Legal Guidelines for Digital Advertising in the UK

By /

Digital Advertising Law in the UK: A Practical Legal Guide

Published by Legal Foundations. Last reviewed: March 2026.

Digital advertising in the UK is governed by an overlapping patchwork of regulation: the ASA’s CAP Code, UK GDPR and PECR, the Consumer Protection from Unfair Trading Regulations 2008, the Trade Marks Act 1994, and sector-specific rules from the FCA, the Gambling Commission, and the MHRA. Compliance is not optional, and the consequences of getting it wrong range from ASA adjudications that damage brand credibility to ICO fines of up to 4% of global annual turnover.

This guide maps out the key legal requirements for digital advertising in the UK, covering PPC, display, programmatic, native advertising, and influencer campaigns.

The ASA, the CAP Code, and the BCAP Code

Non-broadcast digital advertising: CAP Code

The Committee of Advertising Practice (CAP) Code governs all non-broadcast advertising, including websites, search engine advertisements, banner ads, email marketing, social media, and influencer content. The Advertising Standards Authority (ASA) administers and enforces the Code.

Key principles:

  • Rule 2.1: Marketing communications must be obviously identifiable as advertising. Paid-for content that appears editorial must be labelled (see Native Advertising section below).
  • Rule 3.1: Marketing communications must be legal, decent, honest, and truthful.
  • Rule 3.3: Marketing communications must not materially mislead by omission, ambiguity, or exaggeration of claims.
  • Rule 3.7: Advertisers must hold evidence to support objective claims before making them. This is critical for product claims — “clinically proven,” “number one brand,” and similar superlatives require substantiation.

The ASA can require removal of non-compliant ads and publish its rulings on its website. While the ASA has no power to impose financial fines, non-compliance with ASA rulings can be referred to Trading Standards or the CMA for statutory enforcement.

Broadcast advertising: BCAP Code

The Broadcast Committee of Advertising Practice (BCAP) Code applies to television and radio commercials. Ofcom can sanction broadcasters who air non-compliant ads and has powers to fine licensees. Where a brand’s digital campaign also includes TV or radio elements, both Codes apply to the relevant formats.

ICO, UK GDPR, and PECR: Cookie Consent and Ad Tracking

UK Digital Advertising Legal Guidelines

Why cookies matter for digital advertising

The entire programmatic advertising ecosystem depends on cookies and tracking pixels to identify users, build profiles, and serve targeted ads. This processing requires compliance with both UK GDPR (lawful basis for processing personal data) and the Privacy and Electronic Communications Regulations 2003 (PECR, which implements the EU’s ePrivacy Directive in UK law).

PECR requirements

PECR Regulation 6 prohibits storing or accessing information on a user’s device (including cookies) without:

  1. Clear and comprehensive information about the purposes of the cookie; and
  2. The user’s consent

The consent standard under PECR is the UK GDPR standard: freely given, specific, informed, and unambiguous (an affirmative act). Pre-ticked boxes, “consent by continuing to browse,” and consent buried in terms and conditions do not satisfy the standard.

The ICO has been actively enforcing cookie consent requirements. In 2023 it issued enforcement notices to several large UK websites and gave the adtech sector formal notice that real-time bidding (RTB) and cookie-based profiling must comply with UK GDPR and PECR. The ICO’s cookie guidance is clear: consent must be obtained before any non-essential cookie fires.

UK GDPR requirements

Where advertising cookies or pixels collect personal data (and they almost always do — an IP address is personal data under UK GDPR), the data controller must have a lawful basis for processing. For behavioural advertising, consent is the only appropriate lawful basis — the ICO has confirmed that legitimate interests cannot generally be used to justify processing personal data for third-party behavioural advertising purposes.

Cookie audit and consent management platform (CMP) implementation is not a technical nicety — it is a legal requirement. An ICO investigation into a website’s cookie practices can lead to enforcement action where the cookie consent mechanism does not function correctly or where non-essential cookies fire on page load without consent.

Misleading Advertising: Consumer Protection from Unfair Trading Regulations 2008

The Consumer Protection from Unfair Trading Regulations 2008 (CPR 2008) implement the Unfair Commercial Practices Directive in UK law. They prohibit misleading actions, misleading omissions, aggressive practices, and specific “blacklisted” practices.

For digital advertising, the most relevant provisions are:

Misleading action (Regulation 5): A commercial practice is misleading if it contains false information or is likely to deceive an average consumer about the nature, existence, attributes, or price of a product, and causes or is likely to cause the average consumer to make a transactional decision they would not otherwise have made.

Misleading omission (Regulation 6): Omitting material information that the average consumer needs to make an informed decision is a misleading omission. “Material information” in the context of a commercial offer includes the price, the main characteristics of the product, and the identity of the trader.

Breaches of the CPR 2008 are criminal offences prosecuted by Trading Standards. They also give rise to civil claims by consumers under the Consumer Protection (Amendment) Regulations 2014. The Competition and Markets Authority (CMA) has powers to seek injunctions under the Enterprise Act 2002 for systemic CPR breaches.

Price Advertising Rules

“Was/now” pricing (e.g., “Was £99, now £49”) is subject to specific rules. Under the CPR 2008 and the Pricing Practices Guide (now consolidated into the CMA’s Guidance for Traders on Pricing Practices), a reference price must represent the genuine higher price at which the product was sold for a meaningful period before the discount. The CMA has taken enforcement action against retailers making misleading discount claims online — notably its investigations into mattress and sofa retailers.

For online sales, the price displayed at the top of the funnel must be the total price payable, including VAT and any mandatory charges. Drip pricing — where mandatory charges are added at the checkout stage — is a misleading commercial practice.

Financial Promotions: FCA Regulation

If a digital advertisement promotes an investment, a loan, insurance, a mortgage, a payment service, or any other FCA-regulated financial product or service, it is a “financial promotion” under s.21 of the Financial Services and Markets Act 2000 (FSMA 2000). Financial promotions must be:

  • Communicated by an FCA-authorised firm; or
  • Approved by an FCA-authorised firm before communication

Communicating an unapproved financial promotion is a criminal offence under s.25 FSMA 2000 and can result in prosecution, fines, and imprisonment. The FCA has specifically targeted cryptocurrency promotions — from October 2023, all UK-targeted crypto ads must be communicated or approved by an FCA-authorised firm.

Financial promotions must also be “fair, clear, and not misleading” (FCA Principle 7 and COBS 4). Risk warnings are mandatory for investments, credit products, and other regulated instruments. The FCA’s Financial Promotions sourcebook (COBS 4) contains detailed requirements by product type.

Even platforms that carry financial promotions are at risk — the FCA has warned that platforms hosting unapproved promotions (including social media platforms) may themselves be liable.

Programmatic Advertising and Brand Safety

Programmatic advertising — automated, algorithmic buying and selling of display advertising inventory in real-time — creates brand safety and legal risks that manual ad placements do not.

Brand safety: An advertiser whose ads appear alongside illegal, extremist, or deeply offensive content suffers reputational damage. While this is primarily a commercial concern, it can become a legal one where the advertiser’s presence alongside illegal content (such as CSAM or terrorist material) is used to argue they should have known about and acted on the content.

Ad fraud: Click fraud and impression fraud in programmatic advertising may constitute fraud under the Fraud Act 2006 where perpetrated deliberately. Advertisers who discover they have paid for fraudulent inventory can seek to recover payments from the intermediary chain and should review their contracts for warranties against traffic fraud.

GDPR compliance in RTB: The real-time bidding (RTB) process involves sharing user data across numerous parties in a matter of milliseconds. The IAB’s Transparency and Consent Framework (TCF) was designed to facilitate GDPR compliance in programmatic advertising, but the ICO has found that the TCF alone does not ensure GDPR compliance. Brands using programmatic channels should review their supply chain contracts and demand contractual guarantees of GDPR compliance from their DSPs (Demand Side Platforms) and SSPs.

Comparative Advertising

Comparative advertising — advertising that refers explicitly to a competitor’s trade mark, product name, or service — is permitted under the Trade Marks Act 1994, s.10(6), provided the comparison:

  1. Is not misleading
  2. Compares products meeting the same needs or intended for the same purpose
  3. Objectively compares material, relevant, verifiable, and representative features
  4. Does not create confusion between the advertiser and a competitor
  5. Does not discredit or denigrate a competitor’s trade mark
  6. Does not present the competitor’s product as a replica or imitation

The conditions mirror the Comparative Advertising Directive (2006/114/EC), which remains part of UK law post-Brexit via the Business Protection from Misleading Marketing Regulations 2008.

A comparison that technically refers to a competitor’s trade mark but which is misleading or denigrating is an infringement under s.10(6) TMA 1994 and also a breach of the CPR 2008 and the CAP Code. The ASA has upheld complaints against comparative advertising that misrepresents a competitor’s pricing or features.

Targeting Vulnerable Consumers

Both the ASA and the FCA have specific guidance on advertising to vulnerable consumers. The FCA’s Consumer Duty (effective July 2023) requires FCA-authorised firms to avoid causing foreseeable harm to customers, including through their advertising and marketing. Advertising financial products to consumers who are clearly susceptible to harm — because of mental health issues, financial difficulty, or impulsive behaviour patterns — can breach the Consumer Duty.

The ASA’s CAP Code rules on gambling advertising, food advertising to children, and health products all contain vulnerability-specific requirements. Advertisers using detailed demographic targeting capabilities of social media platforms and programmatic channels must take care not to target groups who are characteristically vulnerable to the product being advertised. Retargeting visitors to debt help websites with high-cost credit ads, for example, would attract regulatory scrutiny.

Native Advertising and Advertorials

“Native advertising” — paid content designed to look like editorial — is one of the most consistently problematic areas in digital advertising compliance. The CAP Code’s Rule 2.1 (ads must be obviously identifiable) applies with full force. The ASA’s guidance is clear:

  • Advertorial content on third-party websites must be clearly labelled as “advertorial,” “sponsored content,” or “advertisement feature”
  • The label must appear before the content is engaged with — at the top of the article, not in small print at the bottom
  • The label must be prominent enough that a typical reader will notice it before reading the content

Native advertising that blurs the line between paid promotion and genuine editorial is a breach of the CAP Code, the CPR 2008, and potentially the Business Protection from Misleading Marketing Regulations 2008.

PPC Advertising: Legal Requirements for Search Campaigns

Pay-per-click advertising on Google, Microsoft Bing, and other search platforms is subject to both platform policies and the CAP Code. Specific legal considerations include:

Trade mark bidding: Bidding on a competitor’s registered trade mark as a keyword is not automatically unlawful under the Trade Marks Act 1994 — the Court of Justice (before Brexit) and UK courts have confirmed that using a competitor’s mark as a keyword may not constitute “use in the course of trade” if the resulting ad does not suggest a commercial connection with the trade mark owner. However, using a competitor’s mark in the ad copy itself — in the headline or description — is more likely to constitute infringement. Each case turns on whether there is likelihood of confusion.

Ad copy claims: All claims in PPC ad copy — whether about price, quality, or features — must be substantiated (CAP Code Rule 3.7) and must not be misleading (CPR 2008). Google and Microsoft have their own advertising policies that overlap with UK law requirements, but compliance with platform policies does not guarantee compliance with law.

Automated bidding and responsibility: Where brands use automated campaign tools or third-party agencies to manage PPC, they remain legally responsible for the ads displayed. Delegating campaign management to an agency does not transfer the brand’s liability to the ASA or Trading Standards. Agency agreements should include warranties that campaigns will comply with applicable law and regulatory codes.

Affiliate Marketing and Disclosure

Affiliate marketing — where publishers earn commission by linking to products and driving sales — is regulated in the same way as any other advertising. Where an affiliate link generates commission, the content containing the link must be labelled as commercial in nature. “#ad,” “affiliate link,” or equivalent must appear at the start of relevant content.

The ASA has confirmed that a general disclaimer on a website’s “about” page or in a footer is insufficient — disclosure must be in-context, adjacent to the commercial content.

For a full treatment of UK affiliate marketing law, see our dedicated guide below.

Further Reading

Free Templates & Documents

Scroll to Top