Privacy Matters (https://privacymatters.dlapiper.com/category/eprivacy/): DLA Piper's Global Privacy and Data Protection Resource

UK: Google’s U-Turn on Device Fingerprinting: ICO’s Response and Subsequent Guidance
https://privacymatters.dlapiper.com/2025/01/googles-u-turn-on-device-fingerprinting-icos-response-and-subsequent-guidance/
Thu, 30 Jan 2025

In December 2024, the Information Commissioner’s Office (ICO) responded to Google’s decision to lift its prohibition on device fingerprinting (the collection and combination of information about a device’s software and hardware for the purpose of identifying that device) for organisations using its advertising products, effective from 16 February 2025 (see an overview of Google’s new Ads Platforms policies here). This follows Google’s earlier decision, in July 2024, to retain third-party cookies.

In its response, the ICO criticised Google’s decision to permit device fingerprinting for advertising purposes as “irresponsible” and emphasised that device fingerprinting:

  1. Requires consent: device fingerprinting enables a device to be identified even where cookies are blocked or its location is disguised (hence its common use for fraud prevention), but the ICO reinforced that it remains subject to the usual consent requirements.
  2. Reduces user control: despite various browsers now offering “enhanced” tracking protection, the ICO stated that device fingerprinting is not a fair means of tracking users online, as it diminishes people’s choice and control over how their information is collected.

This statement echoes concerns previously voiced by Google itself, which had stated that device fingerprinting “subverts user choice and is wrong”.

With the potential for fingerprinting to replace the long-debated third-party (3P) cookie functionality, this statement forms part of a shift in regulatory focus to technologies beyond cookies. Various technologies have recently received greater scrutiny, both in the ICO’s Draft Guidance on the use of storage and access technologies (“ICO’s Draft Guidance”), interestingly issued in December 2024 to coincide with the Google update, and in the European Data Protection Board (EDPB) Guidelines 2/2023 on the Technical Scope of Art. 5(3) of the ePrivacy Directive.

ICO Draft Guidance: Key Takeaways

The ICO’s Draft Guidance explores the practical application of the Privacy and Electronic Communications Regulations (PECR) requirement that consent must be obtained from the subscriber or user for any storage of, or access to, information on a device (‘terminal equipment’), unless such storage or access is strictly necessary for the transmission of a communication or to provide a service requested by the user.

In particular, the Draft Guidance addresses the following areas which are explored further in their respective sections below:

Technologies

The ICO’s Draft Guidance looks at how and why the rules on storage and access of device information apply to various types of technologies used in web browsers, mobile apps or connected devices, namely: cookies; tracking pixels, link decoration and navigational tracking; web storage; scripts and tags; and fingerprinting techniques. The technologies the ICO focuses on overlap to a large extent with the examples used by the EDPB in its guidelines. However, taking the analysis on pixels as an example, the EDPB suggests that any distribution of tracking links/pixels to the user’s device (whether via websites, emails or text messaging systems) is subject to Article 5(3) of the ePrivacy Directive, as it constitutes ‘storage’ even if only temporarily via client-side caching. The ICO’s guidance is less clear, suggesting that tracking pixels are only subject to Regulation 6 PECR when they store information on the user’s device. This might imply a less expansive view than the EDPB’s, highlighting the importance of remaining alive to jurisdictional nuances for any global tracking campaigns.

Detailed Consent Requirements

The ICO reiterates that for a PECR consent to be valid, it must meet UK GDPR standards (freely given, specific, informed and unambiguous statement of the individual’s wishes indicated by a clear affirmative action).

The ICO highlights the fact that, where personal data is processed, consent must be provided by the data subject (this contrasts with the PECR user/subscriber consent requirement). This tension is an existing issue, but quite how the party collecting cookie consent for personal data processed via cookies (or a similar technology) is supposed to know whether the user of a device has changed, without either requiring re-consent or user identification on each visit (or carrying out background identification using fingerprinting or similar, which means more data processing and may be intrusive), is unclear.

In line with recent ICO statements on the lack of ‘reject all’ options, the ICO emphasises that subscribers/users must be able to refuse the use of storage and access technologies as easily as they can consent. Additional points of interest for controllers include:

• Users must have control over any use of non-essential storage and access technologies. While this could, on a conservative reading, be interpreted as requiring US-style granular per-cookie consent, the examples provided suggest that high-level consent mechanisms expressed per category (e.g. analytics, social media tracking, marketing) remain acceptable;
• Clarification that you must specifically name any third parties whose technologies you are requesting consent for (this information can be provided in a layered fashion, provided this is very clear). However, if controls are not required at an individual cookie level, which seems to be the case, this becomes less meaningful for data subjects: they cannot act on the additional information, as their only choice is to reject all storage and access technologies for each purpose category (e.g. all analytics cookies/technologies) rather than those of a particular third party; and
• Clarification that users must be provided with controls over any use of storage and access technologies for non-essential purposes (albeit this was arguably already required in order to facilitate withdrawal of consent or changing of preferences on an ongoing basis).

    Exemptions to consent: Strictly Necessary

    Leaving aside technologies necessary for communications, the ICO emphasises that the “strictly necessary” exemption applies when the purpose of the storage or access is essential to provide the service the subscriber or user requests. Helpfully, the ICO Draft Guidance clarifies that technologies used to comply with applicable law e.g. meeting security requirements, can be regarded as “strictly necessary”, such that no consent is required. This will not apply if there are other ways that you can comply with this legislation without using cookies or similar technologies.

    Other examples of activities likely to meet the exemption include: (i) ensuring the security of terminal equipment; (ii) preventing or detecting fraud; (iii) preventing or detecting technical faults; (iv) authenticating the subscriber or user; and (v) recording information or selections made on an online service.

One area of ambiguity remains in relation to fraud prevention and detection. In the financial services sector, websites/apps often use third-party fingerprinting for fraud detection (in order to meet legal obligations to ensure the security of their services). ‘Preventing or detecting fraud’ is listed as an example of an activity likely to meet the exemption, whilst third-party fingerprinting for fraud prevention is used by the ICO as an example of an activity subject to Regulation 6 PECR, with the implication that consent is needed (albeit this is not stated expressly). However, the Data (Use and Access) Bill (DUA Bill), if passed in its current form, provides some helpful clarity here: it states that use of such technologies should be regarded as “strictly necessary” where used to protect information, for security purposes, to prevent or detect fraud or technical faults, to facilitate automatic authentication, or to maintain a record of selections made by the user.

    Interestingly, the guidance suggests that the use of social media plugins/tools by logged-in users might be strictly necessary, though this does not extend to logged-out users, users who are not a member of that network, or any associated tracking.

    Governance and compliance

    A number of the ICO’s clarifications are likely to impact day to day resourcing and operations for any organisation using material numbers of storage and access technologies:

• Governance: the ICO sets out what it expects in respect of governance of storage and access requirements, including an audit checklist, and emphasises the need to regularly audit the use of such technologies and to ensure that the rest of the consent ecosystem (including transparency, consent, data sharing and subsequent processing) is consistent and up to date. This is likely to be resource intensive, and few organisations will be set up for this level of assurance.
    • Transparency:  The ICO guidance reinforces the need for transparency around whether any third parties will store/access information on the user’s device or receive this information, making clear that all third parties providing cookies or receiving data must be named (avoiding ambiguous references to “partners” or “third parties.”), and that specific information must be provided about each, taking into account UK GDPR considerations where personal data is processed. This will be a considerable challenge for complex ecosystems, most notably in the context of online advertising (albeit this has been a known challenge for some time).
    • Consent Ecosystem: The guidance makes very clear that a process must be in place for passing on when a user withdraws their consent. In practice, the entity collecting the consent is responsible for informing third parties when consent is no longer valid. This is crucial but challenging to comply with, and is again perhaps most relevant in the context of online advertising. 
• Subsequent Processing: as it has done in the past, the ICO continues to strongly suggest that any subsequent processing of personal data obtained via storage/access technologies on the basis of consent should also be based on consent, going as far as to suggest that reliance on an alternative lawful basis (e.g. legitimate interests) may invalidate any initial consent received.

    Conclusion

As device fingerprinting and other technologies evolve, it is crucial for organisations to stay informed, ensure compliance with the latest guidance and bear in mind that EU and UK regulation may diverge on points of detail.

    The ICO’s Draft Guidance provides helpful clarity on existing rules in the UK, including detailed examples of how to conduct cookie audits, but does not otherwise provide practical guidance on how to overcome many of the operational privacy challenges faced by controllers (such as monitoring changing users and managing consent withdrawals within online advertising ecosystems).

    With increasing regulatory commentary and action in this space, including the ICO’s most recent announcement regarding its focus on reviewing cookie usage on the biggest UK sites, now is the time to take stock of your tracking technologies and ensure compliance!

    The ICO’s Draft Guidance is currently open for consultation, with input sought by 5pm on Friday 14th March 2025. If you have any questions or would like to know more, please get in touch with your usual DLA contact.

CJEU ruling clarifies data protection and e-privacy issues in the ad-tech space
https://privacymatters.dlapiper.com/2024/03/cjeu-ruling-clarifies-data-protection-and-e-privacy-issues-in-the-ad-tech-space/
Wed, 13 Mar 2024

Introduction

    Identifiability; what can amount to personal data; and joint controllership are some of the issues addressed by the Court of Justice of the European Union (CJEU) in its recent judgment in the IAB Europe case (C-604/22). This case concerned the use of personal data for online advertising purposes and the use of real time bidding technology.

    The CJEU’s judgment, delivered on 7 March 2024, is a result of IAB Europe’s appeal of a decision of the Belgian Data Protection Authority (Belgian DPA) regarding the Transparency and Consent Framework (TCF) and the IAB Europe’s role within it.

    Background

    IAB Europe is a non-profit association representing undertakings in the digital marketing and advertising sector at European level. It developed the TCF, which is an operational framework of rules intended to enable online publishers, data brokers and advertisers to obtain users’ consent and lawfully process their personal data.

    The TCF is widely applied in the context of a real time auctioning system used to acquire advertising space for the display of targeted advertisements online. A key component of the TCF is the Transparency and Consent String (TC String).

    The TC String is a combination of letters and characters which encodes and records user preferences through consent management platforms (CMPs), when they visit a website or app. The TC String is then shared with ad platforms and other participants of the ad-tech ecosystem; the CMP also places a specific cookie on the user device. When combined, the TC String and this cookie can be linked to the user’s IP address.

On 2 February 2022, the Belgian DPA held that the TC String amounts to personal data, that IAB Europe qualifies as a data controller under the GDPR and that IAB Europe is, as a result, in non-compliance with certain requirements of the GDPR (for details see our earlier blogpost, ‘Belgian DPA decision on IAB Transparency and Consent Framework’, on Privacy Matters).

    IAB Europe contested the Belgian DPA decision, and the Brussels Court of Appeal referred two questions to the CJEU for a preliminary ruling:

    1. Whether a character string capturing user preferences in connection to the processing of their personal data constitutes personal data.
    2. Whether an organisation which proposes to its members a framework relating to the consent to the processing of personal data containing rules setting out how such personal data is to be stored or disseminated must be classified as a controller within the meaning of the GDPR.

    The ruling

    First question

    Drawing from its previous rulings, the CJEU stated that the concept of personal data under Article 4(1) of the GDPR includes information resulting from the processing of personal data relating to an identified or identifiable person. It was noted that a string such as the TC String contains individual preferences of an individual user in relation to the processing of their personal data.

    The CJEU concluded that, if the combination of a TC String with additional data, such as the user’s IP address, allows the user to be identified, then the TC String contains information concerning an identifiable user and constitutes personal data within the meaning of Article 4(1) of the GDPR.

    The fact that IAB Europe cannot itself combine the TC String with the user’s IP address and does not have direct access to the data processed by its member does not change that conclusion.

The CJEU took the view that, subject to the verifications that are for the Brussels Court of Appeal to carry out, IAB Europe has, under the TCF, reasonable means of identifying an individual from a TC String, by requesting that its members provide it with all information allowing it to identify the users whose data are the subject of a TC String.

    It follows from this that a TC String can constitute personal data within the meaning of Article 4(1) of the GDPR.

    Second question

To address the second question, the CJEU built upon its previous judgments and stated that a natural or legal person exerting influence over the processing of personal data and, as a result, participating in the determination of the purposes and means of the processing may be regarded as a controller within the meaning of Article 4(7) of the GDPR.

    The CJEU confirmed again that the concept of joint controllership does not necessarily imply equal responsibility and does not require each joint controller to have access to the personal data concerned.

    The CJEU took the view that IAB Europe as a sectoral organisation which makes available to its members a standard, appears to exert influence over the personal data processing operations when the consent preferences are recorded in a TC String and jointly determines, with IAB members, the purposes and means of those operations.

    It follows that IAB Europe can, in certain instances, be regarded as a controller within the meaning of Article 4(7) of the GDPR.

    The court clarified this point further, adding that a distinction must be drawn between the processing of personal data carried out by the members of IAB Europe, when the consent preferences of the users concerned are recorded in a TC String in accordance with the framework of rules established in the TCF, compared with the subsequent processing of personal data by operators and third parties on the basis of those preferences. Accordingly, the court was of the view that IAB Europe cannot be automatically regarded as controller in respect of subsequent data processing operations carried out by the third parties based on the preferences contained in the TC String, such as digital advertising or content personalisation, if IAB Europe does not exert an influence in the determination of either the purposes or the means of the processing.

    Conclusion / implications

    While not necessarily seismic or revelatory, the CJEU decision does bring welcome clarity on some longstanding data protection and e-privacy issues in the ad-tech space, in particular on the question of identifiability of individuals, the breadth of what can amount to personal data and the reach of joint controllership.

IAB Europe has welcomed the decision, which “provides well-needed clarity over the concepts of personal data and (joint) controllership, which will allow a serene completion of the remaining legal proceedings”.

The next step is for the matter to be assessed by the Brussels Court of Appeal, which will issue a final determination. Until then, the Belgian DPA’s decision remains suspended.

    Despite all the prophecies of doom, we believe that the TCF will emerge stronger from this decision. This is because neither the questions submitted to the court nor the CJEU’s answers call the TCF into question. On the contrary, IAB Europe should be able to resolve the issue of joint controllership for the participants in the TCF at a technical level, especially since, according to the CJEU, joint controllership cannot automatically be assumed for subsequent processing operations on the basis of the preferences articulated via the TC String. Organisations should assess whether and how they are using the TCF and continue to keep developments in this judgment under review.

UK: New Data Protection and Digital Information Bill
https://privacymatters.dlapiper.com/2022/07/uk-new-data-protection-and-digital-information-bill/
Wed, 20 Jul 2022
Authors: Alexa Smith, James Clark, Robyn Palmer, Jamie Sanderson

    The UK Government has published its long-awaited ‘Data Protection and Digital Information Bill’. The Bill will reform areas of UK data protection and electronic privacy law, and will also introduce new regulatory frameworks, most notably in the field of digital identity verification. By amending the UK GDPR, the Data Protection Act 2018 (“DPA 2018”) and the Privacy and Electronic Communications Regulations 2003 (“PECR”), the Bill realises the Government’s ambition to recalibrate its approach to data protection and privacy following the UK’s withdrawal from the EU.

In this post, we provide a high-level overview of key areas of reform. In subsequent posts, we will do a deeper dive on specific areas as the Bill makes its way through the legislative process. At this stage, it is important to note that the Bill is receiving its first reading in the House of Commons, and the text will change, to a greater or lesser extent, before the Bill passes into law.

    Definitions

The Bill expands upon certain key definitions. These expanded definitions draw on a combination of existing GDPR recitals (‘promoting’ these into the operative provisions of the legislation) and established ICO guidance and case law. The overall aim appears to be to provide additional clarity, on the face of the law, about how certain important terms should be interpreted. For example:

    • Section 1 expands on and qualifies the definition of ‘personal data’ depending on whether additional information is or is not used to identify an individual. This provision looks to reflect ICO guidance around the standard for anonymisation and reflects a ‘subjective’ approach to the question of identifiability.
    • Section 2 creates a statutory definition of scientific research and statistical purposes, by drawing on the existing recitals.

    Legal Basis and Principles

    More novel is the creation of a new concept of ‘recognised legitimate interests’ – i.e. processing activities that are deemed to automatically satisfy the legitimate interests balancing test, providing greater certainty to controllers looking to rely on this legal basis (s. 5; Schedule 1).

    A number of these mirror the exemptions set out in Schedule 2 of the Data Protection Act 2018, e.g. ‘the detection, investigation and prevention of crime’. As Schedule 2 DPA 2018 currently exempts controllers from most of the principles other than lawfulness / lawful basis, this can be seen in part as a logical extension of existing data protection exemptions for activities seen as being squarely in the public interest.

    Similarly, the Bill creates specified new exemptions from the ‘purpose limitation’ principle, including for example, the disclosure of personal data to a public authority that is relying on the ‘public task’ legal basis (s. 6; Schedule 2).

    Obligations of Controllers / Processors

    The role of the Data Protection Officer is to be replaced by a new role, with the title ‘Senior Responsible Individual’ (s. 14).

    The threshold for appointment of a Senior Responsible Individual is slightly different to the existing threshold for appointment of a DPO with the new requirement applying to public bodies and organisations undertaking high risk processing. The designated individual must be a senior member of management, rather than simply reporting to senior management. However, the day-to-day tasks of the SRI look to be largely similar to those of the DPO, such as monitoring compliance of the organisation, advising the organisation on data protection issues, taking steps to ensure compliance and acting as contact point for the Commissioner.

    Under the proposed new regime, the requirement to carry out Data Protection Impact Assessments is replaced by a requirement to undertake ‘Assessments of High Risk Processing’ (s. 17). It is worth noting that the general criteria for triggering a requirement to carry out a DPIA that are currently set out in Article 35(3) of the UK GDPR are to be removed. In their absence, we expect the ICO’s specific list of criteria (created under Article 35(5) UK GDPR) to be the relevant reference point.

    Despite the name change, the substantive nature of what should be considered as part of these assessments looks largely the same as under current law.

    It is also worthy of note that there is a proposed removal of the current obligation under Article 27 for organisations which operate outside of the UK but are caught by the UK GDPR’s extra-territoriality provisions to appoint a representative.

    Data Subject Rights

    Key changes in this area include the following:

• Controllers will be able to refuse data subject access requests that are ‘vexatious or excessive’ (s. 7). In this context, ‘vexatious’ is to be understood as covering requests which are ‘intended to cause distress’, ‘not made in good faith’ or amount to ‘an abuse of process’.
    • When collecting information directly from a data subject, a controller is excused from the requirement to provide fair processing information under Article 13 UK GDPR where data is collected for “scientific research or statistical processing”. Where data is collected indirectly (Article 14 UK GDPR), we now have criteria on the face of the law to help determine when the ‘disproportionate effort’ exemption applies, and the implication that this should be limited primarily to scientific research is, for Article 14 purposes, removed (s. 9).

    The Information Commissioner

Reform to the ICO (which will henceforth be an Information Commission, rather than a Commissioner) is relatively wide ranging and covers a number of themes. For example, there are changes which look to bring the work of the ICO under a higher degree of Government supervision:

    • the Commission is to be subject to express duties to have regard to promoting innovation and competition, and safeguarding public and national security (s. 27);
    • the Secretary of State can set ‘strategic priorities’ for the Commission (s. 28);
    • the Commission must assess its own performance on an annual basis using KPIs (s. 33).

    However, at the same time, the Commission is granted several new powers designed to support its investigatory and enforcement activities, including powers to:

    • require controllers or processors to arrange for the preparation of a report at the controller or processor’s expense (s. 35);
    • require persons to attend at a place and answer questions (referred to as an ‘interview notice’) (s. 36).

    International transfers

    The Bill will introduce amendments in relation to both international transfers and the UK’s approach to adequacy assessments (Schedule 5).

First, Article 44 of the UK GDPR is set to be removed. This is the over-arching requirement that “All provisions in this Chapter [V] shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined”. Removing this should, in theory, make data transfers less onerous and give greater flexibility to UK exporters of personal data.

    The previous adequacy assessment criteria are to be replaced by a new ‘data protection test’ for which the required standard is now “not materially lower than”, which looks to be a step away from the EU doctrine of ‘essential equivalence’.

    The requirement to carry out transfer impact assessments remains but the exporter must now consider whether “acting reasonably and proportionately […] the data protection test is met in relation to the transfer or that type of transfer”.

    Cookies

    The Bill seeks to relax cookie consent requirements in tightly defined circumstances and add clarity as to what comes within the “strictly necessary” exemption (s. 79):

    • Statistics and preference cookies are to move from a consent / ‘opt-in’ requirement to an ‘opt-out’ standard, subject to strict criteria.
    • The amended law will set out certain activities considered to fall within the “strictly necessary” exemption, including for example, to ensure the security of the user’s device is not adversely affected by the service, to prevent or detect fraud, and to authenticate a user.

    PECR Enforcement Regime

    The Bill also brings the PECR enforcement regime into line with that of the UK GDPR and the DPA, the most notable change here being the increase of potential fines to UK GDPR levels.

    Conclusion

    Whilst many parts of the Bill look to reflect the Government’s stated ambition to encourage innovation and responsibly ease the burden of compliance for businesses, it should be noted that the Bill does balance a softening of the rules in certain areas with enhanced regulation in others – the new investigatory and enforcement powers for the ICO and the increase in PECR fines being the obvious examples. There are also many examples of changes which are subtle – some of these are simply about reflecting established principles or guidance on the face of the law, others are about tweaking around the edges of existing governance requirements without overhauling them completely.

The Bill runs to 192 pages, and so this article necessarily provides only a snapshot of the changes introduced by the Bill which are likely to be of most interest to our readers. Additional parts of the Bill address areas including Digital Verification Services, Customer Data and Business Data, and we will look at these in subsequent posts.
