ANALYSIS

Is Your Telecom Operator a Data Broker? Running the Framework on Utiq

Four of Europe's largest telecoms operators, Deutsche Telekom, Orange, Telefónica and Vodafone, jointly own an advertising-technology company called Utiq. It generates a marketing identifier from your internet connection, the one your mobile or broadband operator gives you, and offers it to websites and advertisers as a replacement for the third-party cookie. By mid-2026 it reached more than 55 million people across six European markets. On 1 June 2026 its telco identity signals were integrated into The Trade Desk, one of the largest advertising platforms in the world.

Utiq describes what it does as "responsible" advertising built on "authentic consent". That framing deserves examination rather than acceptance. In our guide to identifying a data broker in the EU we set out the framework an EDPB study built for exactly this purpose: deciding whether a company is brokering personal data based on what it does, not what it calls itself. Utiq is a good test case. To run it, you first need to see clearly what a cookie does, what Utiq does instead, and where the two differ.

A cookie is a small text file a website stores in your browser. A first-party cookie is set by the site you are visiting and does ordinary things: keeps you logged in, remembers your cart. A third-party cookie is the tracking kind. It is set not by the site you are on but by another domain embedded in the page, usually an advertising network whose code appears on thousands of sites.

Because that same network is present across many sites, it reads its own cookie back on each one. That is how a profile is stitched together: the network sees you on a news site, a retailer, a forum, and links those visits through the shared identifier in the cookie. The mechanism is entirely browser-side. The file sits in your browser, you can see it in developer tools, you can delete it by clearing your browsing data, and you can block it. Safari and Firefox already block third-party cookies by default. The identifier is scoped to a single browser on a single device, so switch to another browser, or another phone, and the cookie does not follow you.

A third-party cookie, in other words, is something you hold and can drop.

What Utiq does instead

Utiq moves the identifier off your device and onto the network. Instead of a file in your browser, the identifier is generated by your telecoms operator from your internet connection, using the IP address the operator assigns you. Utiq calls the result a "telco-powered first-party identifier" and the consent mechanism behind it "authentic consent". When you visit a participating website and agree to the prompt, the operator confirms your connection and a pseudonymous identifier is released to that site.

Three technical consequences follow. They are the whole story.

It is tied to the connection, not the browser. Because the identifier comes from your operator-assigned line rather than a browser file, it works the same in every browser on that connection. Clearing cookies does nothing to it. There is no file in the page to delete.

It is connection-wide, which in practice means household-wide. Anyone using the same internet connection is treated as the same subscriber for these purposes, and shares the same consent state. One person's choice at the router covers everyone behind it.

It is deterministic. A cookie is a disposable token you can reset; the Utiq identifier is anchored to a real, billed telecoms subscription. It does not degrade or rotate away in the manner of the tracking it replaces. Browser tracker-blockers largely do not reach it either, because it is not delivered the way in-page scripts are. To remove it you go to Utiq's consent portal, "consenthub", and withdraw. The withdrawal holds for around a year and the portal is protected by a CAPTCHA.

Set the two mechanisms next to each other and the shift is easy to read.

Third-party cookieUtiq identifier
Where it livesA file in your browserYour operator's network, tied to the connection
What creates itThe tracking domain writes itYour telecoms operator generates it from your IP/connection
ScopeOne browser, one deviceThe whole connection, every device and person on it
How you remove itClear your browsing dataWithdraw at Utiq's consenthub (holds ~1 year)
How you block itBrowser settings, tracker blockers, Safari/Firefox by defaultBlockers largely do not reach it; consent is the only gate
Nature of the IDDisposable, resettableDeterministic, anchored to a billed subscription
ConsentOften bundled into a cookie bannerExplicit opt-in required before the identifier is generated

Read down the two columns and the equation resolves in one direction. The cookie is a token you hold on your own device and can throw away at will. The Utiq identifier moves that token to your operator, spreads it across your whole connection, ties it to your actual subscription, and puts a consent portal between you and its removal. Utiq's answer to that shift is the one genuine improvement in the design: it must be switched on by explicit consent, where cookie tracking often was not. The question is whether that improvement settles the matter.

Applying the data-broker framework to Utiq

The EDPB study's framework judges a company on five behaviours: it collects personal data from multiple sources, processes it into profiles, monetises it, operates without meaningful individual control, and handles personal data as defined by the GDPR. Run Utiq through them, on the public facts.

It handles personal data. A pseudonymous identifier tied to an identifiable subscriber is personal data; the Court of Justice has already held that adtech consent strings of this kind are personal data.

It monetises. Utiq is an advertising business jointly owned by four operators and funded to sell identity signals to advertisers and publishers. That is its purpose.

It combines sources. The point of a shared, deterministic identity layer is to let publishers and advertising platforms join their separate observations of you into one profile. Utiq supplies the join key rather than the profile, but combination across sources is the function it exists to enable.

The remaining two criteria are where Utiq's design speaks back to the framework. On profiling, Utiq provides the identifier and its partners build the profiles, so it enables the processing more than it performs it. On individual control, Utiq's entire pitch is that control exists: nothing happens without opt-in, and you can withdraw. That is a real difference from silent cookie tracking, and it matters.

But notice what it does to the classification rather than removing it. The EDPB typology has a specific category for exactly this shape: a "data broker with user control". The study still ranks that category high-risk, because it still involves individual-level data combined across sources; the consent simply names the type. On the framework's own terms, Utiq reads as telco-operated identity brokerage of the consented variety, sitting alongside the study's "data pool" type where companies collaborate to share and combine data. The consent model places Utiq in a box. It does not put it outside the diagram.

The same framework that classifies an advertising identifier will classify the dozens of brokers and providers holding records on you. Knowing which they are is the work before any removal.

Talk to an Analyst

So, is this privacy-respecting? The honest answer is that "consent" is carrying more weight than it can bear.

Consent under the GDPR has to be freely given, specific, informed and, for something like tracking, genuinely optional. Two things strain that here. First, whether advertising identity generated at the network layer can be justified at all is unsettled: it is difficult to argue that behavioural tracking is necessary to provide you with internet access, and as of June 2026 France's regulator, the CNIL, had not published a position on Utiq. Second, consent tied to a connection is blunt. A single agreement at the household level binds everyone behind the router, including people who never saw the prompt.

Set against that, Utiq is more consent-forward than the cookie ecosystem it wants to replace, and it is not doing anything hidden. Both things are true at once. It is a more transparent design that also concentrates a durable, deterministic identifier where you have less direct technical control over it and more dependence on a portal to switch it off. Whether you call that privacy-respecting depends on whether you read "respect" as asking permission, or as leaving the identifier in your hands. The framework does not answer that for you. It just makes sure the question is asked with the mechanics in view.

How to opt out of Utiq

If you would rather your connection did not carry the identifier, opting out is free and takes a minute. Go to consenthub.utiq.com, review the consent status for your connection, and withdraw. Because the setting is connection-wide, doing it once covers every device in the household on that line, and the withdrawal holds for around a year before you may be asked again. You do not need any of our services to do this, and you should not pay anyone to do it for you.

One identifier is not the whole picture

Utiq is a single, visible example of a pattern that runs much wider. The same behavioural test that places a telco identifier in the typology places the data brokers, people-search platforms and enrichment providers that hold records on you. Switching off one identifier does nothing about the rest, and most of them are not as easy to find or as willing to offer a withdrawal button.

That mapping is the work we do. The Mirror identifies and classifies which brokers and providers actually hold data on you; where you want those records removed, the Eraser handles the removal across the ecosystem. Utiq you can switch off yourself. For everything behind it, the first step is knowing it is there.

Data brokers and telco tracking: common questions

Is Utiq spyware or a hidden tracker?

No. Utiq requires explicit opt-in before its identifier is generated, and it operates openly with a public consent portal. The concern is not that it is hidden; it is that the identifier lives at the network layer, spans your whole connection, and is harder to remove than a cookie.

How is Utiq different from a cookie?

A third-party cookie is a file in your browser that you can see, delete and block, scoped to one browser on one device. Utiq's identifier is generated by your telecoms operator from your internet connection, works across every browser and device on that connection, and can only be switched off through Utiq's consent portal.

Is Utiq a data broker?

Utiq presents itself as a privacy-focused alternative to cookies rather than a data broker. Applying the EDPB data-broker framework, it reads as telco-operated identity brokerage of the consented type: it handles personal data, monetises it, and exists to let others combine data across sources, with user consent as the distinguishing feature.

How do I opt out of Utiq?

Go to consenthub.utiq.com and withdraw consent for your connection. It is free, it covers every device on that connection, and the withdrawal holds for around a year.

Sources

  • Utiq company materials and consent portal (this-is-utiq; consenthub.utiq.com), accessed July 2026.
  • The Drum, "Utiq reaches over 55M people across Europe with its consented, deterministic identifier" (2026).
  • PPC Land, "The Trade Desk integrates Utiq's telco identity signals across EMEA" (1 June 2026).
  • European Data Protection Board, Support Pool of Experts, Data Brokers Market Study (d'Hauwers, 2025): the framework applied here, set out in our guide to identifying a data broker in the EU.
  • Court of Justice of the EU, IAB Europe (C-604/22, 2024): adtech consent strings are personal data.

Share this briefing

If this was useful, sharing it helps others protect themselves. It also helps keep the intelligence briefings free.