The ICO exists to empower you through information.

Taking control: our online tracking strategy

Share

Introduction

Being tracked online is part of daily life for most people, enabling and funding many of their digital experiences. For example, people might let a social media platform track their browsing activity to receive more personalised ads, or use a fitness device to track their location and health metrics with an app.

When users are in control, online tracking enables them to receive more personalised and tailored services in line with the information they choose to share. Sometimes, however, organisations use information they have gathered about users’ activities online in ways they may not understand or expect.

When users lack control, harm can occur. For example, gambling addicts may be targeted with betting ads based on their browsing record – with no easy way to block them. People’s sexuality, beliefs, health and location may be identified, causing unwanted disclosures.

In our 2022 survey 90% of adults were concerned about companies using their personal information without permission. While many organisations take care when tracking people’s activity, others fall far short of data protection requirements.

Some 60% of the cookie-related complaints we received in 2024 related to people not being given the option to reject non-essential tracking. This is unfair to users of online services and organisations that are acting responsibly, who should expect a level playing field.

We expect organisations to give people meaningful control over how they are tracked online. This strategy sets out how we will promote compliance with the law in 2025 to obtain a fairer online tracking ecosystem for people and business. We’ll do this by:

  • clarifying how the law applies and our expectations in guidance and other publications;
  • engaging with industry to shape a more compliant and privacy-oriented ecosystem;
  • scrutinising the compliance of organisations across the online tracking ecosystem; and
  • investigating and enforcing against organisations that do not comply.

Together, this work supports our ICO25 strategic enduring objectives, namely:

  • safeguarding and empowering people; and
  • promoting responsible innovation and sustainable economic growth.

What we achieved in 2024

We have already done much to ensure organisations give people meaningful control over how they are tracked:

Our action does not stop here. In 2025 we will go further and faster to give people meaningful control over how they are tracked online and uphold a level playing field for all online services.

Our focus in 2025: online advertising

Giving users meaningful control is especially important in online advertising as these products and services typically rely on the tracking of a wide range of people’s activity online. The processing of this data can be used to build very detailed profiles that enable highly individualised insights and decisions about people.

These insights and decisions are sometimes benign but can easily relate to sensitive areas of people’s lives, such as their beliefs, health and sexuality. This creates risks that increase for people in vulnerable positions, who are more likely to adjust or limit their online activity to avoid risks of their personal information being disclosed or of discrimination and other harms.

Many people are concerned about the insights and decisions that may derive from their online activity. When controls are available, these people use them to try to restrict data collection.

“I look through how my data is used and deselect any ‘personalised’ advertising data and when I remember I delete voice commands in [my smart device] that it stores.”

– ICO research participant, ICO IoT Citizen Jury 2024

Meaningful control is critical to ensuring that people can confidently share and manage their information online. Our work to tackle non-compliance will enable people to make effective and informed choices, build trust, and reduce risks to those in vulnerable circumstances.

We want to see a fair and consistent online ecosystem where people have meaningful control over how their personal information is used. Our work will encourage changes to ensure that:

  • people can operate online with trust and confidence;
  • people don’t feel they have to contort their actions online to stay private and safe;
  • people can meaningfully control who can use their information;
  • people can meaningfully change how their information is used – especially if it’s causing them distress or discrimination; and
  • organisations are not disadvantaged by following the rules and improving their approach to online tracking to ensure it is compliant.

This will improve the lives of people in the UK and will particularly benefit those in vulnerable situations – directly contributing to the ICO’s enduring objective to safeguard and empower people.

Why we need to act

Through our engagement, we know that UK data protection law is widely understood. However, we also know that while organisations understand their obligations, they face difficulties when making the changes needed to comply. Their message is often, “We want to change but if we act unilaterally, we’ll be disadvantaged compared to our competitors who will benefit from greater insights and revenues.”

Without ICO action, this ‘first mover disadvantage’ will remain in place. Organisations will continue to face weak incentives to innovate and invest in more privacy-respectful approaches, such as contextual advertising. We’ll act to uphold a level playing field for businesses and make sure it’s easy to do the right thing.

Many people enjoy receiving personalised advertising. If they have meaningful control over how they are tracked, this can help them connect with new offers and businesses of interest to them:

“I think it's quite useful […]. I go to see quite a lot of concerts and bands and […] you start getting all these adverts about similar sorts of bands that you might like to go and see. […] some of it is actually quite smart and useful.”

– ICO research participant, ICO IoT Citizen Jury 2024

We support the delivery of ads that help people and businesses. However, our research tells us that some groups of people are less happy to get this personalisation. We also know that people’s comfort in sharing data can change depending on context. People need a fair choice about personalised ads, the ability to change their mind, and the ability to ensure their data isn’t used for extended purposes they didn’t expect.

Without control, harm can occur – with people being targeted by ads based on personal information they didn’t choose to share. We recognise that personalised advertising is lucrative for many organisations, but this is no excuse for their non-compliance with the law. We’ll act to restore users’ meaningful control.

What are the key problems?

We identify four areas where people are not being given the control they are entitled to under data protection law. These areas are present across a wide range of websites, services and technologies, affecting nearly all adults online.

  1. Deceptive or absent choice


    Often, people are not presented with an option to opt out of non-essential data processing. We also see deceptive choices being presented – for example, cookies being set regardless of users’ wishes.

    In our review of the top 100 websites, we found 30% setting advertising cookies without consent or after a user chose not to consent. This is also reflected in our qualitative research, where users tell us that choices are often not made available or that accepting terms and conditions is required to make a product work.
    “Sometimes when you’re on a site, it says ‘will you accept these cookies’ – [they] are basically just like information about you… [it feels like] you don’t actually get a choice.”
    – Research participant, ICO Children’s Data Lives 2024

    We also observe organisations adopting alternative forms of online tracking, such as fingerprinting, as the online advertising industry seeks to adapt to restrictions on cookies. Too often, we see these alternative forms of tracking deployed without genuine user choice.

  2. Uninformed choice


    Even when organisations provide a consent mechanism that works properly, we observe they don’t always present people with simple information about the purposes for which they’re agreeing to share their information. Making informed choices can be especially difficult on the wide array of smart devices people rely on in daily life, where these choices are often presented unclearly.
    “It’s not even laid out clearly. So if you’re in a hurry to look for something, you don’t want to sit and read all that; you just want the website to get going.”
    –Research participant, ICO Data Lives 2023

    People often have limited time to engage with choices presented to them about their data – but this doesn’t mean they don’t care. Because time is limited, it’s vital that organisations give people key information so they can make choices that best match their preferences. As we say in our joint report with the CMA on harmful design practices, failure to give people fair choices can lead to breaches of data protection, consumer and competition law.

  3. Undermined choice


    Even when organisations state clearly how they’ll process users’ information, alongside a functioning consent banner, we observe that the information isn’t always processed in line with the promise.

    Our engagement with the public shows that people are often surprised when they discover how their information is being used.
    “I don’t think [social media platform] uses my data at all. I know they’ve got it there, but they couldn’t give it out to anybody because it’s personal. I don’t think they’d use it for anything.”
    – Research participant, ICO Data Lives 2023

    People want more transparency, simpler controls and assurances that their personal information is being used responsibly. Our research shows that these mitigations were even more important to them when their information could be shared with third parties for advertising.

  4. Irrevocable choice


    Even when people have been given a clear and effective choice, and the purposes they’ve originally agreed to are upheld, we find that they may have no meaningful way to change their mind.

    People report feeling powerless in controlling their data online after having initially agreed to share it. When they have tried, they find the controls available are complex. People tell us that exercising their information rights feels like a battle which, to win, they’d need to hire a lawyer. They say it’s easy to give away their data but impossibly hard to wrestle back control of it.

Our plan of action

We are committed to giving people meaningful control over how they are tracked online, enabling them to go about their online daily lives with trust and confidence. In 2025 we will do the following things:

Make it easier for publishers to adopt more privacy-friendly forms of online advertising

We want to encourage publishers to deploy more privacy-preserving advertising that does not involve extensive profiling of people based on their online activity, habits and behaviour, potentially across different services and devices.

We will explore where PECR requirements to obtain consent for non-essential storage and access technologies prevents an industry-wide shift towards more privacy-friendly forms of online advertising, such as contextual models, and publish a statement outlining low-risk processing activities (such as, potentially, privacy-preserving ad measurement), which are unlikely to cause damage or distress or result in enforcement sanction. We will work with government to explore how it could amend legislation to reinforce this.

We will continue to enforce consent requirements for the collection of personal information for ad targeting and personalisation, ensuring that people have meaningful control over how their information is used.

Ensure publishers give people meaningful control over how they are tracked on websites

Building on our success last year, we will extend our action to ensure that people have meaningful control over how they are tracked for personalised advertising by the top 1,000 most popular websites in the UK. We will reinforce this with automated monitoring of website compliance, ensuring that people and businesses can have confidence that there is a level playing field.

We will engage with major consent management platforms to ensure that the options they offer publishers reflect the requirements of UK data protection law. We will warn publishers where consent management platforms do not support compliance by default.

Ensure that people have meaningful control over tracking for personalised advertising on apps and connected TVs

We will take action to ensure that non-compliant online tracking does not continue unfettered on apps and internet-connected TVs and uphold a level playing field for web publishers. We will consult on guidance on data protection for Internet of Things (IoT) devices. We will intervene with app developers and connected TV manufacturers to promote compliance with the law.

Confirm how publishers can deploy ‘consent or pay’ models in line with data protection law, supporting their economic viability

Alongside this strategy, we are publishing guidance on ‘consent or pay’ models. It clarifies how publishers can deploy these models to give people meaningful control over online tracking while supporting their economic viability.

If publishers choose to adopt ‘consent or pay’ models, they must be able to show that people can freely give their consent to personalised advertising. We will engage with publishers to ensure that people’s information rights are upheld. We will take action where the models are introduced in ways that inhibit meaningful control.

Provide industry with clarity on the requirements of data protection law, leaving no excuse for non-compliance

We will publish final guidance on storage and access technologies after our current consultation and the passage of the Data (Use and Access) Bill, giving industry regulatory certainty and leaving no excuse for non-compliance.

Where novel solutions emerge, we will support businesses to introduce them in compliance with data protection law through our Regulatory Sandbox and Innovation Advice services.

We will work with the online advertising industry and wider stakeholders on developing a certification scheme to enable organisations to show they are processing personal information in compliance with the law.

Investigate compliance failures in the wider adtech ecosystem

We will investigate potential non-compliance in the data management platforms that connect online advertisers and publishers, building on the audits that we concluded last year.

We will examine the case for further action to ensure that people can easily withdraw their consent from all organisations that their personal information has been shared with

Support the public to take control of how they are tracked online

We will publish guidance for the public on how they can understand and control the use of their information online, and raise awareness of their rights.

We will continue to seek feedback from the public via surveys and research to understand how our changes can raise their trust and confidence in the way their personal information is used.