The Information Commissioner’s Office (“ICO”) has announced its strategy for online tracking in the year ahead, focusing on ensuring that users have ‘meaningful control’ over how they are tracked online, particular in the context of online advertising.

The strategy builds on work that the ICO has already conducted in this area in the past year, including its consultation on guidance about storage and access technologies (which we discussed here), a call for views on how data protection law should apply to ‘consent or pay’ business models (discussed here), and an assessment of the data protection compliance of the top 200 UK websites.

According to the ICO, “giving users meaningful control is especially important in online advertising as these products and services typically rely on the tracking of a wide range of people’s activity online”. However, it describes a fear of a ‘first mover disadvantage’ as having emerged within organisations, in which they are aware of their obligations under UK data protection law, but are slow to make changes in case it will lead to a competitive disadvantage in the marketplace. For example, the ICO points to the lack of incentives “to innovate and invest in more privacy-respectful approaches, such as contextual advertising”.

The ICO identifies four key areas where “people are not being given the control they are entitled to under data protection law”. First, it points to “deceptive or absent choice” whereby users are either not presented with an option to opt out of non-essential data processing, or cookies are set regardless of users’ wishes. Second, the ICO highlights that organisations present users with insufficient information about the purposes for which they are agreeing to share their information, leading to what it describes as ‘uninformed choice’. Third, even if organisations provide sufficient detail about how information will be processed, the ICO points to the problem of ‘undermined choice’, as organisations fail to process information in line with their stated purposes. Finally, the ICO talks of ‘irrevocable choice’: it describes people reporting “feeling powerless in controlling their data online after having initially agreed to share it” and having no meaningful way to change their mind.

To address these problems, the ICO has set out seven specific measures it intends to take in the next year:

1. Making it easier for publishers to adopt more privacy-friendly forms of online advertising

The ICO states that it wants to encourage publishers to “deploy more privacy-preserving advertising that does not involve extensive profiling of people based on their online activity, habits and behaviour”. It says that it will publish a statement outlining low-risk processing activities which are unlikely to cause damage or result in enforcement action in the hope that it will address the problem it identifies of requirements within the Privacy and Electronic Communications Regulations 2003 (“PECR”) to obtain consent for non-essential storage and access technologies preventing an industry-wide shift towards more privacy-friendly forms of online advertising, such as contextual models. It also commits itself to working with the Government to explore if the relevant legislation could be amended.

2. Ensuring that publishers give people meaningful control over how they are tracked on websites

The ICO will expand its work of assessing how well the most popular websites in the UK ensure that people have meaningful control over how they are tracked for personal advertising. Last year, the top 200 websites were assessed. This year, that will expand to the top 1,000. The ICO also says that it will reinforce its work with “automated monitoring of website compliance, ensuring that people and businesses can have confidence that there is a level playing field”.

3. Ensuring that people have meaningful control over tracing for personalised advertising on apps and connected TVs

The ICO commits itself to consulting on guidance on data protection for Internet of Things devices and ensuring that “non-compliant online tracking does not continue unfettered on apps and internet-connected TVs”.

4. Confirming how publishers can deploy ‘consent or pay’ models in line with data protection law, supporting their economic viability

According to the strategy, any publisher that adopts a ‘consent or pay’ model “must be able to show that people can freely give their consent to personalised advertising”, and the ICO will engage with publishers to ensure that people’s information rights are upheld, taking action where necessary if models are introduced in ways that inhibit meaningful control.

5. Providing industry with clarity on the requirements of data protection law, leaving no excuse for non-compliance

In the year ahead, the ICO states that it will publish final guidance on storage and access technologies, continue to support businesses through its ‘Regulatory Sandbox’ and ‘Innovation Advice’ services, and work with the online advertising industry to develop a certification scheme for organisations to demonstrate that they are processing personal information lawfully.

6. Investigating compliance failures in the wider adtech ecosystem

The ICO states that it will investigate potential non-compliance in the data management platforms that connect online advertisers and publishers, in addition to examining whether further action should be taken to empower people to withdraw their consent easily from all organisations with which their personal information has been shared.

7. Supporting the public to take control of how they are tracked

Finally, the ICO will publish guidance for the public on “how they can understand and control the use of their information online, and raise awareness of their rights”.

To read more, click here