Live facial recognition: new technology, same rules

In a 2021 Opinion, the Information Commissioner’s Office (ICO) looked at the data protection requirements surrounding the use of live facial recognition (LFR) for a number of purposes, including for advertising. Although the use of LFR is not commonplace in advertising, this article summarises key advertising-related parts of the Opinion and signposts potential future issues that might fall to be considered by the ICO and/or the ASA.

The Commissioner’s Opinion explains that facial recognition is the process through which a person can be identified or otherwise recognised from a digital facial image. This technology can be used in a variety of contexts from unlocking mobile phones, to setting up a bank account online, or passing through passport control. These uses typically involve a “one-to-one” process. The individual participates directly and is aware of why and how their data is being used. LFR is different and is typically deployed in a similar way to traditional CCTV. It is directed towards everyone in a particular area rather than at specific individuals. It has the ability to capture the biometric data of all individuals passing within range of the camera automatically and indiscriminately. Their data is collected in real-time and potentially on a mass scale. There is often a lack of awareness, choice or control for the individual in this process.

The Opinion notes that LFR can also be used for marketing, to gain marketing insights or to deliver products. Where LFR is used in this context, it tends to be used for categorisation, usually in the digital out-of-home sector. This enables organisations to:

  • estimate footfall for advertising space (audience measurement);
  • measure engagement with advertising space (dwell time at a particular location or other attention measurement);
  • provide interactive experiences (for example, turning on media or inviting customers to respond to it); or
  • serve targeted ads to passing individuals (demographic analytics).

Data protection law requires that the data protection principles be adhered to when processing personal data of individuals. In this context, organisations must ensure, first and foremost, that the processing is lawful, fair and transparent. Where biometric data is processed to uniquely identify someone, further safeguards will have to be in place.

The ICO advises that there is a high legal threshold to meet for the use of LFR and organisations will have to justify the use of this technology. They should also be able to demonstrate accountability, such as ensuring governance is in place through the undertaking of Data Protection Impact Assessments (DPIAs).

Some of the advertising purposes listed above fall beyond the remit of the CAP Code, but where the technology involves the processing of personal data to serve ads to consumers, in addition to data protection obligations, this processing would fall within Section 10 of the CAP Code and would be subject to rules relating to the legal basis for processing data for ads and transparency about the use of data. Any ads served via LFR would also have to comply with the rest of the CAP Code.

CAP and the ASA will keep an eye on the emerging use of LFR for marketing purposes, and issue further guidance where appropriate.

For more guidance on how to ensure your non-broadcast ads are problem-free, please contact our Copy Advice Team for free, fast and bespoke advice.

