On February 28, 2024, the UK’s Information Commissioner (commissioner) confirmed that the regulator’s focus areas in 2024 will include artificial intelligence (AI), cookies, biometrics, and children’s privacy.
Focus Areas
- AI. AI will be a major focus of the Information Commissioner’s Office’s (ICO) work in 2024. The commissioner stated that the ICO is exploring how data protection law applies to emerging AI models. For instance, the ICO recently launched two chapters in a consultation on generative AI and data protection. The first chapter examines the lawful bases used for web scraping to train generative AI models. The second chapter looks at how the purpose limitation principle should be applied at different stages of the AI lifecycle. Future chapters of the consultation will outline compliance with other areas of data protection law, such as the accuracy principle, accountability and controllership. The ICO’s approach to AI derives from the UK Government’s AI White Paper, which sets out how UK regulators will apply cross-sectoral principles to regulate AI.
- Cookies. The ICO’s work on advertising technology and cookie rules has been a focus in recent years, and 2024 will be no different. In 2023, the ICO assessed the cookie banners of the top 100 websites in the UK and sent enforcement notices to those that were deemed to be noncompliant. The commissioner announced that the ICO plans to use automated tools at scale to check other websites for cookie compliance. He stressed that it must be as easy to reject all nonessential cookies in a cookie banner as it is to accept them. Potential penalties for noncompliance with the UK’s cookie rules will increase if the Data Protection and Digital Information (No. 2) Bill (the DPDI Bill) is enacted, as is expected later in 2024, such that companies could be fined up to £17.5m, or up to four percent of annual worldwide turnover. On March 6, 2024, the ICO launched a consultation on “consent or pay” business models. These models give people the choice to access online services for free if they consent to the processing of their personal data for personalized advertising or, if they refuse this consent, to pay to access the service. The consultation closes on April 17, 2024.
- Biometrics. The use of biometric technology will also be one of the ICO’s focus areas in 2024. The commissioner noted this is an area of developing interest and discussed its recent enforcement action against a company which used biometrics to record workers’ attendance. As the company did not offer workers a clear alternative, the ICO found the processing was unlawful and ordered the company to stop all processing of workers’ biometric data. The ICO also recently published guidance on biometrics and data protection, which companies should consider if they are planning to deploy biometric technology.
- Children’s privacy. The commissioner announced that children’s privacy will form a large part of the work of the ICO in 2024. The ICO has focused on children’s privacy in recent years, in particular since the adoption of the ICO’s Age Appropriate Design Code (AADC) in 2020. The AADC outlines how providers of online services should set data protection safeguards to protect children who access their service. The ICO recently published an updated Opinion on age assurance for the AADC, which discusses how providers of online services can implement age assurance on their services in a way that protects children’s privacy. The protection of children online is also an area of focus given the recently enacted Online Safety Act 2023 (OSA), which introduces obligations for companies to protect children from certain harmful online content. The ICO will collaborate with Ofcom, the UK’s online safety regulator, as obligations under the OSA come into force.
Next Steps
Companies should determine if their activities involve the ICO’s enforcement focus areas and exercise caution when offering goods or services in the UK since the risk of an enforcement action is high. Companies should also clearly map processing activities to identify compliance gaps that need to be addressed, with careful consideration given to the ICO’s priority enforcement areas.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex digital regulation and privacy compliance in the UK and EU. For more information, please contact Cédric Burton, Laura De Boel, Yann Padova, Nikolaos Theodorakis, or Tom Evans.
Laura Brodahl and Matthew Nuding contributed to the preparation of this blog post.