Privacy Daily is a service of Warren Communications News.
'Real Opportunity'

UK Data Privacy Regulator to 'Relax' GDPR Enforcement Stance

The U.K. Information Commissioner’s Office (ICO) plans to “relax” its enforcement approach under the General Data Protection Regulation (GDPR) by year's end, Executive Director-Regulatory Risk Stephen Almond told us Thursday at the IAPP Global Privacy Summit in Washington.

Almond said the U.K. data regulator will look to loosen enforcement standards for companies collecting consumer data and processing it for behavioral advertising purposes. One potential change is to allow the removal of cookie banners when users enter websites and to let companies collect data when there’s a “basis of legitimate interest” under the U.K. GDPR, said Almond.

Members of the U.K. Parliament since 2023 have been pursuing legislation to allow businesses greater freedom in processing personal data, to expand the definition of legitimate interest and lower thresholds for international data transfers. U.K. lawmakers are considering the Data Bill, which would create more flexibility for companies collecting personal data and new definitions for legitimate interests.

The ICO in November 2023 warned companies about potential penalties for not giving consumers “fair choice” in opting out of targeted advertising. ICO guidance requires that companies let consumers easily reject or accept all advertising cookies. The ICO followed up in January 2024, noting the compliance response from the U.K.’s most-frequented websites.

Almond said companies may be collecting personal data for legitimate reasons without sharing personal characteristics in “intrusive” ways. Privacy rules currently require consent for collecting this information to track advertising activity.

“That’s a high bar,” he said. “We think there’s potential there to relax our enforcement posture around that to enable” organizations that want to pursue business models that preserve privacy. The ICO’s plan is to issue an “altered enforcement posture” before the end of 2025, he said.

Legitimate interest is one of six lawful bases for companies processing data under the GDPR. Companies must balance “legitimate interests and the necessity of processing the personal data against the interests, rights and freedoms of the individual,” according to the ICO.

Almond said the U.K. Parliament is considering legislative updates to create GDPR exemptions for contextual advertising and allow “industry to thrive.” The ICO can’t change the law, but it can be clear about what’s permissible in terms of enforcement, he said.

The ICO will engage openly on these potential changes and its examination of “low-risk and high-risk” data processing. He said the ICO is looking at how companies use data for contextual advertising and determining if organizations are collecting data in ways that aren’t likely to “cause damage or distress for people.”

“We think there is a real opportunity here,” he said: Many organizations aren’t “really happy with having to target and profile their customers very intensively. It’s not the relationship they want to have with their customers, but they see themselves in a difficult position where if they switch to something that is more contextual they will potentially end up losing revenue.”