I have summited a response to the Information Commissioner's Office's call for views on their approach to regulating online advertising.
It seems clear that the ICO, having concluded, unequivocally, back in 2019, that the adtech industry was egregiously violating the GDPR, are moving, now, towards finding ways to enable the industry to avoid or evade their data protection obligations with impunity.
The pressure from the UK government to facilitate growth will be a factor here. However the ICO has been underperforming on enforcement for quite some time, as their own annual reports, including the latest, and eminent commentators such as Professor David Erdos of Cambridge University and Baroness Young of Old Scone, the former head of the UK’s Environment Agency, have, unimpeachably, noted. As Prof Erdos says, The ICO's
"strong duty to enforce and to respond to complaints has generally not
been reflected in ICO practice and, even more concerningly, its
accelerating stance points strongly away from rather than towards any expectation of regular and concrete regulatory action...
Especially post-Brexit, it may be argued that UK regulation as a whole is beset by an serious enforcement gap
and that the ICO’s track-record merely reflects this. Even if true,
this would in no way demonstrate that such an outcome is acceptable
either in the abstract or given the UK GDPR’s very specific
expectations...
the ICO’s relative performance cannot be explained by a lack of
resourcing as it is likely the single best resourced data protection
(and freedom of information) authority in the world with approximately 1,000 members of staff.
Rather it has been primarily driven by deeply rooted ICO internal
culture which has been fuelled by a lack of effective accountability
mechanisms for data subjects and by an Information Commissioner who has
publicly set his face against full use of the UK GDPR’s powers by, for
example, peremptorily degrading fines in the public sector in June 2022 and, without clear evidence, stating in November 2024 that neither high value nor high volume fines against companies were the best way to achieve impact."
Baroness Young was, if anything, more damning when speaking in the House of Lords in 2023,
"We need a powerful and effective regulator. The ICO’s enforcement and
prosecution record has not been sparkling, with low levels of
enforcement notices, prosecutions and fines. If, when I was at the
Environment Agency, I had had as low a level of those as the Information
Commissioner has had, I would think I had gone to sleep somewhere along
the line."
The ICO's own recent defence of the lack of enforcement action against the Ministry of Defence, following the serious breach involving the disclosure of
personal details of thousands of Afghans who worked with British forces
during the UK’s presence in Afghanistan, was weak, at best.
This latest consultation, therefore, which seems to be about enabling the adtech industry to continue to generate oceans of what the Open Rights Group rightly call stalker ads, would appear to be another worrying indication of a longer term trend of the inefficacy and regulatory capture of the ICO.
For the past three decades, we have transformed the greatest communications medium in the history of the planet, the internet, into an invasive, toxic, and in the case of the people of Palestine and other marginalised peoples, oppressive and deadly, mass surveillance machine. We have facilitated the development and deployment of this infrastructure primarily in the interests of economic actors who generate their main revenues through targeted aka stalker advertising.
States have, enthusiastically, supported and exploited and engaged in these developments, in their own interests. Essentially the most powerful ecomomic and political forces have all been pushing in the same direction - more mass surveillance, more mass data collection, storage, analysis and processing, more mass privacy invasion. Hypnotised by the belief that the magic computerised mass surveillance machine can deliver their economic or political dreams, decision makers have paid little substantive attention to the social or democratic consequences.
The most powerful economic actors are thriving, even as the services and technology they offer get worse, so they are happy. Policymakers are in thrall to billionaire techbros building machines they claim can solve the politicians' complex socio-political-economic-environmental problems. The techbros are now claiming we should not even worry about burning the planet, in the quest to build an AI machine that will figure out how to fix the problems of global warming, climate change, environmental destruction.
When the magic tech solutions don't work for the politicians and economic actors they become even more obsessed with making them work - techies must just nerd harder. Besides, as their billionaire techbro mates will constantly remind them, the technology is better now, it will work this time, or sometime in the future, if only you give them the license and enough resources. Innovation and growth will see us through.
My colleague at the Open University, Dr. Syed Mustafa Ali,
characterises all this as a combination of racial capitalism and
digital colonialism.
I would simply ask -
Is the world more stable than it was 30 years ago?
Have we tackled global warming?
How about racism and xenophobia?
Discrimination on all fronts?
War crimes and genocide?
Crime?
Terrorism?
Poverty?
Equity and equality?
Conflict and mass population displacement?
Social welfare?
Fair and equal access to healthcare, treatment and medicines?
Migration, immigration & border control?
Security and intelligence?
Disinformation & misinformation?
Concentration of wealth and power?
Exploitation and abuse of the under-privileged, on every dimension?
Housing?
Employment?
The obsession of the UK government - economic growth, at seemingly any cost?
Enabling people to live in basic comfort and dignity?
Is there a greater recognition of and respect for fundamental human rights?
What problems has this giant mass privacy invasion machine solved?
How well has it solved them?
What other problems has it caused?
How much has it cost, not just in economic terms but in structural social, political, cultural, environmental, in human, personal, community, local, regional, national and global contexts?
Has it been or is it worth it?
How can we better shape and/or retrofit and/or evolve and/or scrap and replace the architectures of these systems in more socially progressive ways, in the public interest?
Perhaps giving the most blatant and flagrant, systemic and systematic violators of basic data protection rights the ICO's blanket blessing, to continue and expand those practices, might not be the most appropriate course of action?
With all that in mind, and when the appalling notion of chat control is coming perilously close to being endorsed by most EU governments, my response to the ICO consultation copied below, has tended, in places to be direct. Please excuse the formatting - it is copied and pasted from the pdf version of my submission via the ICO webform. It should be noted that parts of my response are also guided by and/or edited from the response of the Open Rights Group to the same call for views.
"Submitted to Our approach to regulating online advertising - Call for views
Submitted on 2025-09-05 21:31:09
Advertising purposes and capabilities
1 Ad delivery and billing
What features within ad delivery and billing are the minimum requirements for a commercially viable advertising model, and why?:
Up front I would remind the ICO of your own adtech & RTB report in 2019 specifying:
"general, systemic concerns around the level of compliance of Real Time Bidding (RTB):
1.Processing of non-special category data is taking place unlawfully at the point of collection due to the perception that legitimate interests can be used
for placing and/or reading a cookie or other technology(rather than obtaining the consent PECR requires).
2.Any processing of special category data is taking place unlawfully as explicit consent is not being collected (and no other condition applies).In general,
processing such data requires more protection as it brings an increased potential for harm to individuals.
3.Even if an argument could be made for reliance on legitimate interests,participants within the ecosystem are unable to demonstrate that they have
properly carried out the legitimate interests tests and implemented appropriate safeguards.
4.There appears to be a lack of understanding of, and potentially compliance with, the DPIA requirements of data protection law more broadly (and
specifically as regards the ICO’s Article 35(4) list). We therefore have little confidence that the risks associated with RTB have been fully assessed and
mitigated.
5.Privacy information provided to individuals lacks clarity whilst also being overly complex. The TCF and Authorized Buyers frameworks are insufficient to
ensure transparency and fair processing of the personal data in question and therefore also insufficient to provide for free and informed consent, with
attendant implications for PECR compliance.
6.The profiles created about individuals are extremely detailed and are repeatedly shared among hundreds of organisations for any one bid request, all
without the individuals’ knowledge.
7.Thousands of organisations are processing billions of bid requests in the UK each week with (at best) inconsistent application of adequate technical and
organisational measures to secure the data in transit and at rest, and with little or no consideration as to the requirements of data protection law about
international transfers of personal data.
8.There are similar inconsistencies about the application of data minimisation and retention controls.
9.Individuals have no guarantees about the security of their personal data within the ecosystem."
Having not addressed these concerns, why does the ICO now wish to find ways to permit the advertising industries to continue evade data protection
law?
2 Ad fraud prevention and detection
What features within ad fraud prevention and detection are the minimum requirements for a commercially viable advertising model, and why?:
How is this question within the remit of the ICO?
3 Brand safety, brand suitability and brand compliance
What features within brand safety, brand suitability and brand compliance are the minimum requirements for a commercially viable advertising model,
and why?:
I realise the ICO is under pressure to legalise some targeted online advertising, without consent, so the advertising industry can continue to generate
revenues but, again, how is this question within the remit of the ICO?.
4 Frequency capping
What features within frequency capping are the minimum requirements for a commercially viable advertising model, and why?:
Yet again, how is this question within the remit of the ICO?.
5 Measurement and attribution
What features within measurement and attribution are the minimum requirements for a commercially viable advertising model, and why?:
Yet again, how is this question within the remit of the ICO?.
6 Targeting
What features within targeting are the minimum requirements for a commercially viable advertising model, and why?:
Why is the ICO so concerned with the commercial viability of advertising models. If I can quote from your own website, "The Information Commissioner is
the UK’s independent regulator for Data Protection and Freedom of Information, with key responsibilities under the Data Protection Act 2018 (DPA) and
Freedom of Information Act 2000 (FOIA)." Your "role is to uphold information rights in the public interest" not working out commercially viable advertising
models. You cover
Data Protection Act
Privacy and Electronic Communications Regulations
Environmental Information Regulations
eIDAS Regulation
NIS Regulations
Freedom of Information Act
General Data Protection Regulation
INSPIRE Regulations
Re-use of Public Sector Information Regulations
Investigatory Powers Act
None of these, as I understand the regulations concerned, have anything to do with "What features within targeting are the minimum requirements for a
commercially viable advertising model, and why?"
RTB and behavioural advertising blatantly operate in breach of data protection regulations where, once consent is given (and often, even when it's not)
adtech intermediaries process, share and re-purpose this data at will. This is illegal under the UK GDPR, which requires data not to be processed beyond
the specific, granular purpose for which consent was given.
The true commercial viability of advertising practices cannot be measured despite the claims of the industry on its efficacy. Prices are distorted and the
market is dominated by giant oligopolies and consequent unfair competition of non-compliant advertising practices. Rather than asking what targeting
features are needed to attain a “commercially viable advertising model” should not the ICO be taking action to enforce data protection law so egregiously
ignored by the industry, to remove illegal advertising from the market, and restore a level playing-field for actual law-abiding businesses.
7 How significant are the changes in ICO regulatory posture towards PECR regulation 6 consent requirements that would be required to
enable delivery of a commercially viable advertising model?
Change needed - Ad delivery and billing:
Change needed - Ad fraud prevention and detection:
Change needed - Brand safety, brand suitability and brand compliance:
Change needed - Frequency capping:
Change needed - Measurement and attribution:
Change needed - Targeting:
No change
Please explain your answer::
Why is the ICO concerned with undermining PECR to "enable delivery of a commercially viable advertising model?"
Regarding the changes on targeting there should be 'No change'.
The ability to target individuals based on personal data is the main enabler of harms, discrimination and predatory practices that plague online
advertising. Targeting based on personal data exposes women to unjust prosecutions for their attempt to exercise reproductive health rights; problem
gamblers to being targeted with gambling ads that are meant to exploit their addiction; anyone to be excluded on the basis of their gender, sexual
preferences, ethnicity or other sensitive characteristics; children and those in a more vulnerable status to be targeted and taken advantage of.
These are not unfortunate outcomes, but a feature of the technology. Behaviour is the only personal data that can be observed and captured by storage
and access technologies. It is never a reliable proxy for an individuals' characteristics, preferences or inner desires, but is a reliable means to identify
addiction, health statuses and other syndromes—all of which are, indeed, recognisable by “typical”, “compulsive” behaviours and clearly discernible
patterns of behaviour.
A system that is inherently bad at guessing your commercial preferences but inherently good at identifying weak spots that can be exploited does, not
surprisingly, serve the purpose of exploiting individuals better than it does serve the purpose of delivering legitimate advertising. Advertising systems that
target individuals on the basis of personal data should NEVER be considered low-risk or exempted from consent requirements. That the ICO is running a
consultation on how to enable such activity would appear directly at odds with your duty to act in the public interest.
This call for views includes the following statement: “We will continue to enforce consent requirements for collecting personal information for ad
targeting and personalisation.”
A RELAXATION of the consent requirement for ad targeting, based on ANY amount of personal data, is clearly outside of the scope of this consultation. It
is important, therefore, that the ICO to honour this statement.
Impacts of our approach
8 How far do you agree that the approach outlined in our call for views can identify commercially viable solutions that can also safeguard
people’s privacy and improve user experience?
Strongly disagree
Please explain your answer::
Your call for views appears specifically designed to undermine people's privacy in order to facilitate the ongoing data protection breaching practices of
the industry.
I strongly disagree that such a consultation can remotely "safeguard people's privacy and improve user experience." On the contrary this call for views
displays all the hallmarks of regulatory capture by industry.
DPA tolerance and facilitation of non-compliant advertising practices prevent a meaningful measurement of the true value and commercial viability of
advertising practices let alone those “that can also safeguard people’s privacy and improve user experience”.
The approach of this call for views turns the relationships between commercial viability and “safeguarding people's privacy and improving user
experience” on its head: it is the duty of the economic actors in the advertising industry to commercialise their services WITHIN the boundaries and IN
COMPLIANCE with the norms that have been established by legislation. The UK GDPR and PECR already require advertising to be done in a manner that
safeguards privacy and our agency. The role of the ICO is to enforce these boundaries, NOT to adapt them to meet the needs of non-compliant
advertising firms or to enable such companies to evade their legal obligations.
In the event of exemptions to cookie consent requirements being adopted, “safeguarding people's privacy” would ultimately depend on the limits and
safeguards in place that underpin those exemptions. The call for views provides some clarifications over what will not be exempted, but does not clarify
what practices are being considered to be covered by those exemptions. Without such details it is impossible to evaluate how the ICO is proposing to
“safeguard people's privacy” while conducting this call for views.
9 Would you anticipate any of the following positive impacts if any of the capabilities referenced were permitted without PECR consent in
circumstances where the ICO considers them to be low risk to people? Please select all that apply:
If other, please specify::
I would anticipate NO positive impacts, in the public interest, of enabling industry to evade or circumvent their legal obligations.
Which positive impacts for which stakeholders, in particular, is the ICO interested in? The interests of citizens and customers are not coincident with the
interests of the ecology of economic actors that make up the advertising industry.
Please provide any evidence on the likely scale of these positive impacts::
I refer you to the Irish Council for Civil Liberties report from 2023, Europe's Hidden Security Crises, on the wider NEGATIVE impacts of RTB which
concludes: RTB is not just a privacy concern but a national security concern:
"Real-Time Bidding (RTB) allows foreign states and non-state actors to obtain compromising sensitive personal data about key European personnel and
leaders.
Key insights:
Our investigation highlights a widespread trade in data about sensitive European personnel and leaders that exposes them to blackmail, hacking and
compromise, and undermines the security of their organisations and institutions.
These data flow from Real-Time Bidding (RTB), an advertising technology that is active on almost all websites and apps. RTB involves the broadcasting of
sensitive data about people using those websites and apps to large numbers of other entities, without security measures to protect the data. This occurs
billions of times a day...
...EU military personnel and political decision makers are targeted using RTB...
...Google and other RTB firms send RTB data about people in the U.S. to Russia and China, where national laws enable security agencies to access the
data. RTB data are also broadcast widely within the EU in a free-for-all, which means that foreign and non-state actors can indirectly obtain them, too.
RTB data often include location data or time-stamps or other identifiers that make it relatively easy for bad actors to link them to specific individuals.
Foreign states and non-state actors can use RTB to spy on target individuals’ financial problems, mental state, and compromising intimate secrets. Even if
target individuals use secure devices, data about them will still flow via RTB from personal devices, their friends, family, and compromising personal
contacts.
In addition, private surveillance companies in foreign countries deploy RTB data for surreptitious surveillance. We reveal “Patternz”, a previously
unreported surveillance tool that uses RTB to profile 5 billion people, including the children of their targets...
Cambridge Analytica style psychological profiling of target individuals’ movements, financial problems, mental health problems and vulnerabilities,
including if they are likely survivors of sexual abuse."
See also ICCL's reports on America's & Australia's hidden security crises from 2023 & 2024 and their 2025 RTB complaint to the FTC.
10 Would you anticipate any of the following negative impacts if any of the capabilities referenced were permitted without PECR consent in
circumstances where the ICO considers them to be low risk to people? Please select all that apply:
Worsened customer experience, Increased risk of privacy harm
If other, please specify::
There will be an increased risk of privacy harm. This privacy harm will be accompanied by what you describe as "worsened customer experience." This
questionnaire gives adtech providers ample freedom to argue in favour of removing consent requirements for a range of purposes, as listed in questions
1-6, questions which themselves seem to be outwith with the duties and responsibilities of the ICO.
The call for views does not provide any proposal whose impact on people’s privacy can be commented upon. Further, the call for views allows industry
players to keep their responses confidential, which could prevent industry submissions in favour of deregulation to be scrutinised publicly.
The “scale of these negative impacts" can only be measured when specific proposals are presented.
The shape and form of this call for views makes it likely that responses of the industry will be over-represented. In turn, the views of those concerned
about significant increased risk of privacy harms, that will undoubtedly arise from providing industry with an ICO license to evade data protection laws,
will be under-represented.
Please provide any evidence on the likely scale of these negative impacts::
I refer you to Cory Doctorow's book, longlisted for the Financial Times and Schroders Business Book of the Year 2025, Enshittification: Why Everything
Suddenly Got Worse and What To Do About It.
Doctorow diagnoses the broader issues with unchecked oligopolistic markets online and the negative impacts already out of control. It is exactly the
opposite of easing the pressure on these industries that Doctorow proposes is the way forward, not the ICO's apparent ideas about giving the advertising
industry more freedoms. From the book description:
"Misogyny, conspiratorialism, surveillance, manipulation, fraud, and AI slop are drowning the internet. For the monopolists who dominate online - X,
TikTok, Amazon, Meta, Apple - this is all part of the playbook. The process is what leading tech critic Cory Doctorow has dubbed 'enshittification'. First, the
platform attracts users with some bait, such as free access; then the activity is monetized, bringing in the business customers and degrading the user
experience; then, once everyone is trapped and competitors eradicated, the platform wrings out all the value and transfers it to their executives and
shareholders.
As a result, online public squares have become places of torment, and online retailers are hellish dumpster fires. The virtual gathering places where we
once imagined the world's problems might be resolved are now a sewer of hatred and abuse - thoroughly enshittified.
Doctorow enumerates the symptoms, lays out the diagnosis, and identifies the best responses to these diseased platforms: the monopolies online must
be shattered. Companies too big to fail or to jail - and much too big to care - must be cut down to size. Only an attack on corporate power will permit
effective regulation and real privacy. Tech unions must protect the workers who should, in turn, defend us against their bosses' sadism and greed."
11 Do you see any challenges in delivering commercially viable advertising if the ICO were to revise its regulatory posture towards regulation
6 PECR requirements for specific advertising purposes?
Unsure / Don't know
Please explain your answer::
"Challenges in delivering commercially viable advertising" should be no part of the concern of the ICO.
Diluting the ICO's "regulatory posture towards regulation 6 PECR" to suit an industry notorious for engaging in systematic and systemic practices
breaching its legal obligations under data protection and privacy regulations would seem the very definition of derogation of duty on the part of the ICO.
Technical safeguards
12 Are you aware of any technical safeguards to reduce data protection and privacy risks of storage and access of information for the
advertising purposes listed above?
Please provide your answer::
Though technical architectures can be configured in privacy enhancing ways, with default settings providing better respect for privacy, there are no sole
technical solutions to reduce data protection and privacy risks on the internet.
Structurally, privacy protection requires a combination of regulations, economic incentives/sanctions, social and technological architecture measures
working in harmony to offer the requisite respect for fundamental rights.
According to Schedule 12(2) of the Data (Use and Access) Act:
(3) [...] the means by which the subscriber or user may signify consent include—
10(a) amending or setting controls on the internet browser which the subscriber or user uses;
(b) using another application or programme.
So, powers to amend exemptions to Regulation 6 PECR, which the ICO is proposing should be amended in favour of industry, could actually be used to
give legal enforceability to technical signals.
Giving legal enforceability to technical signals could allow individuals to express consent for online advertising targeting via browser settings and
communicate them persistently as they browse the Internet. But that is only tinkering at the edges of the need for network architecture, regulatory,
economic incentive and social reforms.
13 Do you currently use any technical safeguards or PETs in your online advertising model?
Please provide your answer::
I don't have an online advertising model.
14 Are you aware of any recent innovations which significantly reduce the data protection and privacy risks of one or more of the capabilities?
Please provide your answer::
No and even if there were, there are no simple tech fixes to complex sociotechnical/economic/tech-architectural systemic problems.
That politicians and media and regulators like to believe there are is a fundamental part of the reason why we keep making the same mistakes in failing
to shape the development and deployment of these technologies in the public interest.
About you and your organisation
15 Are you responding on behalf of an organisation?
I'm not responding on behalf of an organisation
If other please specify::
16 If you are not responding on behalf of an organisation, are you answering as:
An academic
If other, please specify::
Final comments
21 Before completing this call for views, do you have any final comments you have not made elsewhere?
Please provide your comments::
I would just like to repeat my concern that the shape and form of this call for views makes it likely that responses of the adtech industry will be
over-represented. In turn, the views of those concerned about significant increased risk of privacy harms, that will undoubtedly arise from providing
industry with an ICO license to evade data protection laws, will be under-represented.
22 We may wish to contact you for further information on your responses. If you are happy to be contacted, please provide your name and
an email address below.
Please provide your name:
Ray Corrigan
23 We may publish in full the responses received from organisations or a summary of the responses. If so, we would like your permission to
publish your consultation response. Please indicate your publishing preference:
Publish response"
