For a decade, online advertising consent rules only ever tightened and addressable inventory only ever shrank. What started in Europe has gone global, leaving a trail of confusion and dubious legal standing. However in May the ICO quietly proposed the first reversal in what has been an endless tightening cycle. For B2B, whose buyers are anonymous, out-of-market and company-level by nature, it may be the most consequential regulatory shift since GDPR. Here is the mechanics, the signals, and what it tells us about where privacy is actually heading.

Here is a fact most marketers get backwards. When a visitor clicks “Reject all” on a cookie banner today, the ads do not stop. The publisher can still fill the slot. What stops is the signal. The programmatic machinery that decides what the impression is worth goes dark, the bid request arrives stripped of almost everything that gives it value, and a piece of premium inventory that should clear at a healthy price gets sold for pennies or goes unsold entirely.

Everybody loses in this scenario;

1. Publishers and media creators go unpaid - with independent content getting defunded and let down by the operating model of the internet being rug pulled. This leads to publishers setting more ad placements, which are more detrimental to the user experience, which in turn puts more people off going to their site/s and creates a vortex like vicious circle of decline

2. Advertisers miss the chance to buy high value account based impressions in premium content environments, where intent is forged and fortified. These are the exact environments which command the upper end of B2B CPMs, and they go un-auctioned

3. End users, with our B2B lens on, often buying committee members in global accounts see garbage bottom-filler ads which detract from the user experience and are a distracting irrelevance, pushing them away from premium sites and spending less time in the open internet.

That distinction, between full-throttle data enabled monetisation and blocked signal, matters because it explains the slow bleed that premium publishers have lived through since regulators forced “Reject all” to sit level with “Accept all”. The audience did not disappear. The ability to monetise it did.

Privacy and AI have been the bedfellows of doom for the publishing world, so any walk-back on the incredibly stringent rules is potentially the most significant development since privacy rules were introduced with GDPR - because it is the first signs of a reversal in its direction of travel.

On 18 May 2026 the Information Commissioner’s Office published formal advice to government proposing that a defined set of low-risk advertising functions could run without consent under PECR. Of all the privacy laws, PECR is the most arduous, and a strict interpretation of it would essentially render programmatic advertising as an industry as illegal.

This new formal advice went out, unglamorously, in a letter to a digital minister and a Treasury secretary, and most of the trade press filed it under compliance housekeeping. I think that is a mistake. Strip away the legalese and this is the first time in roughly a decade that a major Western privacy regulator has moved deliberately to widen, rather than narrow, what addressable advertising is allowed to do. The ratchet that only ever turned one way just slipped a tooth.

This piece is about why that slip is a bigger deal for B2B than for anyone else, and what it signals about the direction of travel for privacy itself.

What you’ll learn in this article

• Why premium publishers, the lifeblood of the open web, have been squeezed from two directions at once, and the numbers behind the squeeze

• Exactly what the ICO has proposed, the seven functions it would exempt, and the narrow set of signals that could flow without consent

• The category error at the heart of PECR: why the rules taxed anonymous context and individual surveillance at the same rate

• Why B2B has the most to gain, given an audience that is overwhelmingly anonymous, out-of-market and company-level

• Which specific B2B-relevant signals could become addressable without consent, and where the hard limits sit

• What the move tells us about a privacy movement that, until now, has only known one direction

The two-front squeeze on the open web

Premium content publishers are the substrate the open web is built on. They are also the part of the ecosystem that has taken the heaviest fire over the last five years, from two directions that arrived more or less simultaneously.

The first front is privacy compliance. Once cookie banners were forced to offer a genuine, equally weighted rejection, people used it. The exact rejection rate is contested and varies wildly by banner design and sector, which is itself telling, but the direction is not in doubt.

UK publisher data collected by Press Gazette puts consent rates somewhere around 70 to 80 percent when accept and reject are presented evenly, so a fifth to a third of visitors opting out.

Rhe above is for the UK only, and the data I have seen, aggregated across billions of B2B vendor and publisher page loads captured by the FunnelFuel analytics, makes for much bleaker reading. My data is more in-line with broader academic and industry reviews find that with a properly presented “Reject all” button, something closer to half to two-thirds of users now decline, and that a compliant banner can mean 40 to 70 percent fewer tracking data points. German analytics firm etracker reports that a legally compliant design sees consent refused on around 60 percent of visits. Whatever the precise figure on a given site, a large and growing slice of premium audience became, in programmatic terms, invisible.

The industry’s workaround, consent or pay, tells you how acute the pain became. Sixteen of the fifty biggest UK news sites now ask users to either accept tracking or pay a subscription, and once that choice is introduced almost everyone accepts. It creates 2 problems though; one - according to Content Ignite, this creates a negative sentiment amongst users, and more concerningly, the ICO has confirmed those models can be lawful there’s clearly an interpretation that it is in-fact unlawful to do this. It is a revealing fix. Publishers were effectively charging users for the privilege of declining to be tracked, because the alternative was watching half their inventory lose its value. I am all for it, and 76% of users agree with me that publishers deserve to get paid for their work (see Content Ignite link above)

The second front that publishers are fighting is the collapse of the referral economy itself. While privacy rules were thinning the value of each impression, AI-driven search was thinning the number of impressions. Zero-click search, where a user gets the answer and never leaves the results page, now accounts for roughly 60 percent of Google queries, and on news-related searches Similarweb data puts it at 69 percent in the year after AI Overviews launched. The same analysis found Google search traffic to publishers fell about a third globally in the year to November 2025. Pew Research found that when an AI Overview appears, only 8 percent of users click a traditional result, against 15 percent when it does not, and barely 1 percent click the sources cited inside the answer. Ahrefs measured a 58 percent fall in click-through for top-ranking pages on queries that trigger an Overview. Publishers have been unusually candid about losing 20, 30, in some cases 90 percent of their traffic, and some have already closed.

Now hold those two fronts next to a third structural fact: the money was already concentrating elsewhere. Walled gardens capture 70 to 80 percent of programmatic spend and around 78 percent of global digital ad revenue, a share Statista expects to reach 83 percent by 2027. Yet people spend more than half their online time on the open web - and I have long sinced argued that advertising investments over-value walled gardens and under-value the cheaper and more plentiful attention that still exists in the open web environments, all the more so when you factor new facets of it, from podcasts to TV. Advertisers put only 20 to 30 percent of budget where audiences spend 55 to 60 percent of their attention. The squeeze on premium publishers, in other words, is not a market correcting. It is a market being pushed further out of balance by rules that made the open web harder to monetise at exactly the moment AI made it harder to reach.

That is the backdrop against which the ICO’s letter should be read.

What the ICO actually proposed

The advice concerns regulation 6 of PECR, the rule that requires consent before anything is stored on, or read from, a user’s device for advertising. It is the legal basis for the cookie banner. The ICO’s central argument, set out across its report and cost-benefit analysis, is that regulation 6 applies a single, blunt standard across a vast spectrum of activity, from behavioural profiling that follows an individual across dozens of sites, to a contextual ad that shows a cycling product to someone reading about cycling. Treating those as equivalent, the regulator now says, may be suppressing investment in the lower-risk approaches everyone claims to want.

So the ICO proposes what it calls a first-party framework. Under it, as the legal analysis from Lewis Silkin sets out, a publisher could store and access limited information on a device, without consent, for seven defined purposes:

1. Ad delivery

2. Targeting, in a limited form

3. Measurement and billing

4. Attribution

5. Frequency capping

6. Brand safety

7. Ad fraud prevention and detection

The word doing the heavy lifting is “limited” and probably really ‘too limiting’, and the targeting boundary is where the real thinking lives. Without consent, targeting could draw only on high-level device and platform information such as device type, operating system and browser but not browser version; geolocation abstracted to city or region level; the date and time of day; and contextual information, meaning the content the user is looking at right now mapped to a broad taxonomy like “sports” or “cycling”. Everything that constitutes following a person stays behind the consent wall. ID-based targeting that reaches the same user across sites or devices, demographic and interest-based segmentation, and behavioural profiling of any kind would all still require opt-in. For B2B we’re probably talking context and location together to form some signal

Three things are worth being honest about. First, nothing has changed yet. This is the ICO’s independent advice to support possible secondary legislation under the Data (Use and Access) Act 2025. The existing rules still apply, and will until Parliament acts. Second, the ICO itself is modest about the scale, conceding the approach would not revolutionise the ecosystem and that the benefit would be strongest for the mid- and base-tier publishers most constrained by consent rejection, and close to neutral for the large platforms already swimming in consented data. Third, the review was not a back-room favour to adtech. It ran from January 2025, took in a public call for views, citizen juries and user research, and the user research found that contextual approaches actually align with what people expect and are comfortable with. That last point is the centre of gravity. The regulator is not loosening rules against the public mood. It is arguing that the rules drifted out of step with it.

The category error at the heart of the rules

Here is the thing the trade-press housekeeping framing misses. Regulation 6 was never really a rule about privacy outcomes. It is a rule about a mechanism, the act of writing to or reading from a device, and it is almost completely agnostic about what that act is in service of. Drop a cookie to follow someone across the web and build a behavioural dossier, and you need consent. Read a signal to cap how many times an ad shows so you do not annoy the same reader six times, and you need the same consent. The law taxed surveillance and good housekeeping at an identical rate to the heaviest data enabled targeting possible

That is a category error, and the ICO has effectively just admitted it. Privacy risk is not a property of touching the device. It is a property of what you do with what you learn. Reaching a person you have profiled across the open web is high risk. Showing a relevant ad based on the article in front of them, capping its frequency and checking it is not fraudulent, is not. For most of the last decade we have regulated those as if they were the same act, and then expressed surprise that the privacy-preserving alternatives never got built. They never got built because the rules gave them no advantage. Why invest in contextual when contextual needs consent too, and consent is the scarce resource? if you have consent then you will unleash the full gambit of targeting, and contextual footprint and past behaviour is already priced in (assuming you know what you’re doing with B2B programmatic, and doing it optimally).

This is the part that should make B2B marketers sit up, because B2B has been collateral damage in a war that was largely aimed at consumer surveillance. The privacy regime was designed around the individual data subject, the named person whose behaviour is tracked, profiled and sold. That is a coherent target in a consumer context. It maps very poorly onto how B2B advertising actually works, where the unit that matters is not a person at all. It is an account.

Why B2B has the most to gain

Step back and look at what the B2B audience really is. It is, structurally, anonymous, out-of-market and collective.

Anonymous, because the modern B2B buyer does almost everything before they will identify themselves. Across the research the pattern is remarkably stable: buyers complete somewhere between 60 and 70 percent of their journey before they ever contact a vendor, McKinsey puts two-thirds of the process in digital self-service, and Gartner finds most buyers now prefer a rep-free experience and spend only around 17 percent of their buying time with any potential supplier at all. The dark funnel is not a marketing metaphor. It is the literal majority of the buying journey, conducted anonymously, on exactly the premium open-web content that consent rejection turned dark.

Out-of-market, because of the 95:5 rule drawn from the Ehrenberg-Bass Institute’s work for the LinkedIn B2B Institute: at any given moment up to 95 percent of your potential buyers are not in the market, with perhaps 5 percent active in a given quarter given multi-year purchase cycles. Effective B2B advertising therefore spends most of its life reaching people who will not buy for months or years, building the memory structures that pay off later. That is a reach-and-context game, not a chase-the-individual game.

And collective, because B2B decisions are made by buying groups, not buyers. Estimates of group size have crept up to ten, fifteen or more stakeholders on a serious purchase, with security, finance and operations all running in parallel. Forrester’s work suggests most buyers have effectively chosen a winner before talking to sales, and that the great majority of purchases stall in the process. You cannot win a fifteen-person committee by retargeting one cookie. You win it by being present, in relevant context, across the whole account, for a long time.

Now read that back against the signals the ICO would free up without consent: the content someone is reading, the broad category it sits in, the region they are in, the device they are on, the time of day, plus the ability to cap frequency, measure and attribute. For a consumer brand chasing a named individual, that is a thin gruel, which is exactly why the ICO says it will not revolutionise things for the big platforms. For B2B, it is close to the whole meal. We often are not trying to identify the person. We were trying to reach the right kind of organisation, in the right context, often enough to be remembered, and prove it moved pipeline. The permitted signals map almost perfectly onto the way good B2B media already thinks.

This is the inversion worth sitting with. The exemption looks minor through a consumer lens and transformational through a B2B one, precisely because B2B addressability was already built on context and the account rather than the surveilled individual. The rules squeezed us anyway, because they could not tell the difference.

Which B2B signals could become addressable without consent

Let me get concrete, because this is where strategy lives. Translate the ICO’s permitted signals into B2B terms and you get a usable layer for reaching the anonymous, non-consented majority.

Contextual taxonomy as a proxy for category intent. The content a reader is consuming, mapped to a broad taxonomy, is the single most useful permitted signal for B2B. Someone reading a deep piece on data warehousing, supply chain risk or martech consolidation is signalling category relevance regardless of who they are. Contextual was always the most under-rated B2B tactic. A framework that lets it run on the half of premium audiences who reject consent changes its reach maths entirely.

Region as a proxy for market and footprint. Geolocation abstracted to city or region will not name an account, but it lets you weight toward the markets, territories and economic clusters that matter, the financial districts, the tech corridors, the industrial regions, without touching anyone’s identity.

Device, platform and time as workday context. Device type, operating system and time of day are mundane on their own. In aggregate they describe behaviour that is recognisably professional: desktop and managed-device traffic, in working hours, in business contexts. It is a coarse filter, but coarse filters applied to the right inventory are how B2B reach has always been built efficiently.

Frequency capping across the committee. This one is quietly important. If you are trying to build presence across a ten-person buying group over months, the ability to manage exposure without consent means you can be consistently present without being a nuisance, on the very audience that previously fell out of the addressable pool the moment they opted out.

Measurement and attribution on the dark funnel. Perhaps the most valuable permission of all is the boring-sounding pair, measurement and attribution. The hardest problem in B2B is proving that anonymous, top-of-funnel, out-of-market activity actually built the pipeline that closed two quarters later. Being able to measure and attribute exposure on non-consented inventory, without consent, starts to close the gap between what we know works and what we can show works.

Now the limits, stated plainly so nobody overclaims. None of this reaches a named individual, and it should not pretend to. It does not bring back cross-site identity, person-level retargeting or behavioural segments without consent. It does not directly bless every B2B identity technique. Note in particular that company-level identification by resolving an IP address to an organisation, the engine behind a lot of account-based display and visitor identification, sits in its own legal lane. It typically runs server-side on network metadata under a legitimate-interest basis rather than through device storage, and operates at the organisation level rather than the individual. The ICO’s proposal is not primarily about that, and conflating the two would be sloppy. What the proposal does is validate the underlying principle that account-level and contextual approaches deserve to be treated differently from individual surveillance. That principle is the foundation the whole B2B addressability case rests on.

It is worth saying that activating non-consented, context-and-account inventory through curated deal IDs rather than user-level tracking is not a future hypothetical. It is the daily work for those of us who build B2B media on a signal layer rather than a cookie layer, which is why a re-balancing like this reads less as a workaround and more as the rules finally catching up with where good practice already was.

What this signals about the direction of privacy

The specific exemption matters. What it signals matters more.

For about a decade, privacy regulation has behaved like a ratchet: it only ever tightened. GDPR set the template, ePrivacy enforcement hardened the cookie banner, “Reject all” was forced level with “Accept all”, and the screws kept turning. The United States, long the laggard, has been catching up fast. As of early 2026 around twenty US states have comprehensive privacy laws covering more than half the population, and a dozen now require websites to honour the Global Privacy Control, a browser-level universal opt-out that sits upstream of any consent banner. Enforcement has teeth: reported US privacy penalties reached an estimated 1.4 billion dollars in 2025, and France’s regulator hit Google with a 325 million euro fine the same year. For anyone running addressable advertising at scale, the lived experience of the last decade has been a one-way tightening, the open web getting harder to use, and the programmatic toolkit getting steadily confiscated.

Against that, the ICO’s move is genuinely notable, not because it is large but because it points the other way. It is the first time a serious regulator has framed online advertising privacy as a spectrum of risk to be priced proportionately, rather than a single bright line to be defended ever more aggressively. The framing is the story. The ICO is effectively saying that risk-blind maximalism has costs of its own: it starves the privacy-preserving alternatives, it pushes spend into the very walled gardens that hold the most data, and it can drift away from what the public actually wants, which the citizen-jury work suggests is closer to relevant context than to either surveillance or a barren web.

I would not over-read it. This is one regulator, in one small jurisdiction, acting under an explicit growth mandate, on advice that is not yet law. There are real tensions even within it. As Lewis Silkin notes, the coherence question is awkward: having only just blessed consent-or-pay as a route to gather consent for the most intrusive advertising, the regulator is now carving out a consent-free lane for the least intrusive, and the interaction between the two is not fully mapped. The proposal also leans heavily on first-party structures and quietly raises the stakes on how publishers govern fingerprinting, which is harder to police than cookies precisely because it is harder to see. None of this is settled.

But direction of travel is set by inflection points, not by straight lines, and this looks like one. If the principle holds, that privacy should be regulated by the risk of the outcome rather than the mechanism of the touch, it travels well beyond one regulation. It is the argument that could, in time, distinguish anonymous context and account-level reach from individual surveillance across the whole regime, in the EU’s eventual ePrivacy settlement and in the maturing US frameworks alike. That is the version of privacy reform that B2B should be lobbying for in the open, because it is the version under which addressable B2B marketing is not collateral damage in a consumer fight.

What to do about it now

Three moves, none of which require waiting for legislation.

Build the contextual and account-level layer now, on the assumption that it is about to get materially more reach. The advertisers who already think in terms of context, taxonomy and the account rather than the cookie are the ones positioned to absorb a sudden expansion of addressable non-consented inventory the moment any exemption lands. The ones still wiring everything to user-level identifiers will be re-platforming under time pressure.

Get serious about measuring the anonymous majority. If the most valuable permission in the proposal is measurement and attribution on non-consented inventory, then the teams that already have a credible way to connect anonymous, out-of-market exposure to downstream pipeline will extract far more from it than the teams still counting last-click form fills. The infrastructure to prove dark-funnel impact is the infrastructure that turns this from a compliance footnote into a budget argument.

And engage with the direction, not just the detail. This is a rare moment where the regulatory wind is, briefly, at the industry’s back rather than in its face. The case for proportionate, risk-tiered privacy, privacy that protects people from being surveilled while letting the open web monetise anonymous context, is one B2B is unusually well placed to make, because our entire model already lives on the right side of that line. The worst outcome would be to treat a genuine opening as paperwork.

The audience that rejected your cookie never left. They are still out there, mostly out-of-market, mostly anonymous, doing the long quiet research that decides who makes the shortlist, on the premium open web that has been bleeding out for five years. For the first time in a long time, the rules might be about to let you reach them again, on terms that never required knowing their name in the first place. That is worth more than a compliance memo. It might be the moment the open web stops being something B2B marketers apologise for and starts being the thing they build on.

The B2B Stack is written by Mike Harty, a fifteen-year veteran of B2B programmatic advertising and founder of FunnelFuel.io. FunnelFuel runs B2B media on a raw signal layer rather than a cookie layer, activating context and account-level intent across the open web. If you are rebuilding addressability for the anonymous majority, that is the conversation we have every day.

Sources

• ICO, Our advice to government on potential changes to online advertising rules, 18 May 2026

• Lewis Silkin, ICO advises government on consent-free route for low-risk online advertising, 21 May 2026

• Hunton, UK ICO Recommends Targeted Changes to PECR Rules for Online Advertising, May 2026

• PPC Land, UK’s ICO tells government to cut consent rules for low-risk ads, May 2026

• Press Gazette, More UK news publishers are adopting ‘consent or pay’, August 2025

• ignite.video, 26 Studies on Cookie Banners, Consent Rates, Compliance

• etracker, Cookie consent benchmarks

• Similarweb / BigGo Finance, Google AI search and zero-click, May 2026

• Pew Research via seo-kreativ, Google AI Overviews study, 2025 to 2026

• Ahrefs via ALM Corp, AI Overviews and publisher traffic, February 2026

• AdExchanger, The AI Search Reckoning Is Dismantling Open Web Traffic, January 2026

• Redseer, Walled Gardens vs Open Internet: The $1T Digital Ad Mismatch, 2026

• Statista, Walled gardens vs open internet share of digital ad revenue

• 6sense, When Do B2B Buyers Reach Out to Sales?

• Gartner, 61% of B2B Buyers Prefer a Rep-Free Buying Experience, June 2025

• Summit Partners / Ehrenberg-Bass, The 95:5 Rule, 2026

• Intentsify, How B2B Buying Groups Are Evolving, December 2025

• Leadfeeder, Why IP Targeting Is The Future of B2B Advertising

• Leadinfo, IP tracking and GDPR, December 2025

• O’Melveny, 2026 Data Security and Privacy Compliance Checklist, April 2026

• Secure Privacy, US State Privacy Law Tracker 2026