Posted by Mariano delli Santi

https://www.openrightsgroup.org/publications/notes-from-org-adtech-roundtable-on-the-future-of-cookie-consent-requirements-in-the-uk/

https://www.openrightsgroup.org/__preview__/publication/26192

0. ABOUT THIS ROUNDTABLE

The Information Commissioner’s Office run a consultation on a new enforcement approach toward regulating advertising.¹ This call for views is also meant to support the government in developing planned secondary legislation to create a new exception to consent requirements for specific low-risk advertising purposes.

While the stated intention to “unlock privacy-preserving alternatives to the dominant adtech business model” is commendable, the risk surrounding a relaxation of online tracking rules are high. As we outline in the background section (infra, §0.1), the conversation surrounding cookie consent requirements strikes at the heart of the Internet ecosystem: behavioural tracking and profiling represent the perverse incentive that drives online harms, favours tech addiction and promotes disinformation while siphoning revenues away from the free media. If not done right, exempting cookies from consent requirements risks exposing Internet users to online harms, harmful advertising, and predatory targeting based on people’s addictions, vulnerabilities and state of anxiety.

However, and following the passage of the Data (Use and Access) Act in 2025, the Secretary of State was given rule-making (Henry VIII) powers to introduce new exemptions to cookie consent requirements within 28 to 40 days. The process to scrutinise Statutory Instruments involves a debate in Delegated Regulatory Committee which cannot last longer than 90 minutes (and is usually much shorter), before Parliament is asked to vote on the instrument(s) on a different day and without debate.² The impact that getting it wrong could have on UK residents’ privacy and online security, warrants Members of Parliament to take proactive steps and get involved in the debate before a Statutory Instrument is laid before the Houses of Parliament.

To address these concerns, Open Rights Group convened a stakeholder roundtable on the future of adtech and cookie consent requirements in the UK. Officials from relevant government departments and regulatory authorities joined up to discuss these plans with experts from civil society and the industry active in the field of privacy, consumer and children rights, advertising standards, and privacy-preserving tools. The roundtable was held under the Chatham House rule.

0.1 BACKGROUND: ONLINE ADVERTISING AND COOKIE CONSENT RULES

Earlier this year, the UK Department of Science Innovation and Technology reached out to stakeholders to discuss plans to use rule-making powers introduced by the Data (Use and Access) Act 2025 to relax cookie consent requirements. The Information Commissioners Office (ICO) followed suit by announcing a “package of measures to drive economic growth”,³ which includes an “experimentation regime” to grant “comfort from enforcement of certain data protection requirements, starting with consent rules for privacy-preserving advertising models”.

Recently, the ICO run an open call for views on this matter.⁴ In short, the ICO sought evidence to inform a statement, to be made in early 2026, which will identify “advertising activities that are unlikely to trigger enforcement action under PECR”. This statement would then “support the government in developing planned secondary legislation to amend the PECR rules and create a new exception to the PECR consent requirements for specific low-risk advertising purposes”.

The stated intention to “unlock privacy-preserving alternatives to the dominant adtech business model” is commendable. The dominant model of online advertising is underpinned by so-called “behavioural profiling” and “real-time-bidding”. In a nutshell, every time an Internet user visits a website, storage and access technologies are employed to mark that user with a cookie or another piece of information. This allows adtech providers to link browsing activities across different websites and “broadcast” this information into the real-time-bidding ecosystem, a vast network that comprises thousands of adtech intermediaries, publishers and advertisers who will bid to display an advertisement while the user is visiting a website (ie. their “impression”). In turn, browsing habits end up being shared, sold, traded within the real-time-bidding ecosystem for the purpose of drawing a “behavioural profile” of that individual, and target them on the basis of inferred and sometimes sensitive characteristics such as people’s political opinions, health status, sexual preferences, addictions, and vulnerabilities.

This system is also at the root of online addictions and online harms. Behavioural targeting and profiling has been used to: exclude women and BAME individuals from job and housing adverts;⁵ to target problem gamblers with gambling ads;⁶ to prey on vulnerable individuals on the basis of their addictions, anxieties and state of mind; to target mothers who just had stillbirth with baby ads,⁷ or to plain creep people out.⁸ It is also the system that powers the toxic Internet made of rage factories, radicalising content and filter bubbles.⁹

Due to the high risks involved, the law requires affirmative consent for behavioural tracking. However, the adtech industry spams the Internet with thousands of unintelligible and illegal cookie banners, turning online surveillance into an offer you cannot refuse. Against this background, relaxing cookie consent requirements present obvious risks. As ORG latest regulatory complaint against Liveramp has shown,¹⁰ the adtech industry is purporting ever-more pervasive systems of online surveillance as “privacy-preserving”: a further relaxation of cookie consent requirements risks emboldening this shift ever further. Even if only advertising models that respect people privacy were to benefit, questions’ arise over the impact that non-consensual targeted advertising may have on children, minorities and the most vulnerable in our society.

1. NOTES FROM THE ROUNDTABLE

1.1 THERE IS SHARED CONSENSUS THAT ADTECH NEEDS REFORM

There was consensus across the board that online advertising markets are characterised systemic non-compliance, and individuals cannot exercise meaningful choice and control over how they are being tracked and profiled online.

Stress was given to the fact that, once individuals have given consent for the storage of cookies or other tracking technologies, market players throughout the online advertising supply chain tend to favour the most invasive and high-risk forms of online tracking and profiling. According to many, such invasive forms of personal data processing are deployed with little to no regard of data protection rules.

Some drew attention to the fact that storage and access technologies are sometimes deployed to conduct online tracking and profiling before individuals even had the chance to consent. It was also noted that deceptive design interfaces (so-called dark patterns) are commonly deployed to force or deceive individuals into giving their consent, while cookie banners oftentimes provide incomplete or out-of-date information. Even where users were able to exercise their choices meaningfully, the complexity and opacity of the system makes it trivial to disregard such choices at a later stage in the supply chain, and further process personal data in ways that individuals would not expect or have consented to.

1.2 CONCERNS WERE RAISED ABOUT LACK OF CLARITY AND POTENTIAL FOR ABUSE

Several participants expressed dissatisfaction about the lack of clarity concerning the scope of the call for views. In particular, it was pointed out that the call for views does not provide a definition nor any examples of what a “low risk” or “privacy-preserving” advertising system would be, nor how a “less granular” form of online tracking and profiling would look like.

It was pointed out that the consultations are also meant to gather information that can inform decisions over how these terms and exemptions should be defined, or where the boundaries for relaxing enforcement should be drawn. In turn, some participants stressed the importance of adopting narrow and clearly-worded definitions: by drawing a parallel on the abuse of legitimate interest as a legal basis for circumventing consent requirements under the GDPR, it was argued that drawing exemptions within a market that is accustomed to non-compliance does inherently carry the risk of opening the floodgates. In turn, there is a heightened risk that any exemption or relaxation being introduced could be misinterpreted and used beyond its legitimate policy purpose.

Likewise, some participants questioned whether the consultation is giving enough attention or weight to the impact that lowering consent requirements may have for harmful advertising, given the data-driven nature of discriminatory or predatory practices. Concerns were also raised about the impact this would have on those who are already less able to exercise their choices, such as children. There seemed to be shared agreement that relaxation of consent rules should not cover instances where harm does occur in advertising.

1.3 PARTICIPANTS FELT THE ROLE OF ENFORCEMENT WAS BEING UNDERSTATED

Several participants were concerned that the call for views asked respondents to identify the minimum requirements for “a commercially viable advertising model”. In their view, this would characterise commercially viability as a static definition, thus ignoring the role that regulatory enforcement plays in determining the broader shape of the market and selecting what models and practices are viable within it.

As it was pointed out, advertising models that do not require consent to deliver advertisement already exist and are already operating within the market, although under-enforcement of consent rules puts them at a disadvantage.

This was echoed by other interventions: what defines commercial viability ultimately comes down to what regulators define as acceptable, and how they address illegal practices. Tolerance toward non-compliant behaviour leaves market players free to trade illegal advertising impressions on the market. This lowers the potential price which can be asked, and return that can be made, from compliant and more privacy-conscious forms of advertising. Effective enforcement of data protection rules would reduce the impact of illegal advertising on the market, raising commercial value and viability of alternative models of online advertising.

Finally, it was pointed out that assessing the value of “privacy-preserving” advertising is nearly impossible in a market that is acquainted to rely on pervasive forms of online tracking and profiling. Significant distortions that characterise online advertising markets mean that any attempt to measure the commercial value of alternative models would overestimate the value of behavioural profiling, while underestimating more innovative and less privacy-invasive forms of advertising.

1.4 CONSENT RULES AND TECHNICAL LIMITATIONS ARE NOT MAIN BARRIERS TO THE ADOPTION OF PRIVACY-PRESERVING ADVERTISING

Participants questioned the need of more personal data to deliver advertisement online. One participant pointed out that IP addresses are the only piece of information that is always and strictly necessary to deliver an ad. Another participant pointed out that IP addresses can be truncated, and this does not affect the technical ability to deliver ads. In general, the use of personal data was never characterised as a technical necessity, suggesting that their widespread use be the result of discretionary business practices.

Some participants also challenged the notion that consent rules would constitute a barrier to the adoption of less invasive forms of online advertising. Significant focus was given, instead, to the behaviour of market players: requests to sell advertising impressions that lack personal data are oftentimes rejected as a matter of commercial policy by those adtech intermediaries who hold gatekeeping powers over other players in the ecosystem. Even those gatekeepers who do not automatically reject “personal data-less” impressions will default to ignore them as soon as an advertiser puts a frequent cap or a KPI in their bid requests.

Against this background, it was also pointed out that the issue at play has little to do with the technical workability of ads delivery or compliance requirements; rather, the problem would be that market players lack incentive to shift their behaviour and thus remove these non-regulatory barriers.

As the conversation moved toward what pressure points could be used to promote such behavioural change, it was pointed out that adtech intermediaries are generally uninterested or even hostile toward change and innovation, whereas publishers are facing significant pressure on different areas of their revenue streams and thus lack leverage to promote change within the ecosystem. Some participants identified brands as stakeholders that could have the power and commercial incentive to push for behavioural change within the market.

1.5 VIEWS ON FRAUD DETECTION WERE NUANCED

Some participants addressed the proposal, included in the ICO call for views, to include “ad fraud prevention and detection” among the “categories of online advertising capabilities” which could benefit from a relaxation of consent requirements. In particular, it was pointed out that the proposal for an ePrivacy Regulation in the European Union envisioned a narrow exemption for the purpose of enabling fraud detection, and a similar avenue could be explored in the UK as well.

While some participants expressed a welcoming attitude toward this proposal, other questioned the interplay of a change of consent requirements for fraud detection within the UK, which is characterised by high market concentration. It was also pointed out that market players who provide fraud detection services are usually active in a diverse range of commercial domains, thus heightening the risk of data being collected for fraud detection being repurposed for other, unrelated reasons.

2. OPEN RIGHTS GROUP STOCKTAKE

2.1 THE CALL FOR VIEWS HAS SHORTCOMINGS AND RISKS EMBEDDING BIAS

Open Rights Group are grateful for the support given by all participants to the roundtable, including from representatives from the UK government and regulatory authorities. Nevertheless, we encountered flaws that characterised the way stakeholder inputs has being sought throughout the call for views.

Firstly, this consultation was opened on July 7 with an original deadline of August 29, 2025. We welcome the extension of this deadline to September 7, but it is still the case that this call for views is being carried out during the month of August for four out of the nine weeks that comprise its formal consultation period. Carrying out a consultation deep into the holiday season does not facilitate stakeholders engagement, even more so in light of the technical complexity of this topic.

Secondly, the framing and language of the consultation facilitates views addressing commercial aspects of online advertising, leaving little space to discuss the potential impact of advertising practices on privacy and individual’s rights. It follows that opinions of adtech intermediaries and other commercial players will likely be over-represented against civil society and other independent experts.

Thirdly, the call for views mentions that the ICO hosted “an in-person technical workshop with participants from across the online advertising industry”,¹¹ and commissioned a study on public attitudes toward online advertising and consent. ORG welcome efforts to survey public attitudes about such an important issue, but we can only acknowledge that the ICO has proactively sought inputs from the adtech industry, while ORG had to act of their own initiative to bring in the views of civil society and other under-represented stakeholders.

These constitute more than hypothetical concerns: frustration over the complexity of the issue, the framing of the questions in the call for views, and the coincidence of the consultation period with the holiday season has been a recurring opinion expressed by stakeholders ORG have engaged with throughout the preparation of the roundtable. Given the importance of online advertising in shaping the Internet space and its role in enabling privacy violations and online harms, more efforts should have been put in place to promote a wider participation to this consultation.

Finally, the call for views remains silent over what activities and practices may be designated to benefit from the relaxation of consent requirements. At the same time, no working definition has been given for key criteria that are being relied upon to designate such activities, such as “commercially viable”, “privacy-preserving”, “low-risk”, and “less granular”.

Frustration over this choice was voiced throughout the roundtable discussion. In practical terms, this leaves space to guesswork and does not allow stakeholders to provide evidence against lifting consent requirements for a given practice, nor to discuss what legal safeguards would need to underscore a given exemption if it were introduced. ORG believe that, at a bare minimum, any “draft statement” that is produced as a result of this call for views should be subject to a follow up round of public consultations, in order to allow stakeholders to consider and make representations over these proposals before these are adopted as a policy.

2.2 RELAXING CONSENT REQUIREMENTS SHOULD NOT BE THE STARTING POINT

Some participants questioned the approach presented in the call for views, pointing out that it is contradictory to expect that lessening the enforcement of privacy rules would encourage more privacy-preserving advertising practices.

This point resonates with many observations made throughout the roundtable: even though the policy objective being pursued may be legitimate, low enforcement increases confidence in market players who may misinterpret or abuse any exemptions that were introduced in the future. Low enforcement also devalues privacy-preserving models of advertising and increases the commercial viability of privacy invasive and non-compliant advertising practices. Finally, low enforcement reinforces inertia within the online advertising space, and is unlikely to provide an incentive for market players to lower behavioural barriers that were identified as the main obstacle to the commercial viability of more innovative and less data-intensive forms of online advertising.

All of the above points toward the conclusion that a step up in the enforcement efforts against traditional adtech intermediaries is necessary for a relaxation of cookie consent requirements to be successful. The proposal of lowering, or granting comfort from enforcement of, consent requirements for less invasive forms of online advertising can only become attractive in the presence of a serious and realistic regulatory back-threat against those who breach consent and data protection rules.

The call for views seems, however, to propose a different strategy where enforcement is relaxed alongside the introduction of new exemptions. Against the evidence that was brought from the participants to this roundtable, such an approach appears unlikely to promote a behavioural shift within market players, and would likely fail to deliver change within the online advertising space.

2.3 THERE IS A NEED TO DRAW RED LINES, TO NARROWLY DEFINE EXEMPTIONS, AND TO ENSHRINE SUITABLE SAFEGUARDS

Notwithstanding the limited scope to formulate recommendations without sufficient details over what is being proposed (supra, §2.1), valuable guidelines have emerged from the roundtable, whose substance is shared by Open Rights Group.

Firstly, the discussion emphasised the need to exclude, in any case, advertising practices that can produce harms and expose individuals to predatory or discriminatory practices should not benefit from any exemption being introduced.

The call for views states that “there will remain circumstances where online advertising will always require consent. For example, because it involves extensive profiling of people based on their online activity, habits and behaviour”,¹² as well as “We will continue to enforce consent requirements for collecting personal information for ad targeting and personalisation”.¹³ While these passages were welcomed by participants, ORG acknowledge that the language leaves a certain degree of uncertainty. Thus, adherence to these commitments will need to be tested and ascertained once the policy statement has been published.

Likewise, participants emphasised the need to employ narrow definitions and suitable safeguards to prevent misuse from the adtech industry, and in particular to protect individuals from the risk of repurposing and further processing of the data that may be collected under these exemptions. ORG share these concerns, and we believe that any such exemption should be underpinned by an explicit prohibition to further process personal data beyond the narrow scope allowed by the exemption.

2.4 THE POLICY OBJECTIVE IS COMMENDABLE, BUT METHODS REVEAL INTERFERENCE WITH REGULATORY INDEPENDENCE

Open Rights Group cannot ignore the worrisome circumstances which led to this review of the ICO approach to regulating online advertising.

In summary: at the end of December 2024, the Labour government addressed a letter to UK regulators, asking “to remove barriers to growth”.¹⁴ In January 2025, the government ousted the Chair of the Competition and Market Authority for political reasons.¹⁵ Soon afterwards, the ICO acknowledged to be among the recipients of this letter and committed to support the government in their efforts to promote growth.¹⁶ On March 17, “Information Commissioner John Edwards met with Chancellor of the Exchequer Rachel Reeves […] to agree the data protection regulator’s commitments”,¹⁷ thus pledging to conduct a review of cookie consent requirements. These plans have become part of the UK government Action Plan for a “New approach to ensure regulators and regulation support growth”.¹⁸

These facts call into question weather the ICO retains sufficient arms-length from the government to exercise their judgement freely and objectively. For instance, evidence presented in this roundtable suggests that removing consent requirements would be of limited usefulness at best, and that priority would better be given to freeing up the market from non-compliant advertising and driving behavioural change through enforcement. However, it is unclear what degree of freedom the ICO retains to consider de-prioritising a deregulatory initiative the Commissioner pledged to carry out before the Chancellor, and which now constitutes part and parcel of a government Action Plan to promote growth.

Further, it is wholly inappropriate for the Labour government to require the ICO to adopt “pledges” and “commitments” to deregulate the legal framework it oversees in order to support political objectives. These methods are also incompatible with the statutory framework governing the ICO and in particular Article 52 of the UK GDPR, which states that “The Commissioner shall act with complete independence in performing tasks and exercising powers in accordance with [UK data protection law]”. Even accepting at face value the good intentions being purported, these are no substitute for the integrity of public institutions, and cannot become an excuse to undermine regulatory independence and arm-length from the government.

Finally, ORG recall that it is for the government and lawmakers to amend the law within their democratic mandate, and it is a duty of regulatory authorities to enforce the law as it is insofar and until changes have been legitimately introduced. The process envisioned in this review—where the ICO would first relax enforcement, and the government would then amend regulatory requirements to reflect this posture—turns this relationship on its head, and is likely to interfere with foundational principles underpinning the rule of law.

3. CONCLUSION AND RECOMMENDATIONS

The roundtable showed shared agreement about the poor status quo surrounding online advertising and behavioural tracking technologies. Participants, however, challenged the notion that deregulating consent requirements should be the starting point of this conversation, and found non-compliance with consent requirements and data protection standards to be the main factors that contribute to the widespread abuse of personal data in the online advertising sector. They emphasised the role that regulatory oversight plays in shaping the market and defining what advertising practices are commercially viable, and identified regulatory enforcement as an obvious leverage to punish illegal and privacy-invasive online tracking practices, while favouring the adoption and commercial viability of privacy-enhancing advertising technologies.

Recommendation 1: Any relaxation of cookie consent requirements ought to be supported by a step-change of the ICO regulatory enforcement against real-time-bidding and other privacy-intrusive advertising and behavioural profiling practices. An effective and thorough regulatory sweep against illegal advertising ought to be the starting point of any effort to promote the adoption of privacy-enhancing advertising technologies.

The roundtable also exposed blindspots in the way the call for views has been run by the Information Commissioner’s Office. Engagement with the process was made difficult by the framing of the questions and the coincidence of the call for views with the holidays season. Furthermore, lack of clarity over what kind of advertising technologies and practices may benefit from a relaxation of cookie consent requirements did not allow stakeholders to scrutinise and comment on the potential impact of these changes on the rights of Internet users. Likewise, it was not possible to discuss what legal safeguards should be introduced to ensure any change does not harm individuals who are most vulnerable, marginalised or not fully able to exercise their agency—such as children.

Recommendation 2: The ICO ought to publish their statement concerning the new regulatory approach on online advertising as a draft, and seek stakeholders’ views before adopting it as a formal policy. Given the current focus of the call for views on advertising and market practices, this second call for views ought to focus on the potentials impact of this statement on the rights and well-being of Internet users.

Recommendation 3: Any exemption to cookie consent requirements ought be supported by an explicit prohibition to further process personal data beyond the scope of the exemption being introduced.

Finally, this initiative exposes ongoing tension surrounding regulatory independence and the rule of law. By forcing the ICO to make these initiatives a commitment before the government, the Labour party has overstepped their mandate and dealt a severe blow to the integrity and regulatory independence of the ICO. Likewise, the ICO approach to this initiative, where it envisions to first cease to enforce applicable rules and then lobby the government to deregulate them, raises alarming questions over the modus operandi of the ICO as an institution and its adherence to the rule of law. Contributing to these concerns, new powers introduced by the Data Use and Access Act would allow the government to override primary legislation within 28 to 40 days and without appropriate Parliamentary scrutiny.

Recommendation 4: The ICO oughts to withdraw the revision of cookie consent rules from Action Plan for a “New approach to ensure regulators and regulation support growth”.

Recommendation 5: The ICO statement ought not to contradict their duty to enforce cookie consent requirements as currently enshrined in legislation. Any exemption from cookie consent requirements must be preceded by a legitimate change of UK data protection law.

Recommendation 6: Members and Peers of the Houses of Parliament should engage proactively with this issue, and enhance scrutiny both before and during delegated legislative scrutiny toward Statutory Instruments which can significantly alter the balance of rights established by Parliament with primary legislation.

1 Information Commissioner’s Office, ICO call for views on our approach to regulating online advertising, at: https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/2025/07/ico-call-for-views-on-our-approach-to-regulating-online-advertising/

2 Institute for Government, Secondary legislation: how is it scrutinised?, at: https://www.instituteforgovernment.org.uk/explainer/secondary-legislation-scrutiny

3 Information Commissioner’s Office, Package of measures unveiled to drive economic growth, at: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/03/package-of-measures-unveiled-to-drive-economic-growth/

4 Information Commissioner’s Office, ICO opens door to privacy-first advertising models with proposed new enforcement approach, at: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/07/ico-opens-door-to-privacy-first-advertising-models-with-proposed-new-enforcement-approach/

5 MIT Technology Review, Facebook’s ad algorithms are still excluding women from seeing jobs, at: https://www.technologyreview.com/2021/04/09/1022217/facebook-ad-algorithm-sex-discrimination/

6 The Guardian, UK betting giants under fire for ads targeting at-risk gamblers, at: https://www.theguardian.com/society/2025/feb/01/uk-betting-giants-under-fire-for-ads-targeting-at-risk-gamblers

7 CNBC, A woman shared her tragic story of how social media kept targeting her with baby ads after she had a stillbirth, at: https://www.cnbc.com/2018/12/12/woman-calls-out-tech-companies-for-serving-baby-ads-after-stillbirth.html

8 Forbes, Ad ‘Relevancy’ Is Fiction, And It’s Creepy, at: https://www.forbes.com/sites/augustinefou/2021/04/19/ad-relevancy-is-fiction-and-its-creepy/

9 Open Rights Group, Weakening privacy will fuel online harms, at: https://www.openrightsgroup.org/blog/weakening-privacy-will-fuel-online-harms/

10 Open Rights Group, ORG submits complaints about intrusive LiveRamp adtech system, at: https://www.openrightsgroup.org/press-releases/org-complaint-liveramp-adtech/

11 Information Commissioner’s Office, ICO call for views on our approach to regulating online advertising, at: https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/2025/07/ico-call-for-views-on-our-

12 Information Commissioner’s Office, ICO call for views on our approach to regulating online advertising, at: https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/2025/07/ico-call-for-views-on-our-

13 Ibid

14 Reuters, UK’s Starmer asks regulators to prioritise economic growth, Sky reports, at: https://www.reuters.com/world/uk/uks-starmer-asks-regulators-prioritise-economic-growth-sky-reports-2024-12-28/

15 BBC, Government ousts UK competition watchdog chair, at: https://www.bbc.co.uk/news/articles/c2d3e6zklxgo

16 Information Commissioner’s Office, Letter from Information Commissioner John Edwards in ICO response to government on economic growth, at: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/01/ico-response-to-government-on-economic-growth/

17 Information Commissioner’s Office, Package of measures unveiled to drive economic growth, at: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/03/package-of-measures-unveiled-to-drive-economic-growth/

18 HM Treasury, New approach to ensure regulators and regulation support growth, at: https://www.gov.uk/government/publications/a-new-approach-to-ensure-regulators-and-regulation-support-growth/new-approach-to-ensure-regulators-and-regulation-support-growth-html

https://www.openrightsgroup.org/publications/notes-from-org-adtech-roundtable-on-the-future-of-cookie-consent-requirements-in-the-uk/

https://www.openrightsgroup.org/__preview__/publication/26192