2025 continues to prove to be a year of considerable change for marketing compliance. We’ve previously covered new guidance in this area and UK and EU data protection reforms, and in this blog we’re providing a roundup of recent regulatory action on targeted ads.
O’Carroll v Meta
The recently settled case of O’Carroll v Meta sheds some light on the UK Information Commissioner’s Office’s (ICO) stance on targeted advertising on social media under the General Data Protection Regulation (GDPR). This case was brought by an individual against Meta for breach of the UK GDPR on the basis that Meta failed to stop collecting and processing their data to deliver targeted ads following an opt-out request.
The ICO published submissions it made to assist the court on the interpretation of UK data protection law and issued a statement supporting the outcome. We have drawn out a couple of key takeaways from this:
- Meta argued that its targeted advertising did not constitute “direct marketing” as ads are targeted at groups of people rather than individuals. The ICO disagreed, explaining that “online targeted advertising should be considered as direct marketing” as the “UK GDPR applies in a technologically neutral manner, including to online activity”. Therefore, the ICO concluded that organisations must allow individuals to object to their data being used in this way.
- The ICO encourages individuals to file a complaint with it if an organisation does not comply with their request to stop processing their data (and that it will continue to engage with Meta on the same). This could therefore increase the likelihood that more individuals will come forward to exercise their right to object to the collection and processing of their data for targeted ads.
The case was settled before reaching trial, with Meta reportedly agreeing to stop targeting ads at the individual and stop processing the individual’s data for such purpose. Whilst the ICO’s comments demonstrate its view and the approach it will take to enforcement, the settlement means that we still lack legal certainty in this area.
Interaction of pay or consent and opt-out rights
The ICO’s stance on the ability to opt-out of processing of data for targeted ads gives rise to uncertainty about how this works in conjunction with pay or consent models, and particularly whether individuals can exercise opt-out rights free of charge. The ICO’s consent or pay guidance expressly states organisations must allow people to exercise their Art 21 opt-out rights free of charge but in the context of consent or pay says “the right to object to direct marketing can operate in the same way as withdrawing consent to personalised advertising.” It therefore appears that an individual’s right to exercise its opt-out free of charge may disappear with consent or pay models. However, this will only be confirmed as market practice emerges and the ICO responds.
Following the O’Carroll case, Meta is believed to be considering introducing a pay or consent model in the UK, and the ICO has previously stated it expects Meta to consider any data protection concerns raised by it prior to its introduction. Meta’s believed plans may however be thrown into question given the European Commission has recently announced a fine under the Digital Markets Act for its EU pay or consent model.
The European Data Protection Board (EDPB) is soon to publish more general guidance on consent or pay models (following its Opinion on consent or pay models offered by large online platforms last year).
Amazon loses appeal against Luxembourg fine
On 19 March, it was announced that the Luxembourg court had rejected Amazon’s appeal of the €746 million fine levied by the Luxembourg data protection authority (DPA) for EU GDPR violations relating to targeted advertising. Amazon is reportedly considering a further appeal, and the DPA has said that it will not release further details of its enforcement action until all court action has concluded. Further clarity on this can therefore be expected in due course.
Dutch regulator takes further action on cookies
The Dutch DPA constantly monitors 10,000 Dutch websites and, as a result, on 15 April, the Dutch DPA announced that it had sent the first of 500 warnings to organisations about misleading cookie banners, requiring them to change their banner or to change their tracking practices within 3 months. Failing change, the DPA says it will start an investigation and the organisations run a high risk of fines. The first 50 letters went to webshops, media companies and insurers, among others.
Don’t forget apps!
Following the ICO’s statement in its online tracking strategy that it will take action against non-compliant targeted advertising practices on apps and connected TVs, the French DPA has also now announced that it will begin bringing enforcement against companies who fail to comply with cookie consent requirements on mobile apps. This serves as a useful reminder to businesses that apps are within scope just as much as websites.
Outlook
Overall, regulatory scrutiny of targeted advertising is clearly ever-increasing. As we have said previously, businesses should therefore take the time this year to reconsider their approaches to marketing compliance to ensure that the increased risks and regulator expectations are correctly reflected in internal decision-making, particularly given the risk of parallel enforcement as there is no one-stop shop for actions brought under e-privacy legislation unlike the GDPR.
/Passle/5badda5844de890788b571ce/SearchServiceImages/2025-04-24-18-10-44-441-680a7ea41f52562e734a36af.jpg)
/Passle/5badda5844de890788b571ce/SearchServiceImages/2025-04-16-10-45-05-782-67ff8a314a50fd9adb173a92.jpg)
/Passle/5badda5844de890788b571ce/SearchServiceImages/2025-04-16-10-18-08-213-67ff83e0b34a593b4ea48aee.jpg)
/Passle/5badda5844de890788b571ce/SearchServiceImages/2025-04-16-08-46-37-205-67ff6e6d3048bb4711b336b6.jpg)