How do the rules apply to online advertising?
At a glance
- The use of storage and access technologies for online advertising purposes requires consent. This applies both to the technical processes involved in ad selection and delivery and to any associated tracking and profiling.
- Ad measurement does not require a separate consent, as the collection of information for measuring the effectiveness of campaigns is intrinsically linked to the purpose of online advertising.
- In principle, contextual advertising more readily enables you to comply with both the PECR requirements and your UK GDPR obligations than other types of targeted advertising.
In detail
Do we need consent for online advertising?
Yes. The use of storage and access technologies for online advertising purposes requires consent.
This applies both to the technical processes involved in ad selection and delivery and to any associated tracking and profiling.
The use of storage and access technologies for the purposes of online advertising is not strictly necessary to provide a service to the user. This is because on a technical level, the service can be provided without any advertising.
Obviously, service providers also seek to generate revenue from online advertising. But this doesn’t make it “technically unfeasible” to provide the service without it.
If you process personal data for online advertising purposes based on consent, and then supply the data to third parties, the user’s consent must apply across the chain.
When you ask for consent, you must clearly explain to your users:
- who the data will be shared with;
- for what purpose; and
- how they can exercise control over this processing.
You, and the third parties involved, must ensure you have a process for passing on when a user has withdrawn their consent. In practice, where you have collected the consent, you are responsible for telling the third parties when this consent is no longer valid.
You must obtain consent for the use of storage and access technologies where these are used for analysing or predicting people’s personal preferences, behaviour and attitudes.
Example
A company offering marketing services obtains personal data from a third-party supplier. It combines this information with its own (first-party data) and public databases and processes it to create individual profiles on people.
The data obtained from a third-party supplier was obtained with consent from each person. As the company cannot demonstrate that this processing is fair and lawful without consent, it decides that it cannot rely on the legitimate interests lawful basis to use this data for profiling. Instead, the company goes back to the data supplier to check whether the supplier considers the consent to be valid and whether it has a way to find out if a person has withdrawn their consent.
If either of these conditions is not satisfied, the company will not use the data.
Data protection law does not stop you from tracking and profiling people for online advertising purposes. However, you must ensure that people:
- are made aware of the processing;
- are given meaningful control over their data; and
- can exercise their rights.
Does ad measurement require consent?
Yes, but this forms part of the consent you obtain for online advertising purposes.
The requirement for consent applies to any storage and access technology used for online advertising purposes. These purposes can include measurement of the effectiveness of ad campaigns.
The measurement does not require a separate consent, as the collection of information for measuring the effectiveness of campaigns is intrinsically linked to the purpose of online advertising.
This means that as long as your use of storage and access technologies is based on the user’s consent, you don’t need additional consent for measurement purposes.
However, if you do group consent requests for purposes which are intrinsically linked, you must provide clear and comprehensive information to your users about these purposes and ensure the consent is valid.
You must still follow the rules for refreshing consent where required, such as where new third parties are involved, or if you plan to use the storage and access technologies for a new purpose. This is particularly important in the context of online advertising, where a large number of third parties may be involved in a complex supply chain.
If the information is used for other purposes that are not intrinsically linked to the original purpose, you must obtain separate consent. For example, this would be the case where third parties are processing information on a user’s interaction with the advert for tracking or profiling people.
What types of online advertising can we use?
This is ultimately a decision for you to take.
There are different types of online advertising. The most common ones involve techniques that target the ads in some way so that a user is more likely to interact with them. For example, ads can be targeted based on:
- The content of the page the user is currently viewing. This is usually known as ‘contextual advertising’.
- The user’s known or inferred interests, characteristics and behaviours, particularly over time and potentially across different services, locations and devices. This is usually known as ‘behavioural advertising’. It includes a range of targeting techniques that involve profiling the user, for example, observing their online activities.
This means most online advertising is ‘targeted’. The difference is what the ads are targeted on. It may be common to refer to ads targeted on the basis of someone’s personal data as ‘personalised advertising’, but you should be clear about the specific techniques you intend to use and which of these involve profiling.
In principle, contextual advertising more readily enables you to comply with both your PECR and UK GDPR obligations. While it can still involve personal data processing, this is less extensive than with other types of targeted advertising (for example, those that involve profiling, like behavioural advertising). This is because personal data is not used to determine what ad a user sees.
However, any storage and access technologies used for the purposes of online advertising require consent.
Can we use ‘cookie walls’ or ‘consent or pay’ models?
A cookie wall — sometimes called a ‘tracking wall’ — requires users to ‘agree’ or ‘accept’ the setting of storage and access technologies before they can access an online service’s content.
There are different types of these models. Whether they result in valid consent depends on what model the online service uses and the specific choices it makes about the implementation.
One example is a model that requires the user to ‘agree’ to the tracking, otherwise they cannot access the service at all. This is known as the ‘take it or leave it’ approach.
In most cases, the ‘take it or leave it’ approach does not comply with the requirement for consent to be freely given.
This is because you must provide a genuine free choice. You must not bundle consent up as a condition of the service unless it is necessary for that service.
A new model is emerging which gives people a choice between accessing online services without payment if they consent to their personal information being used for personalised advertising or, if they refuse this consent, having to pay to access that service. This type of access mechanism is typically known as ‘consent or pay’, or ‘pay or okay’.
The issues that ‘consent or pay’ touches on are complex. We are producing specific guidance on this, which will be available on our website in early 2025.