

The ICO also noted that privacy-enhancing technology (PET)-enabled cross-site frequency capping could potentially be included in any future exception, should workable market solutions emerge. These solutions do not yet exist at commercial scale.

Measurement, attribution, and the affiliate question

For measurement, the ICO's position is that counting aggregated impressions, clicks, and views - the basic metrics advertisers need to assess campaign performance and justify spend - can be included in any future exception. Independent third-party verification of these figures was considered important by respondents, and the ICO factored this into its advice.

Attribution is more complex. Following a user's journey from an initial ad exposure through to a purchase, particularly across different sessions and devices, inherently involves cross-site tracking and the sharing of personal data outside the first-party domain. The ICO acknowledged the importance of attribution to the industry but indicated that cross-site attribution without consent would remain off-limits unless implemented through PETs such as differential privacy techniques or trusted execution environments.

Affiliate marketing attracted specific attention. The affiliate industry argued its model carries lower risk than programmatic advertising because it does not involve complex user profiling or lengthy supply chains. According to Awin Limited's response: "To measure how an advertisement has performed, it is necessary to use cookies: to record the referral of the consumer from the publisher's website to the advertiser's, typically on the clicking of an advertisement or other content which links to the advertiser's website; on arrival at the advertiser's website, to attribute the referral to the correct publisher; and to recognise the completion of an e-commerce transaction at the advertiser's website."

The ICO accepted that differences exist between affiliate and programmatic advertising but concluded that the technical underpinnings are the same and the tracking risks are similar. Innovation in the affiliate sector would be needed to operate within any future exception.

Brand safety and ad fraud

For brand safety - ensuring ads do not appear alongside harmful or inappropriate content - the ICO's preferred approach allows the publisher or a third party acting on their behalf to scan page content and submit an abstracted signal in the bid request, rather than exposing the full URL. Using the full URL was considered a misuse risk, since it could be combined with other data points to enable individual targeting. Contextual classification of the first-party site is the ICO's recommended approach.

Ad fraud prevention proved the most technically demanding area. Invalid traffic (IVT) detection was the most commonly cited requirement. Respondents described needing IP addresses, user agent strings, and in some cases more behavioural signals such as mouse movements and click patterns to detect sophisticated fraud techniques including incentivised browsing and click farms. The ICO accepted the need for pre-bid filtering using device and browser information, but stipulated that if this is to be exempt from consent, organisations must not share this information within the broader advertising ecosystem. Instead, publishers could use privacy-preserving verification mechanisms - the ICO cited the Private State Token API as one example - to signal to buyers that the user is a real person without exposing identifiable data.

Post-bid analysis of user behaviour by third parties was deemed to require consent, given the inherent tracking and profiling risks involved.

The ICO also addressed the IAB Tech Lab's suite of anti-fraud tools including ads.txt, app-ads.txt, sellers.json, ads.cert, and buyers.json. These tools operate on information about service providers and advertisers rather than end users, which the ICO assessed as carrying lower risk.

Industry concerns about wider context

The call for views produced a range of responses about factors beyond the regulation itself. Respondents noted that regulation 6 is only one of many challenges facing publishers. Some said that a change in the law alone would not resolve the industry's problems; others argued it could provide an incentive to overcome inertia and accelerate adoption of PETs. Several respondents warned that the benefits of any new approach depend on whether advertisers actually choose to buy inventory made available under relaxed rules.

Concerns were also raised about organisations that currently do not comply with regulation 6 because they do not foresee enforcement action. A number of respondents argued that relaxing the rules without strengthening enforcement would simply reward bad actors. The ICO noted in its response that its online tracking strategy has led to 99% of the UK's top 1,000 websites meeting compliance checks for advertising cookies.

The Open Rights Group raised broader concerns about the potential for harm: "The ability to target individuals based on personal data is the main enabler of harms, discrimination and predatory practices that plague online advertising. Targeting based on personal data exposes women to unjust prosecutions for their attempt to exercise reproductive health rights; problem gamblers to being targeted with gambling ads that are meant to exploit their addiction; anyone to be excluded on the basis of their gender, sexual preferences, ethnicity or other sensitive characteristics; children and those in a more vulnerable status to be targeted and taken advantage of."

The ICO did not dismiss these concerns. Its preferred approach is designed to limit the data points available for targeting to basic signals, and behavioural advertising would continue to require consent.

What changes - and what does not

The ICO was careful to state that nothing has changed at this stage. The existing PECR rules continue to apply in full. The documents published today constitute advice to government, not a change in the law. Any amendment to regulation 6 would need to be made through secondary legislation, using the regulation 6A powers introduced in PECR for this purpose. Government would also be required to consult the ICO as part of the statutory process under regulation 6A(3).

The ICO's preferred approach has also evolved from its original plan. Earlier in the project, the regulator intended to revise its enforcement posture in the period before any legislative change. That plan was abandoned after feedback from the call for views indicated that an enforcement-only approach would create confusion. Respondents said they would not make use of any new flexibility without a change in the law itself. The ICO concluded that clarity - through legislation - is essential to support economic growth and innovation.

If government does amend regulation 6, the ICO has committed to updating its guidance on the use of storage and access technologies. It also offered to open invitations through its Regulatory Sandbox and Innovation Advice services for organisations wanting to test new approaches.

For the marketing community, the implications are significant. The ICO's advice, if adopted into law, would create a clearer legal pathway for contextual advertising to operate at scale in the UK without consent requirements, while maintaining those requirements for behavioural advertising. It would also formalise limits on first-party frequency capping and aggregated measurement. The UK's approach is taking a distinct direction from the European Union's stricter framework, a pattern already visible in areas such as consent-or-pay models for publishers and cookie exemption rules in France.

The ICO also reminded organisations today that it will take enforcement action against those that act irresponsibly. "Where users lack control, harm can occur," according to today's blog post. That warning sits alongside the advice to government - the ICO presenting itself simultaneously as a body trying to enable growth and one that remains prepared to use its enforcement powers.

Timeline

  • January 2025 - Information Commissioner sets out five commitments to support economic growth, including a review of regulation 6 PECR consent requirements
  • July 2025 - ICO launches public call for views on proposed approach to regulation 6; consultation period opens
  • 7 September 2025 - Consultation period for the call for views closes; 76 responses received
  • 21 April 2026 - William Malcolm writes to Rt Hon Ian Murray MP and Lord Livermore with the ICO's findings and formal advice on regulation 6 changes; letter states documents will be published "next month"
  • 18 May 2026 - ICO publishes full advice to government, summary of call for views responses, citizens' jury findings, and cost-benefit analysis; ICO blog post by William Malcolm published alongside documents

Related PPC Land coverage:

Summary

Who: The UK Information Commissioner's Office (ICO), represented by William Malcolm, Executive Director of Regulatory Risk and Innovation, addressed advice to Rt Hon Ian Murray MP, Minister for Digital Government and Data, and Lord Livermore, Financial Secretary to the Treasury.

What: The ICO published formal advice to government recommending changes to regulation 6 of the Privacy and Electronic Communications Regulations (PECR) that would allow certain low-risk online advertising activities - including contextual targeting, city-level geotargeting, first-party frequency capping, and aggregated measurement - to operate without user consent, while keeping consent requirements in place for behavioural advertising and cross-site tracking.

When: The advice was formally submitted to ministers on 21 April 2026 and published today, 18 May 2026. The underlying review began in January 2025 and included a public call for views that ran from July to September 2025.

Where: The UK. The advice concerns changes to UK domestic legislation (PECR) and would affect organisations operating online advertising for UK users. Any legislative change would be made through secondary legislation under the regulation 6A powers in PECR.

Why: The ICO concluded that regulation 6's uniform consent requirement applies the same standard to a wide spectrum of privacy risks, limiting incentives for industry to invest in more privacy-friendly advertising models. Digital advertising contributes an estimated £129 billion in gross value added to the UK economy annually. The ICO acted under its statutory role as an independent expert adviser, fulfilling a commitment made to government in January 2025 to support economic growth while maintaining user rights and privacy protections.

Share this article
The link has been copied!