In 2021, the ICO looked at the data protection requirements surrounding the use of live facial recognition (LFR) for various purposes, including for advertising. Although the use of LFR is not commonplace in advertising, CAP have published an article summarising key advertising-related parts of the Opinion and signposting potential future issues that might fall to be considered by the ICO and/or the ASA.

The ICO Opinion explains that facial recognition is the process through which a person can be identified or otherwise recognised from a digital facial image, e.g. when unlocking mobile phones. This usually involves a “one-to-one” process where the individual participates directly and is aware of why and how their data is being used. LFR is different and is typically deployed in a similar way to traditional CCTV. It is directed towards everyone in a particular area rather than at specific individuals. It can capture the biometric data of all individuals passing within range of the camera automatically and indiscriminately. Their data is collected in real-time and potentially on a mass scale. There is often a lack of awareness, choice or control for the individual in this process.

The ICO Opinion notes that LFR can also be used for marketing, to gain marketing insights or to deliver products. Where LFR is used in this context, it tends to be used for categorisation, usually in the digital out-of-home sector. This enables organisations to:

• estimate footfall for advertising space (audience measurement);
• measure engagement with advertising space (dwell time at a particular location or other attention measurement);
• provide interactive experiences (e.g. turning on media or inviting customers to respond to it); or
• serve targeted ads to passing individuals (demographic analytics).

CAP notes that some of the advertising purposes listed above fall beyond the remit of the CAP Code. However, the regulator explains, where the technology involves the processing of personal data to serve ads to consumers, in addition to data protection obligations, this processing falls within Section 10 of the CAP Code and would be subject to rules relating to the legal basis for processing data for ads and transparency about the use of data. Any ads served via LFR would also have to comply with the rest of the CAP Code.

CAP says that it and the ASA will keep an eye on the emerging use of LFR for marketing purposes, and issue further guidance where appropriate. To read CAP’s article in full, click here.