June 2, 2026

The ICO's Online Tracking Recommendations: Is a Lifeline Coming for Independent Publishers?

Published By
Ross Webster
Time
Reading Time
5min
Chat
Chat

The ICO's Online Tracking Recommendations: Is a Lifeline Coming for Independent Publishers?

For independent online publishers, the last few years have felt like a war of attrition.

Not only have they been fighting off the relentless pillaging of their content and traffic by increasingly dominant AI platforms and LLMs, they have had to deal with an array of regulators tightening the screws on their ability to operate the traditional Real Time Bidding (RTB) business models.

But perhaps now, there's a genuine glimmer of hope on the horizon.

In spite of consistent pressure from privacy advocates preaching that RTB represents the largest data breach in history, the UK's Information Commissioner's Office (ICO) seems to have recognised that if the current regulatory trajectory continues, we are going to see widespread devastation across premium publishing, where quality content is replaced by AI slop and low-quality User Generated Content.  Digital advertising contributes an estimated £129bn annually to the UK economy. That's not a niche industry the regulator can afford to ignore.

The ICO's own surveys on the topic provided a nuanced picture that should encourage publishers:

  • 56% of adults would prefer to share less information and receive less relevant advertising
  • 57% reported a negative emotion when presented with a consent-or-pay choice
  • 76% agreed that websites "have to make money somehow"
  • Less than 50% of those who granted consent understood their data could be shared with third parties

The takeaway is that public discomfort is not really directed at advertising itself, rather it's directed at unexpected surveillance, invisible profiling, and opaque ecosystems. Users were significantly more comfortable with contextual advertising, first-party relationships, and aggregated measurement.

To quote the ICO "People firmly viewed the use of their personal data outside this boundary as something they wouldn't reasonably expect and should only happen with their consent."

Following a lengthy consultation, the ICO has published a report for the UK government's consideration titled "Advice on a viable approach to creating online advertising exception(s) to regulation 6 PECR". The context matters here: the Data (Use and Access) Act 2025 received Royal Assent and key provisions came into force in February 2026, inserting a new Regulation 6A into PECR that empowers the Secretary of State to create new exceptions to the Regulation 6 consent requirements. The ICO's report is its formal advice on how those new powers should be used. From the look of it, it could be a lifeline for publishers.

The Seven Proposed Consent Exemptions

The ICO is proposing a consent exemption under ePrivacy rules (PECR) for seven core advertising functions, provided strict safeguards are met:

  1. Ad delivery
  2. Targeting (limited signals only)
  3. Measurement and billing
  4. Attribution
  5. Frequency capping
  6. Brand safety
  7. Ad fraud prevention and detection

Targeting without consent would be limited to:

  • Device and platform — device, OS and browser (not browser version)
  • Geolocation — city or region level only (not town or postcode)
  • Temporal — date and time of day
  • Contextual — content mapped to a broad taxonomy (e.g. "sports", "cycling")

Behavioural advertising, cross-site tracking and profiling, processing of special category data, and granular location data would all still require consent.

The Big Win: Monetising the "Reject All" Audience

Right now, if a user refuses consent, standard practice dictates publishers should not drop the tracking IDs required to extract proper value from an ad impression.

The ICO's new advice turns this on its head. Under their proposed framework, publishers wouldn't need consent for basic ad delivery, fraud prevention, brand safety, measurement, and frequency capping.

For independent publishers, this is significant. Since the ICO started enforcing the equality of "Reject All" and "Accept All" buttons on Consent Management Platforms (CMPs), publishers have seen a material fall in consented traffic. This change means publishers could legally serve, measure, and protect ads across 100% of their audience including users who opt out of traditional tracking.

Furthermore, the ICO notes that for privacy-safe, non-behavioural advertising, GDPR's absolute "right to object" wouldn't apply giving publishers a more predictable legal foundation to operate on. When advertising processing is deemed outside the scope of direct marketing (because it relies on broad context rather than a personal profile), the absolute right to object doesn't apply.

Critically, the expected impact is strongest precisely where it's most needed: mid- and base-tier publishers most constrained by consent rejection will benefit most. Big Tech platforms with large banks of consented first-party data will see only neutral to modest impact. The short-term opportunity is most accessible via direct deals, requiring the least adaptation for a realistic starting point for smaller operations.

The Fingerprinting Problem Nobody Is Talking About

One issue that has emerged from the detailed analysis is that while the industry has spent years focused on third-party cookies, fingerprinting is rapidly becoming the more serious governance challenge.

Fingerprinting allows organisations to identify, recognise, or track users without obvious visibility or user control, combining device attributes, inferring identity probabilistically, and creating persistent identifiers across contexts. "Low-risk" analytics can quietly become high-risk fingerprinting without organisations even realising it.

The ICO's direction of travel is clear: any covert identification or hidden recognition technique, especially persistent cross-context identity systems, will continue to attract regulatory scrutiny regardless of whether traditional cookies are involved. Publishers using third-party ad tech should take note,  the consent exemptions do not provide cover for invisible tracking that continues through the back door.

The Reality Check: The Tech Hurdle for Independent Sites

While all of this is broadly positive, implementing it in the real world may be a challenge for smaller, independent publishers.

The ICO's proposal leans heavily on a "first-party" framework. They want data storage and processing to happen within the publisher's own domain, with widespread, unchecked data sharing with third parties strictly restricted.

This creates an operational challenge. Big Tech and Big Media have the developer resources and capital to build proprietary, server-side ad stacks, first-party data clean rooms, and complex Privacy-Enhancing Technologies (PETs). Independent publishers don't own their own technology stacks,  they rely on third-party vendors. Under the ICO's strict first-party definition, simply passing a user's data to an external vendor can technically cross the line into "third-party sharing," leaving independent publishers in a compliance grey area while the media giants pull ahead.

There are also legitimate technical critiques of the proposals. What constitutes "low risk" processing may be harder to police than the ICO's framework implies. Terms like "attribution" are broad in practice. Real-time attribution in the industry encompasses a wide range of sensor data about user behaviour before, during, and after an ad is served and it is not clear the ICO fully appreciates the scope of what is currently done under that label. 

Privacy Management, Not Just Privacy Compliance

Perhaps the most important shift the ICO's report signals is conceptual. The old model was: deploy a CMP → present a banner → collect consent → move on.

The emerging model is quite different and potentially more complicated. Organisations now need to know: what technologies are operating on their sites, what data is collected, who receives it, what level of risk it creates, what to collect consent for, and how to document and prove the risk level.  This is an operational discipline that goes well beyond cookie banner management.

Conclusion: Turning Policy into Revenue

The overall message from the ICO's report is encouraging. The regulator explicitly recognises that the ad-supported, independent web needs to survive, and is actively looking for ways to make digital advertising work without forcing users through an endless sea of consent banners. As the ICO itself concluded: "This approach would assist the government's growth agenda and deliver a positive net value, while maintaining people's rights and freedoms."

The framework being proposed of first-party infrastructure, contextual signals, privacy-enhancing technologies  is not a radical overhaul of digital advertising. It is a pragmatic clearing of space for sustainable, lower-risk advertising to operate legally. For publishers who get their house in order, it offers a solid legal foundation and a path to monetising audiences they are currently leaving on the table.

But independent publishers cannot be expected to become privacy engineers overnight just to keep the lights on. Platforms and partners such as Content Ignite that provide enterprise-grade compliance, contextual segmentation, and header bidding management through simple integrations will become critical partners through this transition.

The legal landscape is changing in a way that finally favours high-quality content environments. With the right tech stack behind you, and a clear-eyed understanding of what your site is actually doing under the hood, your independent business won't just survive the transition, it will be better placed than the incumbents who built their entire model on surveillance advertising.

Post Script - The Policy Window Is Still Open 

Since this piece was drafted, the ICO's advice has landed with the Department of Science, Technology and Innovation (DSIT), and the government is now seeking industry feedback before the formal consultation begins. The IAB UK has been asked to coordinate responses by 12 June. That deadline is closer than it sounds.

Here's what's still in play. The first-party framework is the element most operationally challenging for independent publishers,  and is not settled as policy.  DSIT is explicitly exploring whether exemptions could extend to third-party data for brand safety, measurement, and fraud prevention. 

Two questions are driving it. Can purpose limitation actually be enforced if exemptions extend beyond a first-party framework? And can brand safety and fraud prevention be delivered for users who reject consent, without third-party signals?  These are complex issues and DSIT seemingly doesn't know the answers yet, which means publishers who can demonstrate compliant, auditable, first-party-compatible infrastructure have a real opportunity to shape the outcome in their favour.

But the regulatory direction of travel is clear. Covert tracking is out. Opaque supply chains are out. Publishers who can demonstrate that purpose limitation is being followed will find the new framework works for them. Those still relying on ad tech built for the world of personal data will find it increasingly doesn't.

The right platform partner makes that transition achievable without rebuilding from scratch. That conversation is worth having now, not after the consultation closes.

Latest Articles

Latest Articles By Content Ignite

Optimising Website Ad Performance Using Content Ignite’s Experiment Technology

Content Ignite’s advanced experiment technology now offers a powerful platform for publishers to test, refine, and perfect their ad revenue strategies

View Article

Boosting Publisher Revenue: The Role of Demand Path Optimisation (DPO) and Split Testing

As no clear path or definitive solutions have emerged, it is vital that publishers explore new areas, test new partners and experiment with new technologies to maintain their revenue streams.

View Article

DPO vs SPO - What’s the difference?

Demand Path Optimisation (DPO) and Supply Path Optimisation (SPO) are two strategies in digital advertising, specifically in the programmatic ecosystem, aimed at improving the efficiency and transparency of the ad supply chain. Both focus on optimising different parts of the ad transaction process, but from different perspectives.

View Article

Mastering Ads.txt File Optimisation with Content Ignites Insight Tool

A guide of wow to improve your Ads.txt file and 5-step overview of understanding our Ads.txt Insights tool

View Article

Google's Privacy Sandbox Delay: What's next?

Google still plans to roll out Sandbox in a gradual manner, and will provide advance notice on how this will work. It looks likely that the ramp up will begin in early 2025.

View Article

Google's Plan to Deprecate Third-Party Cookies Delayed Once Again

Google has decided to postpone the deprecation of third-party cookies beyond the initially planned date of Q4 2024. The search giant has cited regulators as the reason, with the Competition and Markets Authority (CMA) needing "sufficient time to review all evidence, including results from industry tests."

View Article

Impressed? Signup or reach out for your free healthcheck

We only need your email and domain to complete each healthcheck

SignupGet Free Healthcheck
Preferences

Privacy is important to us, so you have the option of disabling certain types of storage that may not be necessary for the basic functioning of the website. Blocking categories may impact your experience on the website. More information

Accept all cookies

These items are required to enable basic website functionality.

Always active

These items are used to deliver advertising that is more relevant to you and your interests.

These items allow the website to remember choices you make (such as your user name, language, or the region you are in) and provide enhanced, more personal features.

These items help the website operator understand how its website performs, how visitors interact with the site, and whether there may be technical issues.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.