Why 2025 is the year to refresh your marketing compliance

A version of this briefing first appeared in the Privacy Laws & Business UK Report, Issue 138 (March 2025)

The value of the UK advertising market is the largest in Europe and is growing, with digital marketing spend in the UK projected to rise from £32 billion in 2024 to £44 billion in 2028 according to research by PWC. Despite its clear commercial importance, for years digital marketing was an area of regulatory uncertainty. Long promised reforms to the e-marketing rules repeatedly stalled with the iterations of the Data Protection and Digital Information Bill in the UK, and the EU’s failure to progress the e-Privacy Regulation.

Equally, early regulatory efforts to examine ad-tech practices in the UK did not develop into concrete guidance, with a 2020 ICO consultation on a statutory direct marketing code of practice resulting in piecemeal guidance updates, but no final code. While the ICO routinely enforced some breaches of the marketing rules (as discussed in our previous article and blog), other areas, such as cookies, were not a focus. Instead, the ICO stated previously that: “[c]ookie compliance will be an increasing regulatory priority for the ICO in the future”. And that time is now. 

In this article, we outline how the legal landscape for digital marketing and cookies has moved on (especially since our previous article on the consequences of consumers paying with data) and the practical steps organisations should be taking to manage their digital marketing risks.  

Data (Use and Access) Bill updates UK e-marketing regime

In the UK, the Data (Use and Access) Bill (Data Bill) will align the maximum fines for breaches of the Privacy and Electronic Communications Regulations (PECR) in relation to electronic direct marketing and the placing of cookies and other storage and access technologies (all of which for simplicity we will refer to as “cookies”) with those under the UK General Data Protection Regulation (GDPR). They will therefore increase from the current £500,000 to the higher of £17.5 million or 4% of annual worldwide turnover. The Data Bill is currently progressing through Parliament and is expected to receive Royal Assent by the summer. 

However, the Data Bill also includes some more positive changes for marketing that may mitigate some existing areas of risk and uncertainty as set out below (for further discussion of the Data Bill, see our blog).

EU e-Privacy reform stalled

In contrast to the UK position, new regulation on digital marketing remains stalled in Europe, with the long-promised e-Privacy Regulation formally having been withdrawn in February this year, although there is speculation that a Digital Advertising Act may ultimately be tabled in its place.

ICO focus on cookie compliance

Having succeeded in driving changes to the top 100 UK websites’ cookie banners through ‘call to action’ letters and follow-up engagement through 2024, the ICO announced in January its extension to the UK’s top 1000 websites (see our blogs for details of the initial audit and its outcome). It also announced its new online tracking strategy (Online Strategy) which outlines how the ICO wants to ensure individuals have meaningful choice over how they are tracked online, with online advertising being a key focus for the regulator in 2025. Notably, the ICO’s accompanying statement states that it plans to affect changes through “advice, guidance and targeted enforcement”, with the Online Strategy outlining the concrete steps the ICO will take in each area. Additionally, the ICO has also confirmed it is investigating data management platforms for non-compliance, following its audit of those players last year.

Cookie guidance crystallising

Regulatory focus on cookies, as well as broader changes in the tech-landscape, such as the introduction of Apple’s App Tracking Transparency and Google’s (now rescinded) promise to deprecate third-party cookies in Chrome, has led many organisations to seek alternatives. So called “cookie-less” solutions are often being touted as ‘privacy compliant’, yet in many cases privacy teams have been struggling to conclude that such solutions address the challenge of requiring consent.

To address uncertainty and intervene in this market-shift, in December the ICO published a draft updated version of its cookies guidance (Cookies Guidance), renamed to refer to “storage and access technologies” rather than cookies to emphasise its broad application to all tracking technologies (which we first discussed in our blog). The Cookies Guidance clarifies the application of the PECR rules to non-cookie technologies (including fingerprinting, scripts, tags and link decoration), as well as offering new guidance, as summarised in the box below.

In the EU, the European Data Protection Board’s (EDPB’s) report on cookie banners, released at the beginning of 2023, outlined the DPAs’ shared understanding and interpretation of the issues, including around accept/reject-all buttons and cookie banner design. The EDPB has since issued finalised guidelines on the scope of Article 5(3) of the e-Privacy Directive which also confirmed that “storage and access technologies” capture emerging tracking technologies.

EU/UK exports cookie banners to US

Despite lacking specific laws on cookies, the US has seen a rise in class actions alleging that the collection of data via cookies, and the subsequent sale of such collected personal data, is unlawful, including under wiretapping laws. For example, Oracle agreed to settle such an action in July 2024 for $115 million and has subsequently stopped supporting its ad tech products. These actions have led to an increase in the use of cookie banners in the US as a risk mitigation technique.

EU regulators go big on fines

EU regulators are actively focusing on digital marketing, but unlike the ICO they have issued significant fines against infringers. For example, in October 2024 the Irish DPA issued a €310 million fine against LinkedIn in connection with targeted advertising (currently under appeal) and the French DPA issued a €50 million fine against Orange in December 2024 for displaying adverts in emails without valid consent.

We are also seeing EU DPAs seeking to drive cookie compliance more broadly. For example, at the end of last year the French DPA issued a suite of orders calling out misleading and non-compliant cookie banners by a number of publishers and the Dutch DPA launched a new public awareness initiative to inform individuals about cookies and encourage organisation to comply with the rules. While approaches across the bloc undoubtedly still vary, organisations should be on notice that approaches to cookie enforcement in the EU are coalescing.

ICO decides consent or pay may be ok

Most recently, the ICO has published new guidance on ‘consent or pay’ models (COP Guidance) (discussed in more detail in our blog). It provides that consent or pay models can be compliant with data protection laws if organisations can demonstrate that a user has freely consented to personal advertising taking into account the ICO’s detailed guidance around:

• whether there is a power imbalance between the organisation and the individual;
• whether the fee is appropriate;
• whether the organisation is offering an equivalent product or service under the two options; and
• whether the organisation has complied with its privacy by design obligations, such as in relation to the design of consent banners.

The ICO reaffirmed that contextual advertising may be a suitable alternative to personalised advertising and could be presented as an additional choice to users, such as where there is a power imbalance. The COP Guidance has been welcomed by industry as leaving the door open to consent or pay models, although some uncertainty remains, such as around what an appropriate fee will look like in practice.

The ICO’s guidance follows on from that issued by the EDPB in the context of large online platforms in April last year. This found that such platforms will likely be unable to obtain freely given consent if payment is the only other option. Subsequently, Meta challenged the legality of this opinion (and all EDPB opinions) and the outcome of this is awaited. Nevertheless, the EDPB is preparing guidance on consent or pay models with broader application (beyond those operated by large online platforms) which is expected to be published later this year. 

Overlap in the web of digital regulation

Of course, digital marketing is also subject to other laws and codes of practice, so it is important to avoid taking a siloed approach when considering e-marketing compliance, and consider for instance:

Competition laws: The CMA has indicated that competition investigations in relation to online advertising will be an area of focus for 2025 and 2026 and it was of course the European Commission that made the preliminary finding that Meta’s previous consent or pay model did not comply with the EU Digital Markets Act.

Consumer protection laws: In the UK, the Digital Markets, Competition and Consumers Act 2024 (DMCC Act) is modernising consumer protection laws to reflect the online world as discussed in our previous article. Whilst in the EU, the new European Commission is gearing up for its upcoming 2025-2030 Consumer Agenda and the Consumer Protection Cooperation Network (coordinated by the European Commission), is already investigating several pan-European complaints and pro-actively conducting “compliance sweeps”.

Advertising standards: In the UK, the Advertising Standards Authority is responsible for enforcing the advertising codes that are written by the Committee of Advertising Practice and the Broadcasting Committee of Advertising Practice. These codes therefore need to be borne in mind, particularly as they not only cover content, but also for instance the volume of marketing, with the version currently under consultation stating that “Marketers must not make persistent and unwanted marketing communications by any means [emphasis added]” rather than “by telephone, fax, mail, e-mail or other remote media”. Meanwhile, in the EU, the European Commission is holding workshops on the potential benefits and implications of voluntary codes of conduct for online advertising, to contribute to transparency in the online advertising value chain, building on the existing binding provisions on advertising in the EU Digital Services Act.

Practical steps

All these developments result in a more certain position than ever before as to the legal position and regulators’ expectations, and so help organisations to better ensure compliance. Organisations should now therefore review their approach to digital marketing against this by taking a variety of possible practical steps as set out below.

Conclusion

Against this backdrop of fast-paced developments, crystalising risk and more concrete guidance, marketing compliance should be a priority area for organisations to revisit in 2025. Failure to do so could result in enforcement action or, perhaps just as significantly, missing commercial opportunities presented by the new era.