
The ICO’s PECR Advertising Reforms Are About Less Harm Rather Than “Less Privacy”

A Summary, Interpretation and Response to the ICO’s Advice to Government on Potential Changes to Online Advertising Rules

The UK ICO’s latest advice to government on potential changes to PECR Regulation 6 may become one of the most important privacy developments for digital marketing, publishing and adtech since GDPR itself.

Walking a fine line, the ICO is relaxing consent rules for advertising while moving to a sharper distinction between high-risk and low-risk advertising practices. Behind the push is a growing recognition that not all digital advertising creates the same degree of harm.

The ICO’s analysis points toward a future built around:

  • reduced cross-site tracking,
  • less behavioural profiling,
  • fewer opaque third-party ecosystems,
  • more contextual advertising,
  • more first-party governance,
  • more privacy-enhancing technologies (PETs),
  • and critically, less fingerprinting and invisible identification.

For brands and their websites, the implication is clear: Privacy is evolving from a narrow “cookie compliance” exercise into a broader discipline of privacy management and operational control.

The key regulatory shift: not all advertising is equally risky

Historically, PECR has treated almost all advertising-related storage and access technologies similarly, but now the ICO proposes a more nuanced approach: allow certain low-risk advertising activities to occur without consent, while maintaining strict consent requirements for higher-risk behavioural advertising.

It’s designed to be pro-business and, they think, to mean fewer cookie banners. We’ll see about that.

Clearer is the ICO’s separation into two broad states. Here’s your ‘AI-gen table’ of it:

| Lower-risk | Higher-risk |
| --- | --- |
| Contextual advertising | Behavioural advertising |
| First-party processing | Cross-site tracking |
| Aggregated measurement | Persistent profiling |
| Limited data sharing | Open RTB ecosystems |
| Broad regional signals | Granular location |
| Privacy-preserving measurement | Fingerprinting and identity resolution |

This creates a new framework for understanding digital privacy risk, one that relies on the same precision detection and diagnostic auditing for transparency and visibility of SATs (storage and access technologies).

Harm is the concept increasingly driving regulation

Perhaps the most important theme running through the ICO’s papers and citizens’ jury research is the concept of harm. The public’s concern is often not about advertising itself, but about unexpected surveillance, invisible profiling, misuse of sensitive information, manipulative targeting, loss of control, and ecosystems that feel impossible to understand.


The ICO’s user research showed strong discomfort around:

  • cross-site behavioural tracking
  • hidden third-party data sharing
  • granular location usage
  • targeting vulnerable individuals (re health, finance, etc).

Importantly, users were significantly more comfortable with:

  • contextual advertising
  • first-party relationships
  • aggregated measurement
  • advertising tied directly to the content currently being viewed.

Fingerprinting more central

An important underlying issue in the ICO’s analysis is fingerprinting: identifiers being repurposed for tracking, in much the same way facial recognition can pinpoint an individual, if without naming them.

Where third-party cookies have dominated industry discussions for years, now fingerprinting increasingly represents a more serious governance challenge. This is because fingerprinting can allow organisations to identify, recognise or track users without obvious user visibility or control.

Even where traditional cookies decline, risk can remain high if organisations continue to combine device attributes, infer identity probabilistically, track users across contexts, or create persistent identifiers, even indirectly.

The ICO’s shift in thinking suggests that any covert identification or hidden recognition techniques, especially persistent cross-context identity systems, will continue to attract regulatory scrutiny.

Our research has shown many organisations still do not have visibility into the technical complexity of online tracking, such as what scripts execute across their websites or which vendors contribute to device recognition. Our data shows identifiers in adtech where “low-risk” analytics can become high-risk fingerprinting. The technical reality of modern websites is often far more complex than companies know.


Privacy management replaces “privacy compliance”

The old model was: deploy a CMP (consent management platform) -> present a banner -> collect consent -> move on.

The emerging model is quite different: establish what technologies are operating -> what data is collected -> who receives it -> what level of risk it creates -> what to collect consent for -> prove the risk level.

Visibility will be critical to be sure that actual implementation matches intended control, and transparency will be vital to document the level of risk and the appropriate action. That is my deduction, if it’s to be enforceable.

Importantly, privacy management has to be more than checkbox-style privacy compliance, including:

  • continuous auditing
  • implementation governance
  • monitoring changes
  • risk classification
  • vendor oversight
  • advertising operational transparency.

Our data shows most organisations now operate somewhere between these two broad privacy states:

| Low-risk privacy management state | High-risk privacy management state |
| --- | --- |
| Contextual advertising | Behavioural advertising |
| First-party analytics | Cross-site tracking |
| Aggregated measurement | Identity resolution |
| Limited identifiers | Fingerprinting |
| Broad geolocation (city/region level) | Persistent identifiers |
| Privacy-enhancing technologies (PET)-enabled reporting | Granular profiling |
| Minimal third-party sharing | Extensive third-party ecosystems |
| On-device or first-party frequency capping | Cross-device tracking |
| Broad content taxonomies (“sport”, “cycling”) | Sensitive inference and audience segmentation |
| Transparent, limited-purpose processing | Opaque supply chains and unclear downstream use |
| Data minimisation | Excessive collection and retention |
| Privacy-preserving attribution | User-level attribution and retargeting |
| Lower likelihood of consumer harm | Higher likelihood of consumer harm |
| More aligned with ICO direction of travel | Greater regulatory and reputational risk |


The challenge for CPOs, CMOs and CTOs is that many organisations currently do not know which state their digital estate actually operates within. Managing website privacy without visibility is like driving without a speedometer; privacy management without technical visibility is flying blind.

PS. we can provide the whole dashboard.


Next?

You do digital marketing, you probably track but do it nicely, and do it legally. Please.

By being proactive you’ll see the operational benefits of privacy governance too, in lower risk and lower cost, where diagnostics and guided remediation minimise reactive fixes and legal escalation (plus standardised workflows across legal, marketing, and technical teams – the people bit is hard too).

Take a Cressive approach to doing privacy properly: read more and ask for a free scan.

