There is a particular kind of marketing that tells you what it is by insisting on what it isn't. Utiq does it in one sentence: a deterministic identifier built "without the need for third-party cookies, fingerprinting or other probabilistic techniques."
Read it again. A system that recognizes you across devices, sold by reassuring you it isn't the thing it functionally resembles.
Utiq has surpassed 55 million consentpasses across Germany, Austria, France and Spain, with 26 telco partners feeding the network.
That is not a startup. That is infrastructure.
What it actually does
Utiq generates an identifier from your IP address plus a contract reference held by your telecom operator. The operator creates the signal, Utiq turns it into a marketing identifier, the publisher recognizes you. In September 2025 it moved into TV through a deal with Visoon, and it has extended from mobile into fixed-line and home Wi-Fi signals through carriers like Virgin Media O2 and Vodafone in the UK.
So the recognition no longer lives in your browser. It lives in the network. Clear your cookies, switch browsers, use a fresh device on the same home connection, and the link can survive all of it. That is precisely the property the cookie never had, sold to you as an upgrade.
The technical claim is true: this is not a cookie, and it is not statistical fingerprinting. It is something more stable than both. The connection is the identity.
Where the word "consent" carries the weight
Utiq's entire legal defense rests on consent. Off by default, single-click withdrawal, a consent portal. On paper this is the textbook answer to ePrivacy and GDPR.
The problem is the kind of consent. The European framework says consent must be freely given, specific, informed and unambiguous. "Freely given" is the load-bearing phrase, and it is exactly where network-level identity gets uncomfortable. Consent is not free when the realistic alternative is degraded access or no service. The cookie banner taught the industry that if you make refusal annoying enough, people click yes. Move that mechanism into the carrier layer and the asymmetry only grows, because most users have no idea their operator can mint a marketing ID from their contract.
ePrivacy does not care that there is no cookie. If the function is equivalent to a cookie, recognizing a terminal or connection for advertising, the protection follows the substance, not the format. You do not escape the rulebook by changing the storage location.
Why this matters for your business
If you are a publisher or a brand being pitched Utiq, the appeal is obvious: addressability that survives the death of the cookie, on real authenticated audiences. The risk is just as real and less discussed.
Your telecom operator is not a neutral technical supplier here. It is running a processing operation with its own purpose, which means its own legal basis, its own transparency duty, its own exposure. The 2025 enforcement record should focus the mind: the French CNIL fined SHEIN €150 million and Google €325 million over consent mechanics in a single day. Regulators are no longer auditing the technology. They are auditing the honesty of the yes.
The honest description of Utiq is post-cookie tracking that lives in the network rather than the browser. It can be lawful. It can even be done well, with granular consent and a real alternative. But the scrutiny has to be high, because the recognition is deterministic, persistent, and built on infrastructure most people never agreed to think about.
A fingerprint that signs its own name "privacy" is still a fingerprint. The signature is the part worth reading closely.
— Pan