ICO Recommends Exceptions To Cookie Consent Requirements

Are we about to see more leeway for online advertising and fewer cookie banners in the U.K.? The U.K. ICO has recommended the government introduce new exceptions to consent requirements for storage and access technologies (SATs) for online advertising purposes with a view to creating opportunities for online service providers and adtech intermediaries.

On May 18, 2026, the ICO published its advice to government on amending Regulation 6 of the Privacy Electronic Communications Regulations (PECR) to introduce new exceptions to the requirement to obtain user consent to SATs including cookies, scripts and tags for certain lower-risk online advertising activities.

What are the ICO's recommendations?

Behavioral advertising

The ICO's view is that both storage and access of information, and subsequent processing for behavioral advertising should continue to require consent under Regulation 6. Even if a future exception were to permit storage and access for behavioral advertising to take place without consent under PECR, those processing activities involving personal data would likely require consent under the U.K. GDPR anyway.

Special category data

Using any special category data in online advertising requires explicit consent under Article 9 U.K. GDPR. No other condition is available. The ICO's preferred approach excludes special category data from consent-free options, seeking to guard against any processing (direct or inferred) for targeting and profiling purposes.

Children's data

The ICO considers processing children's information on the basis of legitimate interests for online advertising purposes is likely to be difficult, and only possible where the processing is very unintrusive and low risk, requiring a more finely balanced assessment than for adults. If an online service is likely to be accessed by a child, the organization should comply with the Children's Code.

Ad delivery

The ICO says information used and shared must be limited to what is necessary for ad delivery and used only for those purposes. Information shared with the publisher ad server and third-party advertiser ad server can only be used to assist the publisher.

Frequency capping

Frequency capping within the context of the user's interaction with the service provider could be permitted without consent, but the ICO's recommendation is that this should only be allowed provided that the information stored or accessed is solely used for limiting ad exposure on that service and limited only to what is necessary to achieve that purpose.

Cross-site frequency capping may be permitted only if enabled by privacy-enhancing technologies (PETs) to avoid users being identified and linked across sites.

Ad fraud prevention and detection

The service provider, or the publisher ad server on their behalf, should use device information (such as IP address and user agent string) to conduct pre-bid filtering for invalid traffic, and should not share that information with third parties including buyers. Instead, the service provider could reassure buyers that their user is human by passing on a signal that confirms the visitor is a valid user, for example by using a secure method like the Private State Token API.

The service provider, or a trusted third party on their behalf, should conduct only limited post-bid analysis to verify that visitors were human, which could include collecting statistical information for basic behavioral analytics such as information on which page users are visiting, scroll depth, and exit pages.

Brand safety

The first-party website, or a trusted third party on their behalf, should conduct page scanning for brand safety purposes, and convey information about the content of their page to buyers via an abstracted signal rather than sharing raw URL or content category data openly in the bid request.

Targeting

The ICO recommends that using storage and access technologies for targeting could be permitted without consent when limited to: device and platform information abstracted to high-level categories (device, OS, browser but not browser version); geolocation data abstracted to the city or region level; temporal information (date and time of day); and contextual information mapped to a broad taxonomy such as 'sports' or 'cycling'.

Billing and measurement

Billing and measurement could be permitted without consent when limited to the service provider counting impressions, clicks and views for billing and measurement purposes, and sharing this with the advertiser, provided the information is aggregated, non-identifiable and only stored for as long as it is needed. This information can be collected or verified by a trusted third party on behalf of the service provider and advertiser.

Attribution

Attribution could be permitted without consent, but only when limited to anonymized, cross-site attribution with technical and organizational measures to prevent cross-site tracking. The information and personal data accessed by the publisher and advertiser must be low risk, limited to only the necessary amount, and used only for these purposes. Some attribution use cases traditionally highly reliant on linking cross-site events to a single user would potentially require adaptation and innovation.

What does this mean for you?

The ICO admits that even if the government adopts all its recommendations (which it is not required to do), they "wouldn't revolutionise the ecosystem" but expects that the changes would provide publishers with revenue opportunities they don’t currently have where users do not consent to online advertising.

The ICO also recognizes that there are direct and indirect costs to its preferred approach but stresses these are largely short-term costs that would enable future growth and would be borne primarily by those businesses seeking to rely on new exceptions, in particular, online service providers and a smaller number of adtech intermediaries. With downstream benefits for advertisers, intermediaries and users arising from better measurement, reduced friction and improved trust, the ICO says it expects benefits to be strongest for mid- and base-tier publishers most constrained by consent rejections with modest to neutral benefits for top-tier platforms with large market share of extensive consented information. In the short-term, if you're using 'direct deals' you are likely to benefit most easily, but in the medium term, the ICO sees organizations taking advantage of opportunities to innovate in order to benefit from any new exceptions.

There is, however, a question mark over the extent to which this will be beneficial if changes happen only in the U.K. and not in the EU. The EU's Digital Omnibus data proposal includes some reforms to the EU ePrivacy Directive (from which PECR stems), but consent will still apply in the majority of cases with the only new exceptions likely to relate to processing of personal data on or from terminal equipment where necessary for transmission, for an explicitly requested service, for first-party audience measurement or for service/terminal security. The Digital Omnibus also provides for user choices to be submitted via automated and machine-readable methods within 24-months and via web browser within 48-months of entry into force. If the EU and U.K. do not align, then there is a risk the industry will default to the higher EU standards, limiting the overall financial impact of any U.K. changes.

If you're an advertiser, publisher or intermediary in the online advertising ecosystem, you will need to keep a close eye on developments in the U.K. and the EU.