Skip to content
Chimera readability score 83 out of 100, Specialist reading level.

Open Rights Group response to the ICO call for views on their new approach to regulating online advertising
6 Targeting
What features within targeting are the minimum requirements for a commercially viable advertising model, and why?:
Commercial viability of targeting practices is not a static definition, but is ultimately determined by what practices are tolerated and allowed to be offered withing the online advertising market.
With this in mind, real-time-bidding and behavioural advertising are currently underscored by a free-for-all model where, once consent is given (and oftentimes, even when it’s not) adtech intermediaries process, share and repurpose this data at will. This is illegal under the UK GDPR, which requires data not to be processed beyond the specific, granular purpose for which consent was given.
It follows that the true value and commercial viability of advertising practices cannot be measured, insofar prices are distorted and the market is impacted by the unfair competition of non-compliant advertising practices. In turn, any serious assessment regarding the extent necessary of employing targeting features to attain a “commercially viable advertising model” should be preceded by an effective regulatory sweep to remove illegal advertising from the market, and restore a level playing-field for law-abiding businesses.
7 How significant are the changes in ICO regulatory posture towards PECR regulation 6 consent requirements that would be required to enable delivery of a commercially viable advertising model?
Change needed – Targeting: No change
Please explain your answer:
Firstly, the ability to target individuals based on personal data is the main enabler of harms, discrimination and predatory practices that plague online advertising. Targeting based on personal data exposes women to unjust prosecutions for their attempt to exercise reproductive health rights; problem gamblers to being targeted with gambling ads that are meant to exploit their addiction; anyone to be excluded on the basis of their gender, sexual preferences, ethnicity or other sensitive characteristics; children and those in a more vulnerable status to be targeted and taken advantage of.
These are not unfortunate outcomes, but inherent to the technolopgy being used: behaviour is the only personal data that can be observed and captured by storage and access technologies; however, behaviour is never a reliable proxy for an individuals’ characteristics, preferences or inner desires, but is a reliable mean to identify addiction, health statuses and other syndromes—all of which are, indeed, recognisable by “typical”, “compulsive” behaviours and clearly discernible patterns of behaviour. A system that is inherently bad at guessing your commercial preferences but inherently good at identifying weak spots that can be exploited does, not surprisingly, serve the purpose of exploiting individuals better than it does serve the purpose of delivering legitimate advertising. Advertising systems that target individuals on the basis of personal data should never be considered low-risk or exempted from consent requirements.
For the avoidance of the doubt, contextual advertising may not be considered as targeting on the basis of personal data, insofar targeting is based purely on the context of the website where the ad is being shown. The inclusion of information that either directly or indirectly relates to an individual—for instance, where the IP address was used to guess the geolocation of an individual— should never be considered contextual and thus be treated as targeted advertising.
Finally, we would draw attention to the fact that the call for views includes the following statement:
“We will continue to enforce consent requirements for collecting personal information for ad targeting and personalisation.”
Therefore, we consider a relaxation of consent requirement for ad targeting based on any amount of personal data to be outside of the scope of this call for view, and we expect the ICO to honour this statement.
Impacts of our approach
8 How far do you agree that the approach outlined in our call for views can identify commercially viable solutions that can also safeguard people’s privacy and improve user experience?
Strongly disagree
Please explain your answer::
As mentioned in response to question 6, tolerance toward non-compliant advertising practices prevent a meaningful measurement of the true value and commercial viability of advertising practices “that can also safeguard people’s privacy and improve user experience”.
Adding to those considerations, the approach of the call for views turns the relationships between commercial viability and “safeguarding people’s privacy and improving user experience” on its head: it is for advertising market players to commercialise their services withing the boundaries and in compliance with the norms that have been established by legislation. The UK GDPR and PECR already require advertising to be done in a manner that safeguards privacy and our agency. The role of the ICO is to enforce these boundaries, not to adapt them to meet the needs of non-compliant advertising firms.
Finally, it is worth underscoring that, in the event of exemptions to cookie consent requirements being adopted, “safeguarding people’s privacy” would ultimately depend on the limits and safeguards in place that underpins those exemptions. The call for views provides some, welcome clarifications over what will not be exempted, but does not at any point clarify what practices may or are being considered to be covered by those exemptions. This does not allow to appreciate the approach, and if and in which manner the ICO is managing to “safeguard people’s privacy” while conducting this call for views.
10 Would you anticipate any of the following negative impacts if any of the capabilities referenced were permitted without PECR consent in circumstances where the ICO considers them to be low risk to people? Please select all that apply:
Increased risk of privacy harm
Please provide any evidence on the likely scale of these negative impacts:
This questionnaire give adtech providers ample freedom to argue in favour of removing consent requirements for a range of purposes, as listed in questions 1-6. From the perspective of civil society and independent experts, instead, the call for views does not provide any proposal whose impact on people’s privacy can be commented upon. Further, the call for views allows industry players to keep their responses as confidential, which could prevent evidence in favour of deregulation to be scrutinised publicly.
Notwithstanding that the “scale of these negative impacts“ can only be measured when a proposal will be presented, it is clear that the design of this call for views presents a very high likelihood to over-represent the views of the adtech industry and, in turn, to underweight the increased risk of privacy harm that could result.
Technical safeguards
12 Are you aware of any technical safeguards to reduce data protection and privacy risks of storage and access of information for the advertising purposes listed above?
Giving legal enforceability to technical signals would allow individuals to express consent for online advertising targeting via browser settings and communicate them persistently as they browse the Internet, thus ensuring that meaningful choices can be made and communicated to adtech providers. This solution would also constitute an effective way to allow individuals to object and opt-out of processing, thus ensuring that they retain choice and agency in an opt-out model of online advertising. Finally, such a system could also be relied upon by parents to set consent preferences via parental controls and thus protect their kids from online tracking.
According to Schedule 12(2) of the Data (Use and Access) Act:
(3) […] the means by which the subscriber or user may signify consent include—
10(a) amending or setting controls on the internet browser which the subscriber or user uses; (b) using another application or programme.
Therefore, powers to amend exemptions to Regulation 6 PECR could be used to give legal enforceability to technical signals.
22 We may wish to contact you for further information on your responses. If you are happy to be contacted, please provide your name and an email address below.
Please provide your name: Mariano delli Santi
Please provide your email address: mariano@openrightsgroup.org

Facts Only

The Open Rights Group (ORG) responded to the ICO’s call for views on regulating online advertising.
ORG argues that real-time bidding and behavioral advertising often process data beyond the scope of user consent.
The group states that current practices violate UK GDPR, which requires data processing to align with specific, granular consent.
ORG claims that non-compliant advertising distorts market prices and prevents fair competition.
The response opposes any relaxation of consent requirements for targeted advertising.
ORG highlights risks of targeting, including discrimination, exploitation of vulnerabilities, and privacy harms.
The group proposes technical safeguards, such as browser-based consent signals, to enhance user control.
ORG criticizes the ICO’s approach for potentially favoring industry interests over privacy protections.
The response notes that the ICO’s call for views allows industry submissions to remain confidential.
ORG emphasizes that contextual advertising, without personal data, should not require consent.
The group references Schedule 12(2) of the Data (Use and Access) Act to support browser-based consent mechanisms.
Mariano delli Santi of ORG provided contact information for further discussion.

Executive Summary

The Open Rights Group (ORG) has submitted a response to the UK Information Commissioner’s Office (ICO) regarding its call for views on regulating online advertising. ORG argues that current advertising practices, particularly real-time bidding and behavioral targeting, violate UK GDPR by processing personal data beyond the scope of user consent. They contend that the commercial viability of advertising cannot be accurately assessed while non-compliant practices distort the market. ORG opposes any relaxation of consent requirements for targeted advertising, emphasizing that such practices enable discrimination, exploitation of vulnerabilities, and privacy harms. They propose technical safeguards, such as legally enforceable browser signals, to empower users to control their data. ORG also criticizes the ICO’s approach for potentially prioritizing industry interests over privacy protections and calls for stricter enforcement of existing regulations.
The response highlights concerns about the ICO’s call for views, including the lack of transparency in industry submissions and the risk of overrepresenting adtech perspectives. ORG asserts that any exemptions to consent requirements would increase privacy risks and that the ICO’s role should be to enforce compliance, not adapt regulations to industry demands. The submission underscores the need for a level playing field where lawful advertising practices are not undermined by non-compliant competitors.

Full Take

The ORG’s response to the ICO’s call for views presents a principled critique of online advertising practices, framing the issue as a conflict between commercial interests and fundamental privacy rights. The strongest version of their argument is that current adtech systems are inherently exploitative, designed to identify and target vulnerabilities rather than serve legitimate advertising purposes. This narrative aligns with broader concerns about surveillance capitalism and the ethical implications of data-driven marketing.
Patterns detected: ARC-0024 Ambiguity (lack of clarity on what exemptions might be considered), ARC-0043 Motte-and-Bailey (asserting that any relaxation of consent is outside the scope, despite the call for views explicitly seeking input on this).
The root cause of this tension lies in the structural misalignment between profit-driven adtech models and regulatory frameworks designed to protect individual autonomy. The ORG’s stance reflects a growing recognition that privacy cannot be treated as a secondary consideration in digital markets. However, the response also reveals a deeper paradox: while advocating for stricter enforcement, it acknowledges that the true commercial viability of privacy-respecting advertising remains untested due to the dominance of non-compliant practices.
The implications extend beyond regulatory policy. If the ORG’s concerns are valid, the current advertising ecosystem may be systematically undermining user agency, with marginalized groups bearing disproportionate costs. The proposal for browser-based consent signals is a constructive step toward empowering users, but its effectiveness depends on enforcement mechanisms that have historically been weak.
Bridge questions: What evidence exists that privacy-preserving advertising models can be commercially viable at scale? How might the ICO balance industry innovation with the need for robust privacy protections? What safeguards would prevent technical solutions like browser signals from being circumvented by adtech providers?
Counterstrike scan: A coordinated influence campaign pushing this narrative might amplify fears of surveillance while downplaying the economic dependencies of digital media. However, the ORG’s submission appears genuine, focusing on legal and ethical arguments rather than manipulative framing. No structural alignment with a hypothetical attack playbook is detected.

Sentinel — Human

Confidence

This analysis is a well-structured legal advocacy response, demonstrating expert knowledge of regulatory frameworks and a coherent, human-driven argument regarding online advertising regulation.

Signals Detected
low severity: Varied sentence length and rhythm; strong, specific, and sometimes complex phrasing characteristic of legal/advocacy writing.
low severity: High coherence focused on a specific regulatory argument; transitions are used logically to build a legal case rather than merely connect general ideas.
low severity: The argument follows a clear structure derived from a specific call for views, referencing specific legal mechanisms (GDPR, PECR, Schedule 12(2)) which suggests deep domain knowledge.
low severity: Claims are grounded in real-world legal frameworks and specific organizational positions, making confabulation highly unlikely.
Human Indicators
The text displays a specific, focused voice advocating for a precise legal outcome, integrating specific references to UK GDPR and PECR, which requires domain expertise.
The argument structure is highly tailored to responding to a formal regulatory inquiry, showing a context-aware, human-driven analytical strategy rather than general LLM output.
The tone balances legal precision with moral/societal critique, demonstrating idiosyncratic emphasis typical of advocacy work.
ORG response to ICO call for views on our approach to regulating online advertising — Arc Codex