The Information Commissioner’s Office (ICO) has recommended to the UK government that consent should no longer be required for all types of online advertising, as part of a broader review of the Privacy and Electronic Communications Regulations (PECR) rules on cookies and tracking. The ICO has proposed a model that would allow limited forms of advertising without consent, while keeping stricter requirements in place for more intrusive practices. This is not a wholesale rollback of the current regime but could signal a change to a more industry-friendly approach moving forwards, which will be welcomed by many.

This builds on the recent changes already made to cookie rules under the Data (Use and Access) Act 2025, which softened rules on consent around certain analytics cookies but did not touch advertising cookies.

What may be changing?

Under regulation 6 PECR, organisations currently need consent to store or access information on a user’s device for advertising purposes, regardless of how that information is used. The ICO’s view is that this “one size fits all” approach may be preventing the development of lower-risk, more privacy-friendly advertising models. To address this, it has proposed that the government consider introducing new exceptions to the consent requirement.

A move towards “low-risk” advertising without consent

The ICO’s preferred model would allow organisations to deliver some forms of advertising without consent, provided they operate within defined limits. In particular, the focus is on:

  • Activity controlled primarily by the publisher (first party)

  • Limited use of data, with no extensive tracking or profiling

  • Restricted involvement of third parties 

This reflects a clear attempt to distinguish between advertising that is functionally necessary or low impact and advertising that relies on tracking individuals across services.

What could fall outside consent?

The ICO identifies several purposes that could potentially be carried out without consent, including:

  • Ad delivery: the technical process of serving ads to users on a webpage, including the limited use of device and request-level information necessary to display the ad.

  • Contextual or basic targeting: targeting based on non-intrusive signals such as the content being viewed, time of day, device type, or broad location (for example, city-level), rather than tracking individuals across sites.

  • Measurement and billing: assessing ad performance (such as impressions, clicks, and views) on an aggregated and non-identifiable basis, including for billing purposes.

  • Frequency capping: limiting how often a user sees the same ad, typically within the confines of a single service (first-party environment), and using only the minimum information needed to achieve this.

  • Ad fraud prevention and detection: identifying invalid traffic or fraudulent activity (for example, bots or fake impressions), primarily at a first-party level and without widespread sharing of identifiable data with third parties.

  • Brand safety: ensuring ads do not appear alongside inappropriate or harmful content, for example by using page-level signals or classifications rather than sharing granular user data.

  • Attribution: measuring whether an ad led to an outcome (such as a purchase), but only where this can be done using anonymised or privacy-enhancing techniques that avoid tracking users across sites.

What will still require consent?

Importantly, the ICO draws a firm line around behavioural advertising. In the ICO’s opinion, targeting based on tracking user behaviour, especially across different sites or devices, should continue to require consent under PECR and, in many cases, under the UK GDPR as well. In practice, this means that contextual and limited targeting may become easier to deliver without consent, but tracking-based advertising models and advertising using special category personal data will remain consent-based.

Safeguards remain key

Even where consent is no longer required, the proposal does not reduce overall compliance expectations. Organisations would still need to:

  • Comply with the UK GDPR (including data minimisation and conducting legitimate interest assessments when relying on legitimate interests)

  • Ensure processing is fair, proportionate, and within user expectations

  • Provide clear and transparent information about how data is used 

The ICO also draws boundaries around children’s data (here meaning under-18s), where the scope for consentless advertising is much narrower. The ICO’s approach is best understood as redistributing regulatory friction, rather than removing it.

Why does this matter?

If taken forward, this could represent a meaningful shift in the UK’s approach to online tracking. In particular, it may:

  • Reduce reliance on cookie banners for certain use cases

  • Allow publishers to monetise users who do not consent to tracking

  • Encourage a move towards privacy-preserving advertising models instead of real-time bidding 

However, the impact is likely to be gradual. The ICO is clear that its proposals are intended to support incremental change, rather than reshape the market overnight.

What should organisations be doing now?

At this stage, the proposals are advisory and any change will depend on government action, but this is certainly one to watch.