Cookies and similar tracking technologies have been a recent focus area for regulators and legislators. Deloitte Legal’s Data Protection & Cybersecurity team have been closely monitoring these developments to advise our clients on how to stay on the right track for compliance. Here’s our round-up of key UK and EU tracking news from 2024 and beyond, including the UK Data Use and Access Bill, new EDPB Guidelines on trackers, recent regulatory enforcement action and guidance from the UK ICO, and our view on emerging trends and business impacts in this space.
News and enforcement round-up
1. Proposed UK Data Use and Access Bill (“Data Bill”)
The UK Government’s new Data Bill proposes reforms to various aspects of the legal framework related to data protection and to the electronic communications rules contained in the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), including:
"Instigator" Liability
The Data Bill will bring into its sights those who "instigate" tracker use (in addition to those who set trackers or access tracker data on users’ devices), potentially allowing the ICO to take enforcement action against website publishers. (This seeks to align online marketing compliance with current UK direct marketing rules applicable to telephone, email and SMS marketing, under which those who instigate others to send marketing on their behalf (i.e. specialist subcontractors and viral marketers) can face liability.)
Analytics Exemption
Cookie consent may not be needed for data analytics where it is used solely to improve your website, optimise content, or reflect user preferences, provided that clear information is given and an opt-out is available.
Security and Essential Function Exemption
Consent is not required for cookies that are strictly necessary for security, fraud prevention, technical functions, authentication, or for tracking user selections within a service.
Stronger ICO Enforcement
Liability for most cookie and electronic marketing-related breaches will be increased from its current limit of £500,000 to fall under the UK GDPR's higher penalty cap of £17.5 million or 4% of global turnover in the preceding financial year.
2. European Data Protection Board (EDPB) Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive
Tracking technology has also been in focus at an EU level. On 4 October 2024, the EDPB released guidelines to address the applicability of the tracking rules under the ePrivacy Directive to different technical solutions. These guidelines clarify the key concepts of ‘information’, ‘terminal equipment of a subscriber or user’, ‘gaining access’ and ‘storage of information and stored information’, and examine specific use cases, including tracking links and email pixels.
The EDPB explains that these:
“can be distributed through a wide variety of channels, for example through emails, websites, or even, in the case of tracking links, through any kind of text messaging systems [and] that distribution to the user’s terminal equipment does constitute storage, at the very least through the caching mechanism of the client-side software… The addition of tracking information to URLs or images (pixels) sent to the user constitutes an instruction to the terminal equipment to send back the targeted information (the specified identifier). In the case of dynamically constructed tracking pixels, it is the distribution of the applicative logic (usually a JavaScript code) that constitutes the instruction”.
Therefore, even if information touches the client-side cache very briefly or identifiers are provided through the above tracking mechanisms, they will be caught by the same rules, and the same consent and transparency information as for cookies is required (unless an exemption applies).
Some will view this unfavourably, as closing a “loophole”. However, as the ePrivacy Directive (PECR in the UK) regulates storage of and access to information on users’ devices (without mentioning cookies by name), this is arguably a logical interpretation of the requirements. This is consistent with the UK ICO’s approach, which confirms that other trackers such as pixels and device fingerprinting are subject to the same rules as cookies under the Privacy and Electronic Communications Regulations (PECR). We are expecting the ICO’s guidance in this area to be expanded in the coming months.
3. Recent UK PECR regulatory enforcement action
Date | Sector | Infringement | Enforcement action taken |
September 2024 | Gaming | Processing people’s personal information and sharing it with ad tech companies for ad targeting without consent (before they had the option to accept or reject advertising cookies) and in a way that was not lawful, transparent or fair. | Reprimand by ICO |
2023 – 2024 (ongoing) | Ad tech / Marketing | Wide-scale ICO investigation of the ad tech industry, including audits of various data management platforms (DMPs) to understand personal data use. Ongoing investigation of some DMPs for potential non-compliance with data protection law. | Audits by ICO, with further action TBC. |
2023 – 2024 (ongoing) | Various | ICO review of UK’s top 100 websites, with +50% of these using advertising cookies non-compliantly. Further website reviews are to follow, with the ICO announcing that it is developing an AI solution to help identify websites using non-compliant cookie banners. | Warnings issued by ICO that these websites would face enforcement action if they did not bring their use of advertising cookies into compliance with data protection law. Only one website did not engage with the ICO and improve compliance, and it will be investigated for its use of cookies. |
4. Regulatory guidance and other initiatives
Date | Sector | Guidance / initiative |
Late 2024 | All | Updated guidance expected on the use of cookies and similar tracking technologies. |
March 2024 | All (but tech and media most impacted) | ICO launched call for views on regulatory approach to “consent or pay” model. |
Key trends and business impacts
Here are our insights on the key trends we’re seeing and what businesses need to think about when using ad trackers:
User choice
Trend
There is a strong regulatory trend towards promoting user choice about advertising trackers, which is set to continue. Expect “consent or pay” models to be in the spotlight.
Impact
Consent mechanisms must be designed to offer genuine user choice and control, and “consent or pay” models must strike a careful balance to ensure consent to processing of personal data for personalised advertising has been freely given, is fully informed, and can be withdrawn without detriment.
More tracking guidance
Trend
UK law and ICO guidance have been clear for some time that tracking technologies such as pixels and device fingerprinting can be subject to the same rules as cookies.
Impact
We are likely to see more specific and nuanced regulatory guidance on use of different types of trackers and their associated transparency information and consent management platforms.
Consent management platform (CMP) updates
Trend
The ICO has historically taken a pragmatic stance of not taking enforcement action against websites that set non-intrusive first-party analytics cookies without consent. This looks set to be baked into regulation, with the proposed Data Bill lessening consent requirements for less intrusive cookie types.
Impact
Organisations may need to consider updates to CMPs to move to an opt-out rather than an opt-in model for less intrusive cookie types, and to realign with broader definitions of “strictly necessary” cookies.
Realignment of contractual liability
Trend
“Instigators” of website cookies may be liable under the proposed Data Bill.
Impact
Contracts between key ad tech players may require updating to take into account increased liability for “instigators” of website cookie use.
More challenging multi-country tech implementations and policy unification
Trend
UK regulatory requirements for the use of cookies and other trackers look set to diverge from those in the EU/specific EU member states.
Impact
This may add complexity for global organisations wanting to take a consistent approach to tech implementation and cookie/tracker policy across various markets.
Enforcement / risk tolerance shift
Trend
The UK has to date been a “low-enforcement” jurisdiction where isolated infringements of tracking rules are concerned, and has preferred to engage with non-compliant websites to improve compliance rather than issuing fines.
Impact
With significantly higher fines set to be added to the ICO’s enforcement armoury, organisations that may have until now taken a risk-based approach to cookie/tracker compliance are advised to revisit this.
Considering alternatives to trackers
Trend
With some browsers and devices moving towards blocking third-party cookies by default, and regulators signalling a more restrictive approach to the use of other types of trackers, organisations may look to explore alternative solutions for targeted marketing. These might include driving more direct user interactions to collect first-party data, contextual advertising and cohort advertising.
Impact
Each solution comes with specific limitations related to scalability, privacy, impact, granularity of insight and other factors. Therefore, organisations will need to take an innovative strategic approach to ensure that they can connect with audiences in an effective and compliant way.
Your contacts
Deloitte Legal’s Data Protection & Cybersecurity team has proven capabilities in supporting organisations with legal advisory services and creative compliance solutions for marketing initiatives, including (non-technical) website cookie and tracker reviews.
For further information about how we can help your business, please contact:
Cavan Fabris, +44 0(20) 7007 4952
Kathryn Eyres, +44 20 7007 2280