Online advertising is undergoing some major changes, including Google’s planned phase-out of third-party cookies. The UK’s Information Commissioner’s Office (ICO) has published an opinion outlining its “privacy expectations” in respect of the new adtech ecosystem.


The opinion, which stands at 48 pages and was published on 25 Nov 2021, provides details about the adtech developments from the ICO’s perspective, highlights several “data protection concerns,” and sets out the Commissioner’s “expectations” regarding the changes.

This article will look at the ICO’s position on adtech, how it characterises upcoming adtech industry changes, and what it recommends in respect of these changes.

The ICO’s History with Adtech

The ICO is currently in court over its alleged inaction on what it describes as “unlawful” activity in the adtech industry.

The case was brought to the Upper Tribunal by Open Rights Group director Jim Killock and academic Michael Veale. The complainants allege that the ICO closed their complaint about illegal activity in the adtech industry prematurely despite having found numerous GDPR violations.

This complaint, originally submitted in September 2018, focused on “real-time bidding” (RTB), which Killock and Veale alleged was leading to millions of people in the UK having their personal data shared without consent.

The ICO published a report on adtech on 20 June 2019, finding that the RTB process was “taking place unlawfully,” but also stating that the ICO would “move carefully” on the issue due to “economic vulnerability of many smaller UK publishers” that are involved in RTB.

In a blog post accompanying the report, the ICO said:

“We recognise the importance of advertising to participants in this commercially sensitive ecosystem, and have purposely adopted a measured and iterative approach to our review of the industry as a whole so that we can observe the market’s reaction and adapt our thinking.”

How Does the ICO Describe the Adtech Developments?

In its latest opinion, the ICO identifies several key developments that are taking place in the adtech industry:

  • The phasing out of third-party cookies
  • “Increases in transparency of online tracking” (such as Apple’s App Tracking Transparency framework
  • Mechanisms to “enable individuals to indicate their privacy preferences in simple and effective ways”
  • Browser-level tracking prevention tools

However, most of the ICO’s opinion is focused on Google’s “Privacy Sandbox.”

What Does the ICO Say About Google’s Privacy Sandbox?

The ICO identifies Google’s Privacy Sandbox project as a key adtech development, stating that Google is seeking to “ensure” that some of the functions of third-party cookies “can continue in a more privacy-friendly manner” following their phase-out.

The opinion identifies three main objectives of the Privacy Sandbox:

  • Replacing functionality served by cross-site tracking
  • “Turning down” third-party cookies
  • Mitigating ways that actors might work around the new measures

The ICO says that the phasing out of third-party cookies is a “welcome development” but that the new technologies must be “designed with data protection by design and default considerations from the beginning.” Note that the Privacy Sandbox Project began in August 2019.

The opinion states that one of Google’s Privacy Sandbox proposals, Federated Learning of Cohorts (FLoC), could “offer privacy benefits if engineered correctly” but acknowledges some criticisms suggesting FloC could “introduce new or different tracking vectors.”

As such, the Commissioner reiterates existing rules under the Privacy and Electronic Communications Regulations (PECRs) and states that the developments must not lead to increased fingerprinting or additional “privacy threat vectors.”

What Are the ICO’s Recommendations for the AdTech Industry?

The ICO makes several broad recommendations to adtech developers that can be summarised as:

  • Demonstrate and explain design choices
  • Be clear about the benefits
  • Protect users and give them meaningful control
  • Act according to the principles of necessity and proportionality
  • Ensure that organisations using the technology can:
  1. Identify a legal basis
  2. Conduct a DPIA
  3. Facilitate data subject rights
  4. Identify a separate and appropriate legal basis for processing special category data
  5. Identify and mitigate the risks associated with putting individuals into groups

What Will Happen If the Adtech Developers Fall Short of These Recommendations?

These recommendations reiterate existing legal obligations. If Google and others fail to implement them, they could be violating the law.

Whether such violations would lead to enforcement action is another matter. The ICO’s lack of enforcement action over previous violations suggests that it may continue to take a “cautious approach.”

Remember that the UK will soon have a new Information Commissioner, John Edwards. The country’s data protection framework will likely soon be reformed following the government’s consultation, “Data: A New Direction.”

Whether Google and other adtech actors will follow the ICO’s recommendations—and whether they will face enforcement action if they fail to do so—remains to be seen.

Digital Advertising at PrivSec Global

Digital advertising is a theme at PrivSec Global, a two-day live-stream event taking place on Nov 30-Dec 1.

If you’re interested in the data protection implications of the upcoming changes to online ads, be sure to register for our session: Death of Third Party Cookies: Why and How Digital Advertising will Thrive without Them

View the full agenda and register for the event