Digital marketing compliance - spring cleaning tips for 2026

Legal developments and increased fines

Fines for breach of the UK Privacy and Electronic Communications Regulations (“PECR”) increased in February this year to be on par with UK GDPR fines (i.e. the higher of £17.5 million or 4% of annual worldwide turnover) from its previous maximum of £500,000. If the EU Digital Omnibus is implemented in its proposed form, this would also align the maximum fines for e-privacy non-compliance across the EU with the GDPR maximum. In addition, the UK'’s Data (Use and Access) Act (“DUA”) has lowered the threshold at which the Information Commissioner's Office (“ICO”) can impose a fine.

There are also legislative changes in the US, with California for instance requiring a mandatory browser-based ad opt-out option from January 2027.

Enforcement

On the enforcement front, the French data protection authority (“CNIL”) issued record-breaking cookie fines in September 2025 against Shein of €150 million and Google of €325 million (the maximum for e-privacy fines in France already being aligned with GDPR penalties). In the US, whilst federal enforcement in this area has been limited, state enforcement has increased, with the California Privacy Protection Agency fining Honda $632,500 in part due to its cookie banner design and functionality, and Healthline Media reaching a settlement with the Californian Attorney General for $1.55 million in respect of allegations that its use of online tracking technology on its health information website violated the California Consumer Privacy Act (“CCPA”).

Civil actions

Class actions look set to continue in this area in a number of jurisdictions, with this exemplified by the combined $56 million settlement filed in California last September by Google and the developers of the Flo app in respect of the collection and use of certain data for targeted advertising. Given the continuing use of wiretapping laws as the base for many claims, the use of cookie banners is expected to continue, and increase, in the US to seek to protect against such actions.

Regulator focus moves to apps

Organisations’ cookie compliance efforts have historically focused on websites, but apps are rapidly moving up regulators' agendas, in part due to the sensitivity of data accessible on mobile devices, such as real-time location, contacts and photographs.

This new regulatory focus can be seen through the content of the CNIL’s final recommendations on the design and development of mobile apps, released in May 2025, with the CNIL announcing it would begin enforcing against those who did not follow these recommendations.

Similarly, the ICO was clear in its online tracking strategy released last year that it would be looking at online tracking on apps, as well as internet-connected TVs and internet of things devices.

The California Attorney General has also been active, having undertaken a sweep of popular streaming apps and devices to assess compliance with the CCPA. This led to a $530,000 settlement with Sling TV in part for failing to provide an easy-to-use opt-out for consumers to stop the sale of their personal data for marketing purposes.

Interaction with app stores 

An additional compliance challenge is the interplay between app/play store consent prompts and an organisation’s own consent requirements. On iOS, for example, for an organisation to access the Identifier for Advertisers (IDFA), the device user needs to agree to the tracking consent pop up. However, the iOS pop up does not meet the standard for GDPR consent and so the user’s journey also needs to include the organisation’s own consent management platform pop-up. This will appear either before or after the iOS pop up, with there being pros and cons of each from a compliance and user journey perspective.

The iOS tracking consent approach is currently under review by various EU competition authorities. Organisations should monitor these developments and assess if the outcomes affect their customer consent processes on their apps.

Software development kits (SDKs)

SDKs are toolkits that allow developers to easily add features like in-app advertisements, analytics and personalised messaging, enabling platforms to collect user data, connect with ad networks such as Google and Meta and deliver tailored experiences. They are often touted as the “solution” to the need for cookie consent on apps, although practice has not yet fully developed into comprehensive consent models for their usage. However, organisations should be aware that they are essentially licensed trackers that organisations embed into their apps and are still caught by the EU and UK e-privacy consent rules.

Regulatory focus 

A dark pattern is any online choice architecture that undermines an individual's true choice. Organisations are generally familiar with the concept of not bundling consents, and more recently with the requirement for a "Reject All" button on cookie banners so that rejecting is as easy as accepting. However, there are other prevalent practices that may also constitute dark patterns. The ICO offers the following example, of a communication that is one-sided and therefore not compliant.

With businesses wanting to find new ways to encourage users to provide the required consent, there is a greater risk of these straying into dark pattern territory.

The ICO has expressed concern that online choice architecture can manipulate and influence users to make choices about their personal information that do not align with the user’s actual preferences. This can make it unduly difficult for users to choose freely how their data is processed and deprive them of meaningful control over their personal information. Ultimately, this can lead to more extensive processing about individuals' behaviour, preferences and attitudes and, ultimately, unwarranted intrusion such as unwanted targeted advertising or profiling. This undermining of true choice then means that any consent would not meet the required GDPR standard.

Competition authorities, including the UK Competition and Markets Authority, agree and have warned that harmful online choice architecture distorts consumer behaviour, weakens competition by shifting focus from meaningful factors to superficial tactics, and allows businesses to exploit market power to maintain or increase dominance.

EU’s proposed Digital Fairness Act 

The EU Commission plans to put forward legislation to strengthen digital fairness online, with it being proposed that this Digital Fairness Act addresses dark patterns given concerns that EU regulation in this area is fragmented and there is no unified definition of what amounts to a dark pattern. 72% of respondents to the consultation last year on the high-level proposals for this regulation favoured binding rules on dark patterns, whilst digital industry stakeholders have expressed concern that a distinction must be drawn between deceptive practices and legitimate online persuasive methods. The expectation is therefore that provisions on dark patterns will be included in the draft regulation, which is expected to be released later this year.

US approach 

In the US, the Federal Trade Commission views dark patterns as covert consumer manipulation, and in September 2025 imposed a $2.5 billion settlement on Amazon for misleading Prime subscriptions. California and South Carolina have also enacted laws to address deceptive practices.

ICO’s Children’s Code 

In the ICO's progress update on its Children's Code Strategy in December last year, the ICO confirmed that safeguarding children's privacy is a key priority, and this was reiterated in the Information Commissioner's speech at the IAPP London Intensive in February.

The ICO's Age Appropriate Design Code (commonly referred to as the Children's Code) applies to websites which are "likely to be accessed by children", defined as anyone under 18. This threshold is broader than many organisations appreciate – even where children are not the intended target audience, if children are likely to access the website, the organisation must consider and comply with the Children's Code. This includes ensuring that, when children's data is processed, the highest privacy settings are switched on by default, including, therefore, preventing marketing.

ICO guidance highlights that where there is uncertainty as to whether services are being accessed by children, a cautious risk-based approach should be adopted, including putting in place proportionate measures to prevent or deter children from providing their personal data and taking appropriate action to ensure any age restrictions are enforced. Merely stating in website terms and conditions that the website is not intended for children and that they may only access it with parental consent is unlikely to be sufficient in most cases.

This was emphasised in the recent ICO fines against Reddit and Imgur, with a key failure in both cases being that they relied on a prohibition or restriction in their terms and conditions. The ICO determined that this was insufficient to prevent children's access to a service without other measures, such as an effective age assurance mechanism. For further information on these fines, please see our previous blog, noting that Reddit has since filed an appeal against the fine

DUA changes 

DUA has codified aspects of the above. In particular, organisations that provide an online service that is likely to be used by children are explicitly required by law to take children’s ‘higher protection’ needs into account when assessing what are appropriate technical and organisational measures. This includes considering how children can best be protected and supported when using the services, the fact they merit specific protection and that they have different needs at different ages and at different stages of development.

The ICO helpfully confirms that organisations who already conform to the Children’s Code should satisfy this requirement.

EDPB stance 

The EDPB chose children's data as the topic to highlight on Data Protection Day earlier this year and is currently working on guidelines for the processing of children's data.

US approach 

The Children's Online Privacy Protection Act regulates the collection, use and disclosure of personal information from children under 13 and applies to websites and online services that are directed to children, or that have actual knowledge they are collecting personal data from children. It requires websites to obtain verifiable parental consent before collecting, using or disclosing personal information from children and gives parents rights to review personal information collected from a child.

The FTC takes into account numerous factors when determining whether a site is "directed to children", including subject matter, visual content, use of animated characters or child-oriented activities and incentives, music, language, and other characteristics.

Organisations must also consider state laws, with many imposing additional restrictions. For instance, Maryland has introduced an outright prohibition on the sale or processing of personal data for targeted advertising if the organisation knew, or should have known, that the consumer is under 18. Most recently, South Carolina introduced a new law in February this year requiring various privacy and other settings to be set by default for minors. This applies to organisations which exceed certain thresholds relating to revenue or sale of data and whose sites are "reasonably likely to be accessed by children" (i.e. those under 18).

Age assurance

Age assurance techniques present both an opportunity and a challenge. Whilst simply requesting someone input their age is widely recognised as ineffective, more sophisticated technologies using AI collect more data about the individual and so come with their own data protection risks that must be carefully managed.