Opinion

EU and UK Data Protection Regulatory Trends so far in 2024: a focus on consent, adtech and tracking technologies

Published: Oct 16 2024

This series of blogs rounds up some of the key data protection regulatory trends we have seen during 2024, focused on the EU and UK. 

2024 has seen behavioural advertising and cookies continue to dominate the agenda of data protection authorities (DPAs) in the EU and of the ICO in the UK. Alongside that, DPAs have started to consult on guidance about Artificial Intelligence (AI), particularly Generative AI and Large Language Models (LLMs). After the initial flush of AI enforcement actions in 2023, we have not yet seen clarifying precedent emerge from the DPAs in 2024. DPAs have also focused increasingly on employee surveillance, particularly the use of biometric technologies. Finally, there has been a sting in the tail of enforcement related to EU-US data transfers, with a major fine issued for breaching the GDPR.

This blog focuses on consent, adtech and tracking technologies.

Cookies and consent – DPAs continue to enforce to ensure a balanced accept/reject approach

Over the last few years DPAs have strengthened their guidance on consent and the use of cookies, making clear that consent, under the GDPR and the national laws implementing the ePrivacy Directive, must be offered as a simple, balanced choice between accept and reject, so that consent is as easy to withdraw as it is to give. Many EU DPAs have continued to intervene to require steps to ensure compliance, and in some cases have issued fines for cookie consent infringements in 2024 (building on enforcement actions taken in previous years). For example, the Dutch DPA, Autoriteit Persoonsgegevens, fined Kruidvat.nl EUR 600,000 for placing tracking cookies before obtaining consent. The DPA also found that a pre-ticked box for accepting tracking cookies does not constitute freely given, specific, informed and unambiguous consent.

Automation of the cookie compliance assessment process by DPAs is a notable trend. It sends a warning that DPAs will address a wide spectrum of services and that companies cannot be confident they are "off the radar" of the DPAs' enforcement teams. For example, the Saxon Data Protection and Transparency Commissioner (SDTB) examined around 30,000 websites from Saxony for data protection violations. This led to contact with 2,300 controllers about the steps expected to address non-compliance.

In the UK, the Information Commissioner's Office (ICO) has also sharpened its focus on cookie compliance, running a sweep of the top 100 websites in the UK and following up with any found to be non-compliant. By March the ICO reported a success rate of around 80% in effecting change among the 53 organisations it wrote to. It also made clear that enforcement action could follow for those who had not implemented a compliant solution. However, at the time of writing no such action has been taken. The ICO has also indicated that it has now written to the next 100 websites.

Consent or pay – EDPB Opinion narrows the options 

While some aspects of the consent-focused actions from DPAs are not new, the Opinion from the European Data Protection Board (EDPB) on so-called "consent or pay" models broke new ground (April 2024). The EDPB's formal Opinion under Article 64(2) of the GDPR made clear that, in most cases, it will not be possible for online platforms to comply with the requirements for valid consent if they only present users with a choice between consenting to the processing of personal data for behavioural advertising purposes and paying a fee. The EDPB found that only offering a paid alternative to services which involve the processing of personal data for behavioural advertising purposes "should not be the default way forward for controllers." The Opinion was directed towards "large platforms": not a term defined in law, but one clearly drawing on the concept of Very Large Online Platforms in the Digital Services Act.

Numerous industry concerns have been raised about the EDPB Opinion, including the lack of engagement and consultation with stakeholders on a topic with major commercial implications. Criticisms of the Opinion have centred on the argument that it seeks to elevate data protection rights to absolute status and does not allow for consideration of other EU Charter rights, including the freedom to run a business.

The EDPB's Opinion has therefore made it difficult for large platforms to use a consent or pay model in relation to behavioural advertising. It is unclear how the Opinion applies to other online services (not large platforms) which also use consent or pay models, particularly the news media. There are already contradictory indications about how other DPAs may act against such models in the media: the Data Protection Authority of Lower Saxony found a German-language tech news site's consent or pay mechanism unlawful under the GDPR in 2023, but the Hamburg Data Protection Authority found Der Spiegel's use of pay or consent to be permissible. The NGO NOYB is now challenging the Hamburg decision.

Possibly in response to concerns raised about the lack of consultation and engagement on its consent or pay Opinion, the EDPB has now launched a consultation process for its upcoming guidelines on 'consent or pay' models. A stakeholder event will take place on 18 November 2024. The guidelines will cover a broader scope of application than large platforms.

In July 2024, the European Commission also announced its preliminary findings in an investigation of a leading social media platform, concluding that its 'pay or consent' advertising model does not comply with the Digital Markets Act (see this AOS blog for more detail). While a legal challenge has been launched against the EDPB's Opinion, the European Commission's DMA finding makes it clear that the EU is set strongly against consent or pay.

In the UK, the ICO has not set out such an unequivocal position on consent or pay. In April 2024 it published a consultation paper with a range of factors that it will consider when assessing such models: power balance, equivalence, appropriate fee and privacy by design. We await the outcome of the consultation and the final guidance later in 2024, and whether the ICO's approach leads to new enforcement action. At present it seems possible that the ICO will allow for more of a case-by-case approach compared to the EDPB, even though several of the factors, such as power imbalance, are common to both positions.

The regulatory actions of DPAs in 2024 indicate that companies should adopt a comprehensive governance approach to managing cookies across all parts of their digital operations, assess compliance risks and identify solutions.

Not just cookies – DPAs also target other tracking technologies 

There are also signs that DPAs are looking at other tracking technologies embedded in websites and apps. In 2024 the Swedish Data Protection Authority acted in two different cases involving the use of tracking pixels on websites.

In the first case, the DPA fined a bank EUR 1.3 million for a violation of the data security provisions under Articles 5(1)(f) and 32 GDPR, after the accidental activation of two functions of the Meta Pixel led to the unauthorised transfer of personal data to Meta.

In the second case the DPA acted against two pharmacies for their use of embedded pixels. Fines of EUR 3.2 million and EUR 700,000 were imposed for breaches of the GDPR involving the activation of a sub-function of the pixel that enabled the transfer of personal data, including special category data such as purchases of over-the-counter medicines. The pharmacies did not have the means to detect the data transfer themselves, and the violation was only addressed after the companies were alerted to the incident by external parties. The fines were again based on the finding that ineffective security measures were in place.

These cases highlight the importance of organisations keeping a detailed inventory of all tracking technologies used on their digital services, making a full assessment of the security risks as well as of wider GDPR compliance, and ensuring that regular audits take place.

Look out for our roundup on AI tomorrow.