
The O’Carroll v. Meta case highlights growing regulatory focus on user consent and targeted advertising. Regulators, like the ICO, affirm targeted ads are direct marketing and subject to GDPR. Companies must honor opt-outs, avoid dark patterns, and secure genuine, informed consent to build consumer trust and ensure compliance.
Marketing compliance has never been more contentious, as individuals become more protective of their privacy and act to exercise their right to opt in or out of tracking and targeting based on their online activities and cookie consent. The legal repercussions are playing out on the global stage, leading everyone in the digital marketing ecosystem, as well as the regulatory space, to question exactly what consent means and how it can be applied to targeted advertising.
A number of claims testing the strength of GDPR, data privacy regulations and consent have appeared during 2025. Recently the O’Carroll versus Meta case was settled in the UK by the Information Commissioner’s Office (ICO), which indicates how the ICO approaches targeted advertising and consent. In the case, the claimant alleged that Meta continued to collect and process their personal data to serve targeted ads, even though they had explicitly opted out.
In a test of what is considered “personal”, Meta argued that because the ads were not individually targeted, they did not constitute direct marketing. Instead, the ads were aimed at groups. The ICO rejected this distinction, stating that online targeted advertising should be considered direct marketing and therefore be subject to GDPR restrictions where explicit and informed consent, and the right to opt out of advertising, apply.
The case did not go to trial – it was settled before reaching that stage. And if it is a bellwether of data privacy and consent law interpretations, it indicates that regulators are apt to side with individual consumers.
Ultimately, the settlement of the case, while not legally binding, upholds the central tenets of GDPR and its requirements for direct marketing and user consent. These include:
Targeted ads are direct marketing: The ICO has stated that online targeted advertising should be considered direct marketing and is subject to GDPR restrictions.
Right to object: The ICO emphasized that individuals must be able to object to the use of their personal data for advertising, and organizations are legally required to respect those objections.
Complaints and enforcement: The ICO encouraged individuals to report non-compliance, signaling that regulators are prepared to act if companies fail to stop processing data for targeted ads when asked.
The O’Carroll case highlights systemic issues in the digital advertising ecosystem, where businesses often sidestep data privacy obligations or come up with justifications for ignoring them. Some examples include:
Cookie banner “dark patterns”: Many websites use consent banners that steer users toward accepting all cookies through confusing design, hidden “reject” options, or by making it harder to refuse tracking. This undermines the GDPR’s requirement for freely given, informed, and unambiguous consent.
Misuse of “legitimate interest”: Some companies justify tracking for targeted ads under the legal basis of legitimate interest rather than explicit consent, despite regulatory guidance making clear that profiling for marketing requires opt-in consent.
Cross-site tracking and data sharing: Ad networks and data brokers often share user data across multiple platforms without users’ knowledge, creating detailed behavioral profiles. These practices are increasingly challenged under GDPR and the ePrivacy Directive.
Consent or pay models: Platforms like Meta and large publishers are experimenting with “consent or subscription” models, where users must either agree to data tracking or pay for an ad-free service. Regulators are still assessing whether such models meet the GDPR’s standard of “genuine choice.”
While misuse of targeted advertising is widespread, compliance and consumer trust are possible if organizations adopt privacy-first, consent-led approaches. Examples of good practice include:
Genuine opt-in consent: Make cookie banners clear, with equally prominent “accept” and “reject” buttons, and avoid manipulative design.
Transparent communication: Clearly explain what data is collected, how it is used, and who it is shared with—in concise, plain language rather than legal jargon.
Granular choices: Allow users to consent separately to different types of data use (e.g., functional cookies vs. marketing cookies), rather than bundling all tracking together.
Easy opt-out: Honor opt-out requests quickly and free of charge, with simple in-product controls (not hidden in multiple settings menus).
Demonstrable accountability: Maintain records of consent, conduct Data Protection Impact Assessments (DPIAs) for targeted advertising systems, and proactively engage with regulators.
It seems likely that scrutiny of targeted advertising, particularly of how consent and opt-out rights are respected, is firmly on the regulatory agenda. With the European Data Protection Board (EDPB) releasing further guidance on “consent or pay” models, companies should expect clearer rules, and stricter enforcement, in the near future.
For businesses, the opportunity lies in building consumer trust through transparency and choice. Organizations that design ad models with privacy in mind, and that obtain consent in an ethical and clear manner, are more likely to avoid enforcement risks, improve customer relationships, and differentiate themselves in an environment where consumer awareness of data rights is rapidly growing.

