For years, advertisers have relied on third-party cookies (small text files that are stored on your browser when you visit websites) to track your behavior across different websites, so they can serve you with ever more personalized ads. The problem for advertisers is that even deeply non tech-savvy people are increasingly aware of cookies and are taking steps to actively block them.
Utiq is a fairly new (2023) advertising technology company, jointly founded by four of Europe’s most powerful telecoms companies: Deutsche Telekom, Orange, Telefónica, and Vodafone. Leveraging their combined power, Utiq aims to replace cookies with something that it claims will “give consumers real control and choice over their privacy, whilst facilitating more relevant digital marketing experiences”.
By June 2025, Utiq claimed(jendela baru) 26 telecom operator partners (many of whom are smaller companies who lease connections from “the big four”), and more than 55 million unique ConsentPass tokens (see below) across Europe. Utiq now operates in Germany, Austria, Spain, France, the UK, and Italy.
How does Utiq work?
Instead of using cookies to track and profile you across different websites so that you can be served with ever more personalized ads, Utiq works at the ISP level. Here’s how it works:
1. You visit a participating website
If your IP address also belongs to a participating ISP (including your mobile provider), the site displays a clear consent banner asking if you agree to be identified via your network connection. If you’re not on a participating operator’s network, Utiq won’t be activated at all.
If you click Accept, Utiq sends a secure request to your ISP or mobile provider.
2. Your ISP generates a “ConsentPass” token
Your provider matches your connection (often using your phone number or broadband account ID as the seed) to generate a unique, random, anonymized token called a ConsentPass.
- This token proves that you (or specifically, your device on this connection) have given consent
- Crucially, it doesn’t reveal who you are, only that you are an anonymous user who opted in
3. The ConsentPass is shared with Utiq
From the ConsentPass token, Utiq generates two additional encrypted tokens:
- MartechPass: Sent to advertisers and publishers. This allows them to recognize you as a consenting user across different websites without seeing your personal identity. They can use this for personalized ads or content, but they cannot link it back to your real-world identity.
- AdtechPass: Used for measuring ad performance (e.g., did an ad lead to a sale?) without tracking your browsing history across the entire web.
4. User Control
A key selling point of Utiq is that you maintain control over who can track you. In addition to consent being required when you first visit a website, you can visit the Utiq ConsentHub(jendela baru) (a dedicated portal) at any time to see which companies have received your tokens.
From there, you can easily withdraw consent. Once withdrawn, your tokens are invalidated, and participating advertisers and websites must stop using them.
What Utiq means for your privacy
Thanks to the need for explicit consent to be given, and the ability to withdraw consent at any time, Utiq is keen to promote itself as a as “privacy-by-design” solution that balances the needs of advertisers with the privacy needs of internet users.
It also claims GDPR(jendela baru) compliance and presents itself as a European alternative to US adtech giants. However, privacy advocates are skeptical.
Utiq is potentially worse than cookies
A peer-reviewed paper(jendela baru) by researchers at the Universitat Politècnica de Catalunya concluded that ConsentPass tokens were functionally similar to third-party cookies aimed at identifying internet users consistently over time.
Critically, the researchers found that Utiq may actually be more intrusive than regular cookies, because the tokens are based on completely unique parameters, and cannot be cleared the way browser cookies can.
Also deeply concerning is its finding that 100% of the 10,000 websites it surveyed that used Utiq also used more intrusive tracking methods alongside it, including fingerprinting(jendela baru). The researchers concluded that Utiq doesn’t represent a genuine privacy improvement over third-party cookies, as its simply being added to the arsenal of tracking technologies used by websites, not replacing them.
Your phone number is used
A great deal has been made of the fact that your phone number is used as the cryptographic “seed” for your ConsentPass token. However, your phone number itself is never revealed to the websites, ad networks, or data brokers.
There is a potential risk that if Utiq’s hashing algorithm was ever compromised, or if a carrier leaks the mapping table between your phone number and ConsentPass, then every advertiser in possession of your tokens could link your online activity back to your real phone number.
To help counter this threat, Utiq uses cryptographic salt(jendela baru) in its one-way hashing technique that’s only known to Utiq and the carrier. In theory, this makes reversing the process to reveal your phone number impossible without the collusion of both parties. However, a state actor with legal authority over both Utiq and a carrier could force the “collusion” of both parties with a simple court order.
Dark patterns
A probably greater concern for most is that many people will blithely click through the consent dialog without giving it much thought (as is common for cookie consent requests). This problem is compounded by the fact that while the ConsentHub portal exists, few people know about it, let alone check it regularly.
Can a VPN help? How to deactivate Utiq
Yes. The Utiq consent dialog is only activated if your IP address belongs to an Utiq partner. A virtual private network (VPN) hides your real IP address so that the website only sees the IP address of the VPN server. Not your real IP address.
So even if you are a partner provider customer, the consent dialog simply won’t activate. And since consent is never assumed, this Utiq will never be activated as lonf as you’re using a VPN.
Should you be worried about Utiq?
Utiq presents itself as a privacy improvement on cookies. And in narrow technical terms, such as the need for explicit consent, a dedicated opt-out portal, and no direct sharing of personal data, it succeeds. But its still a technology developed in the interest of advertisers, rather than out of a genuine desire to protect ordinary internet users.
The reality is that Utiq is a tracking system built deeper into the infrastructure of the internet than cookies ever were, operated by companies that already hold more data about you than any advertiser. This data is tied to your real-world identity via your phone number. The practical reality is also that its being used by websites to supplement more traditional tracking methods, rather than replace them.
The good news is that a VPN is a very effective countermeasure. Far more effective, in fact, than traditional anti-tracking tactics such as blocking third-party cookies and using browser extensions to block DNS queries to advertising domains.
For now, Utiq is only of concern to Europeans. But the underlying technology has no inherent geographic limits, so success in Europe will likely lead to more global adoption.
