UK Information Commissioner's Office publishes and debunks 9 popular myths about "cookies and similar technologies"

Myth 1: The rules only apply to personal data
The rules cover any information stored or accessed on a device, not just personal data.

Myth 2: The ICO has changed what ‘strictly necessary’ means
‘Strictly necessary’ still means only what is essential to provide the service the user requests, not what is just useful for the business.

Myth 3: ‘Strictly necessary’ should be judged from the service’s perspective
What is ‘strictly necessary’ is decided from the user’s point of view, not the service provider’s.

Myth 4: The ICO is too focused on online advertising
Online advertising is a major area for tracking, but the ICO’s focus is on protecting people’s privacy and giving them control.

Myth 5: The ICO hasn’t completed an impact assessment
The ICO has done an impact assessment and will publish the final version after consultation feedback. (initial version is here: https://lnkd.in/ecW9yehv)

Myth 6: We can rely on legitimate interests for non-exempt purposes
If consent is required under the law, you cannot use legitimate interests as a reason instead. Legitimate interests may be appropriate in cases where PECR doesn’t require you to get someone’s consent. But you must still go through the three-part test.

Myth 7: We can use legitimate interests to process data we obtained on the basis of consent
You cannot switch from consent to legitimate interests for processing data collected with consent.

Myth 8: PECR is only about cookies and the ICO is expanding the definition
The rules apply to all technologies that store or access information on devices, not just cookies.

Myth 9: The ICO wants online services to stop using storage and access technologies for advertising
The ICO wants these technologies used in a way that is fair, transparent, and gives people real choice and control.
Pic by ChatGPT https://lnkd.in/eYKtDKkb
ICO debunks 9 myths about cookies and similar technologies
More Relevant Posts
-
Great to see the ICO addressing these myths so directly. Rules around cookies and similar technologies can be complex, especially when it comes to concepts like strictly necessary and the limits of legitimate interest. At iubenda, we support thousands of businesses in navigating these requirements and turning them into clear, compliant user experiences. Guidance like this helps everyone move toward greater transparency and accountability. Tools like our Cookie Scanner make it easier to identify and manage the technologies in use on a site: https://lnkd.in/etxGF63H
CDPO, CIPP/E/US, CIPM, FIP, GDPRP, PLS, Partner, Chair of Data Privacy Compliance and International Privacy at Fox Rothschild LLP
-
The ICO has yet MORE draft guidance, this time on the UK's upcoming changes to the law on cookies (etc). At the same time, it's running a "call for views" about whether it should enforce that law in certain contexts. The updated cookies guidance includes a new chapter on the consent exceptions provided by the Data Use and Access Act (DUAA). We also get new material reflecting the ICO's view that a "Reject" option should be accessible on the first layer of your cookie banner. There's also guidance on cookie walls and freely-given consent that, in my view, does not sit easily with the ICO's position vis-a-vis "consent or pay". — Separately to this guidance, the ICO put out a call for views in July about its approach to online advertising regulation in general. The document suggests that the regulator might not enforce the law against companies that undertake (without consent) certain activities that require consent under PECR, like frequency-capping, fraud detection, and some forms of targeting. (Side note: Awkward sentences like the above are how you know I don't rely on AI to write LinkedIn posts) — Putting aside the fact that, as far as I know, the ICO has never enforced the law in these contexts, it feels a bit odd to be running these two processes in tandem. Parliament has just passed changes to the rules on cookies, and it chose not to extend exceptions to the sorts of technologies covered in the ICO’s call for views. The government does have powers to pass secondary legislation on PECR consent, and the ICO's call for views might inform such legislation. Making some benign amendments via primary law and then passing more substantial reforms via regulation LATER could be a rather clever way for the government to kick the adequacy can down the road.
-
Building on or advertising through large platforms in the EU? The DMA sets expectations for access to data, ranking, default settings, and cross-service interoperability. 📊 We outline who’s in scope, compliance obligations, and how enforcement is playing out. Read more: https://hubs.ly/Q03HrT9k0
-
Cookie banners may be the clearest example of policy that, while well-intentioned and meant to protect privacy, has instead wound up creating problems for everyone involved in the data collection equation.

🙋🏻‍♂️ Consumers: Let’s be real - most still don’t understand what cookies actually do. Out of frustration, they continue to just click “accept all,” handing over far more personal information than they realize (I observe my own spouse doing this every day 😑).

⚖️ Regulators: Many appear to lack a technical grasp of cookies themselves yet continue to double down on requirements and pat themselves on the back for conducting “cookie sweeps” that rarely lead to real consequences.

🏢 Companies: Some try to stretch the definition of “essential” to justify excessive tracking, create dark patterns to confuse consumers leading to an accept all result, or implement unlawful “legitimate interest” toggles as a CYA.

🙅🏻‍♂️ Legacy CMPs: Most continue to rely on static audits and manual categorization, expecting already overextended teams to ensure their own compliance.

💼 Industry: Even with IAB Europe’s Transparency & Consent Framework (TCF) in place, there is still no consensus on a truly standardized, practical approach to cookies that balances business needs with consumer protection.

Waiting with bated breath to see what the European Commission’s promised “simplification” on #cookies actually looks like 🤔
-
#Cookie banners and #LegitimateInterest? There is an initiative in the European Commission to ease the usage of cookies (drop some requirements for consent). That is one of the goals of the business: easier collection of #personaldata for their marketing purposes. There are considerations that cookies could be used on the basis of a legitimate interest. And this is not new: currently there are a bunch of websites where users are flooded with the list of cookies for marketing and they have to spend quite some time unclicking them one by one. #EDPB checked the ‘cookie practices’ a few years ago and came to the conclusion that legitimate interest is not suitable for such processing. It is very interesting to see to what extent the question of ‘cookie practices’ will be opened and what results (hopefully, in fair balance) it will bring us. See EDPB report on cookies: https://lnkd.in/eayjFCdu See article on European Commission’s initiative: https://lnkd.in/em3Y_J-t #DGPR #ePrivacyDirective
-
Really proud to be pushing a new approach for DSA Data Access - a "mass data access" request for highly viewed content - with fantastic collaborators Claire Pershan, LK Seiling & Louis Barclay. We are making a request to 6 big tech platforms to provide regular delivery of their most viewed content — specifically, top 1,000 most viewed posts, per platform, per EU member state, for an initial six-month period. 20 civil society and research organisations have signed on to this request, which means we would all get our own regular copy of this data to conduct a variety of important monitoring and accountability work. I'm excited - I genuinely believe this is an exciting step forward in exploring what DSA Data Access can do. The request is now with the platforms, so let's see what happens. More on the request here: https://lnkd.in/eHUAYXSS More on the anniversary of the DSA below, or for those who prefer some video content I delivered a happy birthday Instagram video: https://lnkd.in/e-yZaK6h
The EU’s Digital Services Act is 3 years old on Oct 4 🎂. This law should give EU citizens more knowledge and power over how online services treat our content, and protections against their risks. But how’s it going…? In this post, Dr. Oliver Marsh unpacks this question, and also our birthday present 🎁 to the DSA: A “mass data access request” for viral content with DSA 40 Data Access Collaboratory and Mozilla Foundation. Read to find out more! 👉 https://lnkd.in/ef5-t7gm
-
Europe’s cookie law is on the chopping block — and the stakes couldn’t be higher. Back in 2009, Brussels introduced the infamous rule that forced websites to plaster users with cookie consent banners. The goal? Protect privacy. The result? Banner fatigue. Today, most of us click “accept” without even reading. As one data lawyer put it: “Too much consent kills consent.” Now, the European Commission wants to simplify. Officials are considering ways to scrap redundant consent banners, let people set cookie preferences once in their browser, and even fold rules into the GDPR’s more flexible, risk-based framework. 🔴 But here’s the tension: 👉 Industry argues simplification is vital for innovation and competitiveness. 👉 Privacy advocates warn that loosening the rules risks giving adtech more room to track and profile users. This fight sets the stage for a broader showdown next year with the EU’s upcoming Digital Fairness Act, aimed at tackling manipulative design and unfair personalization in online ads. ❓The big question: Will Brussels strike the right balance between privacy rights and digital competitiveness, or are we just rearranging the deck chairs on the Titanic of surveillance advertising? 💬 What do you think — should cookie consent rules be simplified, or will that weaken privacy protections in Europe’s digital economy? https://lnkd.in/dNSHQmXM? Platform: POLITICO Author: Ellen O'Regan #Privacy #DigitalEconomy #TechPolicy #AdTech #DataProtection #GDPR #Innovation #DigitalFairnessAct #Advertising #Technology #Technews #Europe ➡️ If you’re interested in the future of #techregulation, #privacy, and #digitalmarkets, follow me here on LinkedIn for more insights.
-
ICO Debunks Myths on Storage and Access Technologies

📅 Date: 11 September 2025
📍 Source: Information Commissioner’s Office (ICO), UK
🛡 Subject: Data Protection

Key Highlights:

🔧 Case Overview: The ICO has clarified common misunderstandings around the rules governing storage and access technologies (cookies, tracking pixels, device fingerprinting). This forms part of its broader Online Tracking Strategy and updated guidance consultation to strengthen user control and support responsible innovation.

🔍 Findings: The ICO stressed that:
- PECR rules apply to all information, not just personal data.
- The definition of “strictly necessary” remains unchanged since 2003 – it must be essential from the user’s perspective, not the service provider’s.
- Legitimate interests cannot replace consent where PECR requires it.
- Rules are not limited to cookies but extend to all storage and access technologies.
- The ICO has conducted an impact assessment to ensure its approach is proportionate and evidence-based.

💼 Regulatory Implications: The ICO is reinforcing compliance expectations in adtech and beyond. Organisations cannot dilute user rights through reinterpretations of “strictly necessary” or reliance on legitimate interests. Consent remains central where PECR applies.

📌 Strategic Insight: For businesses, this is a reminder that compliance with PECR goes beyond cookies—it encompasses all technologies that access user devices. Aligning innovation with transparency, fairness, and accountability is not just regulatory compliance, but also a trust-building strategy.

Link: https://lnkd.in/gxZzEjdJ

🔔 Follow RegLex for updates on data protection enforcement, adtech regulation, and evolving interpretations of privacy laws in the UK and beyond.

#ICO #PECR #GDPR #DataProtection #Adtech #PrivacyCompliance #OnlineTracking #UserConsent #DigitalRegulation #RegLexUpdates #ResponsibleInnovation #UKPrivacy
-
Big compliance wave in the digital space today: Ontario's Privacy Upgrade, as outlined in Bill 194, now mandates the completion of written Privacy Impact Assessments (PIAs) for public bodies when collecting or modifying the use of personal data. If your SME shares data with public institutions (health, education, municipal systems), your data practices and vendor contracts will be under more scrutiny. Bill C-59's Green Advertising Rules in Force - environmental or "sustainability" claims in digital ads now require provable evidence. Private parties can challenge misleading claims, and penalties can reach $10 million or 3% of a company's global revenue. Canada is watching platform tech more closely - the Digital Regulators Forum is preparing oversight on algorithms, synthetic media, and platform accountability. Pro: Forces better quality, more trustworthy marketing. Con: Raises documentation burden for small advertisers and brands. At Webhoster.ca, we build marketing and eCommerce tools that are legally conscious by design. When rules shift, your digital presence stays credible, compliant, and worry-free.
-
Data Privacy Alert: Motion to Dismiss Denied in Deivaprakash v. Condé Nast Digital, Case No. 25-cv-04021-RFL. The U.S. District Court for the Northern District of California denied Condé Nast’s attempt to dismiss a claim for a violation of the California Invasion of Privacy Act (“CIPA”). Plaintiff alleged: 1. Visiting newyorker.com and wired.com installed 3 trackers on his browser; 2. Those trackers collected his IP, embedded cookies, and enabled profiling of his geolocation, income, and preferences; and 3. Data was sold to advertisers without consent and absent court approval. The Court said that the CIPA’s pen register prohibition applies, rejecting Condé’s arguments that: (1) Browsers transmitted data voluntarily; (2) Trackers collected “too much” information; and (3) Plaintiff consented to sharing. Takeaway: Courts are showing less tolerance for “surreptitious” tracking and data monetization. Digital publishers face rising litigation risk if user consent isn’t clear and specific and there is no prior court approval for online tracking. The Condé decision signals a potential shift toward judicial pushback on 3rd party online tracking practices, at least under California law.