Executive Summary
What is new: The ICO is proposing to relax its enforcement of cookie consent requirements, meaning user consent would not be required for lower-risk advertising cookies.
Why it matters: The proposals aim to address concerns about the current “one size fits all” cookie rules, which require website-user consent for all types of cookies. The proposals would mean consent would only be needed for the more privacy-intrusive practices, reducing “consent fatigue” and giving incentives for businesses to adopt less intrusive practices.
What to do next: The precise scope of any enforcement relaxation is still to be determined. Therefore, companies that rely on online advertising to generate revenue should consider making submissions on the UK guidance, as the exact scope of relaxation will determine the viability of “less intrusive” advertising models. Consultation closes on 29 August 2025.
__________
The UK Information Commissioner’s Office (ICO) has announced a series of proposed changes to its online tracking and advertising strategy that build directly on the reforms introduced by the Data (Use and Access) Act 2025 (DUA Act) in June 2025. (See our 1 July 2025 client alert “Something Is Better Than Nothing: UK and EU GDPR Reform Finally Arrives.”)
Key Proposals: Enforcement Pause, Updated Guidance and New Regulations
The ICO’s main proposal, announced on 7 July 2025, is to “relax enforcement of [cookie] consent requirements,” allowing publishers to set certain advertising cookies — such as fraud-prevention cookies that only pose “a low risk to privacy” — without user consent.
This would mean that companies would only need to obtain consent for advertising that uses more invasive practices, such as detailed behavioural targeting and profiling.
In parallel, the ICO is also:
Consulting on updates to its existing cookie guidance to reflect the DUA Act’s introduction of new exceptions for low-risk cookies used for statistical analysis and website appearance purposes.
Considering the development of secondary legislation under the DUA Act that would formally exempt low-risk advertising from consent requirements.
Addressing the Shortcomings of Blanket Consent
The ICO’s move is a direct response to long-standing concerns that the current “one size fits all” approach to cookie consent under the Privacy and Electronic Communications Regulations (PECR) (and the European Union’s similar ePrivacy Directive) is counterproductive.
At present, almost all cookies — even those with minimal privacy impact — can only be set with user consent, which has led to widespread “consent fatigue” and little incentive for businesses to adopt less intrusive technologies.
Similar concerns have also been raised in the EU, though efforts to reform the ePrivacy Directive, including through the proposed ePrivacy Regulation and the European Commission’s “cookie pledge” initiative, have been shelved.
Key Issues and Uncertainties
While the ICO’s initiative represents a welcome attempt to balance privacy protection and commercial realities, several questions remain.
Economic viability. The ICO argues that less privacy-intrusive advertising models are viable, but it remains unclear whether these less-intrusive models can generate sufficient revenue to sustain publishers and platforms.
Regulatory certainty. The proposed “relaxed enforcement” stance would be a matter of regulatory guidance rather than a formal legal exemption — and there would likely be a significant grey area on what counts as a lower-risk advertising cookie under the ICO’s regulatory guidance. The ICO has historically been an aggressive cookie enforcer, and businesses may be hesitant to rely on guidance that could be revised or reversed in the absence of clear legislative backing.
International fragmentation. The EU’s strict cookie rules are unlikely to change. Companies operating in the EU and UK would therefore be faced with divergent cookie compliance regimes, limiting the commercial incentive of taking advantage of the UK’s looser approach.
Final Thoughts
The ICO’s proposed enforcement pause for low-risk advertising cookies, coupled with the DUA Act, represents a continued shift in the UK toward looser cookie consent requirements. Companies that rely on online cookies may want to assess whether that loosening justifies changes to their UK cookie consent systems.
Companies that rely on online advertising to generate revenue may also want to consider making submissions on the UK guidance, as the exact scope of any enforcement relaxation will determine the viability of “less intrusive” advertising models.
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.
For further information, please contact:
David A. Simon, Partner, Skadden
david.simon@skadden.com
