Why 2025 is the year to refresh your marketing compliance

The Information Commissioner’s Office (ICO) announced earlier this week that it will work with the UK Government on a regulatory review of the UK’s marketing rules to facilitate privacy friendly online advertising, as part of a package of measures to drive economic growth (discussed at the proposal stage, here). With the UK digital marketing spend due to grow from £32 billion in 2024 to £44 billion in 2028[1], it is perhaps not surprising that the regulator and UK Government are focusing on how to support organisations operating in this area to innovate and grow, while mitigating the risks posed to individuals. 

Against this backdrop, the risk profile for organisations’ marketing activities is changing, with law and guidance in this area developing and becoming more certain. Organisations are therefore in an increasingly strong position to refresh their compliance approach and risk-based decisions in this area (although, perhaps not all of them quite yet). This blog provides an overview of some of the key developments in this space.

UK and EU data protection reforms

Significantly, in the UK, the Data (Use and Access) Bill (Data Bill) will increase the maximum fines for breaches of the Privacy and Electronic Communications Regulations (PECR) in relation to electronic direct marketing and the placing of cookies and other storage and access technologies from £500,000 to the higher of £17.5 million or 4% of annual worldwide turnover (to align them with those under the UK General Data Protection Regulation). However, in more favourable news for organisations, the Data Bill also amends some of the relevant rules to:

• reaffirm that processing personal data for direct marketing purposes can amount to a legitimate interest,
• add new exceptions to the general consent requirement for cookies under PECR, 
• give the UK Government new powers to add additional cookie exceptions later (such as those relating to privacy preserving ads), and
• allow charities to rely on the soft opt-in for direct marketing to further their charitable purposes to existing or interested supporters.

In contrast, the European Commission has formally withdrawn the long-awaited e-Privacy Regulation so reform in Europe has been further delayed.

Data protection regulator focus and guidance crystallising 

As we’ve discussed in our previous blogs (see here and here), the ICO has recently published updated cookies guidance (rebranded as “storage and access technologies” guidance) as part of its online tracking strategy for 2025, as well as its final consent or pay guidance. These all provide greater clarity on the ICO’s expectations (such as around consent banners and privacy by design) and potential areas for enforcement action, which can guide organisations on their compliance approach. 

EU data protection authorities (DPAs) are also focusing on digital marketing, with the risk of high fines against those breaching the rules. For example, in October 2024 the Irish DPA issued a €310 million fine against LinkedIn in connection with targeted advertising (currently under appeal) and the French DPA issued a €50 million fine against Orange in December 2024 for displaying adverts in emails without valid consent. 

Overlap in the web of digital regulation

As well as data protection laws, organisations must also consider their digital marketing compliance strategy in light of evolving and overlapping competition and consumer protection laws and advertising standards - particularly following the introduction of the Digital Markets, Competition and Consumers Act 2024 in the UK (see our previous blog). Like the ICO, the UK Competition and Market’s Authority has indicated that online advertising will be an area of focus for competition investigations in 2025 and 2026.

Conclusion

As a result of these (among other) changes, 2025 is the year for organisations to revisit and refresh their approaches to online advertising. 

Our latest briefing, which was first published in the March 2025 issue of the Privacy Laws & Business UK report, delves into these developments (and more) and sets out practical guidance on the steps organisations should take to update their compliance approach, including in relation to cookies, email pixels and consent routes.

[1] According to research by PWC.