The UK ICO’s latest advice to government on potential changes to PECR Regulation 6 may become one of the most important privacy developments for digital marketing, publishing and adtech since GDPR itself.

Walking a fine line, the ICO is relaxing consent rules for advertising, and moving to a sharper distinction between high-risk and low-risk advertising practices is the push – a growing recognition that not all digital advertising creates the same degree of harm.

The ICO’s analysis points toward a future built around:

• reduced cross-site tracking,
• less behavioural profiling,
• fewer opaque third-party ecosystems,
• more contextual advertising,
• more first-party governance,
• more privacy-enhancing technologies (PETs),
• and critically, less fingerprinting and invisible identification.

For brands and their websites, the implication is clear: Privacy is evolving from a narrow “cookie compliance” exercise into a broader discipline of privacy management and operational control.

The key regulatory shift that not all advertising is equally risky

Historically, PECR has treated almost all advertising-related storage and access technologies similarly, but now the ICO proposes a more nuanced approach: allow certain low-risk advertising activities to occur without consent, while maintaining strict consent requirements for higher-risk behavioural advertising.

It’s designed to be pro-business, they think with fewer cookie banners. We’ll see about that.

Clearer is the ICO’s separation into two broad states. Here’s your ‘AI-gen table’ of it:

Creating a new framework for understanding digital privacy risk; relying on the same precision detection and diagnostic auditing for transparency and visibility of SATs (Storage Access Technologies).

Harm is the concept increasingly driving regulation

The challenge for CPOs, CMOs and CTOs is that many organisations currently do not know which state their digital estate actually operates within. Managing website privacy without visibility is like driving without a speedometer; privacy management without technical visibility is flying blind.”

PS. we can provide the whole dashboard.

Next?

You do digital marketing, you probably track but do it nicely, and do it legally. Please.

Being proactive you’ll see operationally benefits of privacy governance too, in lower risk and lower cost, where diagnostics and guided remediation minimise reactive fixes and legal escalation (plus standardised workflows across legal, marketing, and technical teams – the people bit is hard too).

Take a Cressive approach to doing privacy properly: read more and ask for a free scan.

The post The ICO’s PECR Advertising Reforms Are About Less Harm Rather Than “Less Privacy” appeared first on Cressive DX.

How It Works

Add our “Privacy Monitored by Cressive” badge to your website footer. 

It signals to visitors that you’re compliant to GDPR — while we continuously scan your site to ensure it stays that way.

• Continuous Monitoring – Cressive Privacy Compliance, our best-in-class software, scans your website weekly for privacy issues, including cookies, trackers, and data collection methods.
• Customer Trust – Display the badge to prove to visitors that privacy compliance and data protection matter to you. That they – and their wishes – matter to you.
• Instant Alerts – Get notified the moment we detect a problem, so you can fix it before it becomes a fine.

FAQs

What does the badge mean?
It means Cressive actively monitors your website for privacy issues. If we find a problem, you get alerted so you can stay compliant.

I already have a Cookie Banner. What value does a badge add for me?
As we over in our privacy compliance introductory guide, only 5% of sites are GDPR/ privacy law compliant despite having a cookie banner. Our monitoring, on the other hand, captures and flags all tracking technologies, allowing full compliance. The badge guarantees we’re monitoring your site.

How often do you scan my website?
Monthly automated scans (unless you want more frequent).

What happens if you find compliance issues?
You’ll receive an alert with details on what needs fixing. Your badge stays active while you resolve them. 

Does this replace my privacy policy?
No. You still need GDPR-compliant policies and cookie consent. But we automate the monitoring whether your live site actually follows them.

So why monitor privacy?
Because technology changes constantly. Staying compliant means respecting your customers — and staying on the right side of the law.

What if I want to remove the badge?
You can. We’ll stop monitoring.

How much does it cost?
Ask about basic monitoring, or upgrade to premium features: detailed reports, priority support, and deeper scans.

What compliance standards do you monitor?
GDPR, CCPA, PDPL, PIPEDA, the ePrivacy Directive — plus best practices in cookie consent and data collection transparency.

Can customers click on the badge?
Yes. It links to a public status page showing your compliance level and last scan date.

Why Join the Privacy Monitor Network?

The Cressive Privacy Monitor network is designed to show solidarity in respect for customer privacy in a world moving the wrong way. Fight entropy with us.

It’s a cost-effective way to:

• demonstrate respect for your customers,
• meet legal digital privacy obligations, and
• reduce one more worry in managing your business.

The post Cressive Privacy Monitor Network appeared first on Cressive DX.

If reality of the current Internet is only 5.4% of websites are compliant, why have laws that aren’t policed? Actually they are — more fines are being issued every month.

Will you avoid a fine — or be next to be outed by your customers on social media for not caring?

Perhaps more remarkable: most non-compliant site owners don’t know they’re non-compliant until we tell them.

An Expensive Mistake 95% of Companies Are Making

This doesn’t mean 95% of companies don’t care about privacy — it means most think they’re compliant when they aren’t. 

Too many marketers believe a cookie banner = compliance. It does not. Not even close. We can show you.

A cookie banner can be like a cardboard cut-out security guard at the door while thieves climb through every window. It looks official, but the real threats walk straight in.

The current market share of cookie banners: OneTrust leads way with a 16% market share — and growing fast. But a cookie banner can be like printing an MOT certificate – pointless unless you perform the test itself and ensure safety, in this case privacy; the sector is flooded with ineffective, poorly configured banners.

What’s Collecting Data While Your Cookie Banner Isn’t Looking

And while you’re focused on cookies, everything else is still harvesting data:

• Network requests send IP addresses, referrer data, and user agent strings every time a page loads.
• Tracking pixels from Facebook, Google, LinkedIn beam back data before your banner even appears.
• Browser fingerprinting builds unique profiles from device settings, fonts, timezone.
• Client-side scripts from analytics, chat widgets, marketing tools start collecting instantly.

Your cookie banner may see none of this; may block none of this. Meanwhile, bad actors exploit these methods the way spammers dodge filters: endlessly, for their own gain.

If you don’t know what’s firing, you need to audit your website’s privacy.heoretical. It’s operational. And “we thought the banner worked” won’t impress regulators – nor customers.

When the Fines Come, They Come Hard

Privacy regulators aren’t bluffing. During the last 18 months:

• Meta: €1.2 billion (data transfers)
• Amazon: €746 million (processing violations)
• TikTok: €345 million (failing to protect minors’ data)

These weren’t companies without cookie banners. They were companies who thought they were “covered.”

Healthcare, pharma, and finance are particular targets due to industry standards. Their banners and tracking setups are under scrutiny.

The pattern is clear: cookie banners create false confidence, and false confidence creates fines. (Privacy banner would be a better term than cookie banner but that’s another post…)

Your Website Changes Daily — Your Compliance Doesn’t

Most companies audit quarterly. That’s 89 days where a single rogue script can break compliance and cost millions / leave you at brand risk. (Think we’re exaggerating? Ask us about the predicament some of our US clients find themselves in.)

Meanwhile, your cookie banner sits there, looking official, blocking the same old cookies, while new trackers slip past unnoticed.

How to Increase the 5% of Compliant Websites

Truly compliant companies don’t just manage cookies. They monitor everything:

• Catch network requests sending data without consent.
• Detect when new trackers appear.
• Spot fingerprinting and pixels.
• Automate scanning in real-time, not months later.
• Keep detailed logs, timestamps, and proof regulators can accept.

Stop Guessing, Start Knowing

Your cookie banner is necessary but nowhere near sufficient. (Original: Your cookie banner is necessary but not sufficient. It’s not enough.)

If you’re serious about avoiding fines, you need to see what’s really tracking users. In business terms: audit, monitor, act.(Original: – where the business and professional version of ‘see’ is: audit, know, be proactive, monitor.)

Because when regulators come calling, “we had a cookie banner” won’t save you.

Fines are growing in size and frequency. Today, mostly for egregious breaches — but how long until regulators make an example of companies who simply flout the rules?

And beyond fines, there’s reputational risk: being outed on social media as a brand that ignores privacy.

Are you fine with that?

The post Cressive Privacy Data – Q3 2025 appeared first on Cressive DX.

Do you care about privacy? You should. Your customers do. The law says you must. Over 80% of users decline cookies – is that you? Yet more than 95% of websites track them anyway – is that you too?

Technically illegal; alarmingly common. Your site(s) is probably already non-compliant, ie. illegal.

Whenever inventing new technology (steam engines, electricity, TikTok), we rush to exploit it first and ask ethical questions later. Cookies were no different. Regulators are now catching up and fining companies millions for illegal non-compliant websites. And while the spectre of a fine may seem a long way off, can you in good conscience put hand on heart and say your website is respecting customer privacy?

Here is an introductory guide to privacy compliance and customer tracking — to challenge you: how not to be the moral equivalent of spam in your customers’ inbox. Do you like getting spam? No. Do you send spam? No. Do you like being tracked online? No. Does the website you’re responsible for track?…

Stage 1: Are You Required to Comply — Or Choose Not To?

Is Your Website (i.e. You) Legally Required to Comply?

Does this apply to you and me? In short, most likely, yes. If you:

• Receive traffic from the EU, UK, California, or Canada – to name but four hotspots
• Use any analytics, ad tracking, or CRM integrations – ie. is other than a single dormant page
• Share data with platforms for marketing or personalisation – most do, even unwittingly.

GDPR says: anything non-essential requires opt-in consent before it’s set.  GDPR is the main law; the ePrivacy Directive (a.k.a. “the cookie law”) is its sidekick. Together, they require prior, informed, opt-in consent. It is fast becoming the global standard, with CCPA PIPEDA and PDPL on the inside rail.

How & What We’re Talking About

Cookie banners: just showing one does not make you compliant. Most banners today are broken or misleading.

• Cookies should not be dropped before consent, but 95% of sites do it anyway – really
• Even when users click “Decline,” banners ignore this and sites still track them – alarmingly
• Obscure designs, delayed opt-outs, and dark patterns are everywhere – we’ve all seen it.

This applies to any website, large or small. And chances are you’re using tracking technology, whether you know it or not.

What Counts as Tracking?

• Cookies even for “basic” analytics – like Google Analytics (GA4), Google Tag Manager (GTM)
• Third-party pixels – like Meta/Facebook, LinkedIn
• Session replays – like Hotjar, FullStory
• Network requests, script injections, fingerprinting, pings, beacons, eTags – and many more nasties.

Why Businesses Don’t Comply

1. They don’t know the law – but ignorance is no defence
2. They assume tracking violation is too trivial to matter, or deprioritise it – to stay “under the radar”
3. They thought “someone else” in their company did it – yes, including that ‘external person’ you thought knew what they were doing when they set it up, and you didn’t know how to check their work
4. They ‘put off’ implementing consent so as not to ‘miss out on’ traffic data – an inevitable consequence
5. They don’t know for one website let alone the 100 they manage – but ‘it’s difficult’ is no defence.

Decision Point:

Are you comfortable tracking users without their consent, knowing it breaches the law — or by not knowing — if you might not get caught? This isn’t a grey area. It’s black and white, and you’re running a red light. 

Do you in good conscience know either way?

Stage 2: Are You Taking Compliance Seriously?

Best not guess; proactively audit your risks. Even if enforcement hasn’t reached you yet, your privacy setup may already expose you — find out and ensure you know what your websites track, and how.

Red Flags & Risk Triggers

• You use Google Analytics, Meta Pixel, TikTok Ads, or HubSpot – or you have agencies adding this stuff – and let’s be very clear that any tracking of this kind is a serious risk to your compliance
• Your banner appears, but doesn’t block anything
• You use embedded YouTube, Maps, Calendly, or chat tools that set cookies silently
• You can’t say: “How many trackers fire on our homepage and are they blocked until consent?”

Key Questions to Ask (and Answer) Now

• Is our banner legally configured – or just cosmetic?
• Do we log consent properly – or just assume?
• Can we detect new trackers when devs or agencies add them – with or without our knowledge?
• Can we prove, with evidence: “We comply with the relevant GDPR/CCPA/CPRA rules”?

If you can’t answer these, your risk isn’t theoretical, it’s operational. Saying “we thought the banner was set up correctly” won’t impress regulators – nor customers.

Stage 3: Full Technical Compliance — Treat Customers With Respect

This is where mature organisations arrive (tickets for a trip to Cressive-ville available below) — because they care about customers, or at least about brand trust, data quality, and being ready for regulatory audits.

What Real Compliance Looks Like

• Privacy banners that actually block all un-consented tracking with suitable and correct configuration
• Automated detection of rogue scripts, cookies, and trackers (both client- and server-side)
• Customers’ geography accounted for (stricter in EU, Middle East, Canada, increasingly the US)
• Audits logged and documented, with monitoring that show regulators you are proactive
• Consideration of Global Privacy Control (GPC) – OK, a more advanced aspect but it’s here and important, and real compliance knows where you stand on it.

Still need convincing? There’s (a lot) more: i) the existence of Google Consent Mode* (GCMv2) confirms even Google knows that GA4 is not compliant, and ii) are you aware of the stipulation in Google’s own T&Cs that to use its products, like Google Ads, a (/your) website must itself remain privacy compliant? – therefore all those 95% of non-compliant websites will therefore be simultaneously not compliant with Google T&Cs , and iii) MS Clarity has followed suit in requiring you to be compliant to use it… … …

*(Google Tag Manager is now ruled to be not compliant by the German courts. True. Holy moly… Therefore if you use GA, GTM or GCMv2 on your website then it is likely illegal, Blimey. )

So, Why It Matters & What Matters Most To You

• Regulatory risk: non-compliant website (with broken banners, etc etc) now attract fines
• Brand trust: respect your customers or lose them
• Investor diligence: privacy is part of M&A checklists
• Legal compliance: you obey the law elsewhere – why not in website privacy compliance?

This isn’t just hygiene. It’s modern digital governance. It’s your brand respecting customers. And it’s the law.

A Real-Life Example (Because Humans Like Stories)

An American retailer installs a marketing pixel. EU visitors arrive. No consent asked. Data flows. One visitor complains. Regulators agree: personal data was processed without consent. Result: a hefty fine. This isn’t theory. It’s happening. But ignoring privacy isn’t just illegal — it’s bad manners, and a risk to your brand.

You risk brand reputation when you find yourself outed in social media by an irate customer whose privacy you did not respect. (Indeed, you might have the privilege of being showcased in one of our ‘Bad Examples of Privacy‘ updates, alongside ‘Good Examples of Privacy’ against which to benchmark your brand…)

The Three Stages (For People Who Like Tables)

Next Action?

Nearly every website tracks. Worryingly few do it transparently, respectfully, and legally.

Think of this as digital hygiene. In the 19th century, people learned not to dump sewage in the town well. In the 21st, we’re learning not to drop trackers before consent. Do your bit: our rivers — digital and real — are polluted enough already. You need to track — you do marketing — but do it nicely, and do it legally.

(Pragmatically, at least demonstrate your proactivity in being compliant,, to avoid costly and time consuming legal suits — be like our US clients, be monitored, and avoid getting sued every other week.)

Your choice: fix it now, or become the case study quoted in the next regulator’s press release. We can help. Take a Cressive approach to doing privacy properly: read more and ask for a free scan …

The post Is Your Website Tracking Visitors Legally? appeared first on Cressive DX.