Regulatory Outlook

Data Law | UK Regulatory Outlook March 2024

Published on 27th Mar 2024

ICO collects views on 'consent or pay' business models in relation to advertising cookies | IAB Europe a 'joint controller' for consent in TCF processing for online advertising | ICO guidance on using biometric data

ICO collects views on 'consent or pay' business models in relation to advertising cookies

The UK Information Commissioner's Office (ICO) has launched a call for views on "consent or pay" business models in relation to the use of advertising cookies, setting out its regulatory approach to the model and providing organisations thinking about adopting it with the factors they need to consider. The consultation closes on 17 April 2024.

"Consent or pay" or "pay or okay" models are where businesses give users a choice of either consenting to their personal information being used for personalised advertising and gaining free access to a website, or refusing consent, paying to access the site and not being tracked.

The call for views sets out the different factors that organisations should think about when assessing whether their model will result in valid consent being given for personalised ads, such as:

  • the power balance between the provider and its users;
  • whether the ad-funded and the paid-for services are equivalent;
  • whether the fee is appropriate; and
  • whether the choices are presented fairly and equally.

The ICO cautions that this call for views sets out its initial thinking on "consent or pay" models and should not be interpreted as confirmation that the approach expressed in the document is legally compliant.

This is an interesting development, suggesting that the ICO is now potentially more receptive to a concept that it has specifically warned businesses (including US-based newspapers) was non-compliant in the past.

IAB Europe a 'joint controller' for consent in TCF processing for online advertising

The Court of Justice of the EU has delivered its judgment in Case C-604/22 IAB Europe v Gegevensbeschermingsautoriteit, stating that IAB Europe is a joint controller in collecting a record of consent to online advertising (but not in relation to subsequent processing by the website and app providers) and providing some (arguably confirmatory) direction on the definition of personal data. As a result, businesses relying on IAB's online advertising framework need to consider (and possibly amend) their policies and user-facing information.

This decision is part of recent EU-level case law demonstrating the broad interpretation of joint controllership under the EU General Data Protection Regulation (GDPR). In this case, IAB Europe's role as a sector organisation providing a framework and setting technical standards was deemed sufficient to find joint controllership, despite the advertising association not itself accessing the personal data in question. This will undoubtedly be persuasive guidance for UK organisations operating both within the advertising sector (where joint controllership, transparency and consent are all hot topics) and also other sectors where joint controllership may arise.

Please see our more detailed Insight on this topic, and Advertising and marketing.

ICO guidance on using biometric data

The ICO has published new guidance on using biometric data. The guidance explains how data protection law applies when organisations use biometric data in biometric recognition systems and applies to users of such systems alongside vendors and developers.

The guidance explains what biometric data is – namely information which:

  • relates to someone’s physical, physiological or behavioural characteristics (such as your voice, fingerprints, or face);
  • has been processed using specific technologies (for example, an audio recording of someone talking is analysed with specific software to detect qualities like tone, pitch, accents and inflections); and
  • can uniquely identify (recognise) the person it relates to.

The ICO guidance then specifies that biometric data should be treated as special category personal data only when it is actually used to uniquely identify someone (for example, a biometric passport is only treated as special category personal data when scanned using biometric readers to identify an individual) and a scanned copy kept on file (for example, for "know your customer" (KYC) purposes) will not necessarily be special category personal data. This is important due to the additional restrictions around handling special category personal data in the UK.

This guidance is likely to be of wide interest, especially for employers looking to use biometric recognition systems to allow their employees access to facilities or to track attendance, which has always been a complex area. Often, the only practical lawful basis for using such systems under UK GDPR is consent.

The guidance stresses the importance of offering employees genuine choice if employers are relying on their consent as their lawful basis (for instance, by offering another means of access such as a PIN or password). It also gives useful practical tips on how to comply with UK GDPR principles when using biometric data, such as how to comply with the accuracy and transparency requirements.

EDPB launches coordinated enforcement framework on the right of access

The European Data Protection Board (EDPB) has launched its Coordinated Enforcement Framework (CEF) action for 2024, focusing on the implementation of the right of access. During the year, 31 Data Protection Authorities (DPAs) across the European Economic Area will take part in the initiative, which aims to enhance cooperation among DPAs.

Last year, the EDPB adopted guidelines on the right of access to help organisations comply with the requirements outlined in the GDPR when responding to data access requests. The CEF aims to assess the level of compliance with the guidelines. Participating DPAs will implement the framework by:

  • sending out questionnaires to organisations;
  • commencing formal investigations if necessary; and/or
  • following up ongoing investigations.

Although the relevant guidelines are EU level, it will be interesting for both UK and EU businesses to consider how their own internal policies and procedures in relation to data subject access requests measure up against the organisations being investigated.

UK ICO launches second consultation on generative AI

See AI section 


Regulatory law affects all businesses.

Osborne Clarke’s updated Regulatory Outlook provides you with high level summaries of important forthcoming regulatory developments to help in-house lawyers, compliance professionals and directors navigate the fast-moving business compliance landscape in the UK.

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
