Press releases


Data Regulator pushes ahead with age gates

The ICO's Age Appropriate Design Code released today includes changes which lessen the risk of widespread age gates, but retains strong incentives towards greater 'age gating' of content.


Over 280 ORG supporters wrote to the ICO about the previous draft code, to express concerns with compulsory age checks for websites, which could lead to restrictions on content.

Under the code, companies must establish the age of users, or restrict their use of data. ORG is concerned that this will mean that adults can only access websites when 'age verified', creating severe restrictions on access to information.

The ICO's changes to the Code in response to ORG's concerns suggest that different strategies to establish age may be used, attempting to reduce the risk of forcing compulsory age verification of users.

However, the ICO has not published any assessment to understand whether these strategies are practical or what their actual impact would be.

The Code could easily lead to Age Verification through the backdoor as it creates the threat of fines if sites have not established the age of their users.

While the Code has many useful ideas and important protections for children, this should not come at the cost of pushing all websites to undergo age verification of users. Age Verification could extend through social media, games and news publications.

Jim Killock, Executive Director of Open Rights Group said:

"The ICO has made some useful changes to their code, which make it clear that age verification is not the only method to determine age.

"However, the ICO don't know how their code will change adults' access to content in practice. The new code published today does not include an Impact Assessment. Parliament must produce one and assess implications for free expression before agreeing to the code.

"Age Verification demands could become a barrier to adults reaching legal content, including news, opinion and social media. This would severely impact free expression.

"The public and Parliament deserve a thorough discussion of the implications, rather than sneaking in a change via parliamentary rubber stamping with potentially huge implications for the way we access Internet content."



Jim Killock


ICO Age Appropriate Design Code, section 3:


Age Verification Judicial Review endangers UK citizens' privacy

The Judicial Review launched by tech companies to force the start of Age Verification for adult content under the Digital Economy Act 2016 would endanger privacy.

Reacting to the Judicial Review launched by tech companies to force Age Verification for adult content to be implemented (1), Jim Killock, Executive Director of the Open Rights Group said:

"These companies are asking us to trust them with records of millions of people's sexual preferences, with huge commercial reasons to use that data for profiling and advertising. 

"The adult industry has a terrible record on data security. We're being asked to hope they don't repeat the many, many times they have lost personal data, with the result that blackmail scams and worse proliferate. (2)

"The government did the responsible thing when it admitted its plans were not ready to proceed. Age Verification must not be pushed forward until there is compulsory privacy regulation put in place."

The companies behind the legal action are not subject to tight privacy regulations. Instead, the government can only ask for 'voluntary' privacy commitments.

General data protection law is not sufficient for this industry as data breaches of this nature cannot be fixed by fines. They need to be prevented by the toughest and most specific regulation available.

Examples of sector specific privacy regulation include bank payments governed by PCI DSS, which specifies exactly how privacy and security must be implemented (3).

The BBFC, when acting as regulator, created a voluntary privacy code. This was, however, rushed, created without public consultation, and criticised by ORG as too weak. (4) Additionally, at least one company, 18PlusApp, refused to comply with it. (5)


Jim Killock +442070961079


(1) Tech companies launch legal action to force Government to bring in under 18s porn ban:

(2) List of MindGeek data breaches:

(3) Compulsory banking standards for privacy and security, PCI DSS:

(4) Analysis of BBFC Age Verification Certificate Standard, June 2019:

(5) 18PlusApp opts out of BBFC privacy regulation, June 2019:



Data regulator ICO fails to enforce the law

Responding to ICO's announcement today that the regulator is taking minimal steps to enforce the law against massive data breaches taking place in the online ad industry through "Real-Time Bidding", complainants Jim Killock and Michael Veale have called on the regulator to enforce the law.

The complainants are considering taking legal action against the regulator. Legal action could be taken against the ICO for failure to enforce, or against the companies themselves for their breaches of Data Protection law.

The "Real-Time Bidding" data breach at the heart of the RTB market exposes every person in the UK to mass profiling, and the attendant risks of manipulation and discrimination.

As the evidence submitted by the complainants notes, the real-time bidding systems designed by Google and the IAB broadcast what virtually all Internet users read, watch, and listen to online to thousands of companies, without protection of the data once broadcast. Now, sixteen months after the initial complaint, the ICO has failed to act.

Jim Killock, Executive Director of the Open Rights Group said:

"The ICO is a regulator, so needs to enforce the law. It appears to be accepting that unlawful and dangerous sharing of personal data can continue, so long as 'improvements' are gradually made, with no actual date for compliance.

"Last year the ICO gave a deadline for an industry response to our complaints. Now the ICO is falling into the trap set by industry, of accepting incremental but minimal changes that fail to deliver individuals the control of their personal data that they are legally entitled to.

"The ICO must take enforcement action against IAB members.

"We are considering our position, including whether to take legal action against the regulator for failing to act, or individual companies for their breach of data protection law."

Dr Michael Veale said: "When an industry is premised and profiting from clear and entrenched illegality that breaches individuals' fundamental rights, engagement is not a suitable remedy. The ICO cannot continue to look back at its past precedents for enforcement action, because it is exactly that timid approach that has led us to where we are now".

Ravi Naik, solicitor acting for the complainants, said "There is no dispute about the underlying illegality at the heart of RTB that our clients have complained about. The ICO have agreed with those concerns yet the companies have not taken adequate steps to address those concerns. Nevertheless, the ICO has failed to take direct enforcement action needed to remedy these breaches.

"Regulatory ambivalence cannot continue. The ICO is not a silo but is subject to judicial oversight. Indeed, the ICO's failure to act raises a question about the adequacy of the UK Data Protection Act. Is there proper judicial oversight of the ICO? This is a critical question after Brexit, when the UK needs to agree data transfer arrangements with the EU that cover all industries."

Dr Johnny Ryan of Brave said "the RTB system broadcasts what everyone is reading and watching online, hundreds of billions of times a day, to thousands of companies. It is by far the largest data breach ever recorded. The risks are profound. Brave will support ORG to ensure that the ICO discharges its responsibilities."

Jim Killock and Michael Veale complained about the Adtech industry and "Real Time Bidding" to the UK's ICO in September 2018. Johnny Ryan of Brave submitted a parallel complaint against Google about their Adtech system to the Irish Data Protection Authority. 



Jim Killock +442070961079

Notes to the editor 

ICO Blog:



NEWS RELEASE: Open Rights Group and Privacy International statement on Police Scotland's announcement to roll-out cyber kiosks

Following Police Scotland’s announcement that they will be rolling out cyber kiosks to police stations across Scotland, Open Rights Group and Privacy International have released a statement:

"Open Rights Group and Privacy International called on Police Scotland to prevent rolling out until the Scottish Government reformed the law to provide an overarching framework for the seizure of electronic devices in Scotland in line with human rights standards. That recommendation has not been heeded by the Government and as a result we will shortly have intrusive technology available for use by Police in Scotland under laws that don’t meet fundamental standards of accessibility and foreseeability for the individual.

Our mobile phones are unlike any other piece of personal property. Access to our devices means access to our photos, videos, contacts, messages, even messages we have not sent, our notes, our calendars, our browsing history, even our locations. These searches are deeply intrusive and our legal system in Scotland is not fit to respond to that level of intrusion.

Victims and witnesses are being offered to “consent” to have their phones collected and searched, but they will have no right to retract that consent for retaining and examining the data on the device. It is not fair for Police Scotland to present this as consent. This could be deeply confusing and harmful for those individuals to learn that handing over their device voluntarily does not mean they are empowered to have their device returned and the information held on that device not examined."


Police Scotland confirmed phased roll-out on a post on their website:



NEWS RELEASE: Mobile Adtech "out of control"

A report released today shows that Adtech in mobile apps is sharing user data far and wide through adtech systems, including sensitive information such as sexuality, drug use and political views.

The applications investigated include dating apps Grindr and OkCupid.

The report from the Norwegian Consumer Council calls for action to ensure that sensitive personal data is kept securely, and not shared widely without user consent.

As many of these applications are UK based, the Open Rights Group has written to the UK’s Information Commissioner Elizabeth Denham to ask her to investigate. The Adtech industry is already the subject of complaints filed by the Open Rights Group and Michael Veale.

The report concludes that:

"The adtech industry is operating with out of control data sharing and processing, despite that should limit most, if not all, of the practices identified."

Jim Killock, Executive Director of the Open Rights Group said:

“This report shows that the most sensitive facts about people’s personal lives are being shared in irresponsible and unlawful ways through people’s mobile phones. Yet the regulators have the power to investigate and protect people’s privacy. 

"The UK’s Information Commissioner is absolutely key, as many mobile apps are businesses based in the UK. That is why we have called on her to investigate today."

Detailed findings from the report include that:

  • The dating app Grindr shared detailed user data with a large number of third parties that are involved in advertising and profiling. This data included IP address, Advertising ID, GPS location, age, and gender. Twitter’s adtech subsidiary MoPub was used as a mediator for much of this data sharing, and was observed passing personal data to a number of other advertising third parties including the major adtech companies AppNexus and OpenX. Many of these third parties reserve the right to share the data they collect with a very large number of partners.

  • The makeup app Perfect365 shared user data with more than 70 third parties. This data included the Advertising ID, IP address, and GPS location. Many of the third parties that were receiving this data are in the business of collecting, using and selling location data for various commercial purposes.

  • The period tracker app MyDays shared the user’s GPS location with numerous third parties involved in behavioural advertising and profiling.

  • The dating app OkCupid shared highly personal data about sexuality, drug use, political views, and more with the analytics company Braze.

  • Google’s advertising service DoubleClick was receiving data from eight of the apps, while Facebook was receiving data from nine apps.

More Information 


Jim Killock 07894498127


About Open Rights Group

Open Rights Group is the UK's leading voice defending freedom of expression, privacy, innovation, creativity and consumer rights on the Internet.

We challenge mass government surveillance, protect free expression online and the right to privacy online. We campaign, lobby, talk to the media, go to court — whatever it takes to build and support a movement for freedom in the digital age.

Founded in 2005, we have over 3000 paying supporters and a movement of 45,000 activists.

Open Rights Group is a non-profit company limited by Guarantee (05581537) based in London and Edinburgh.


Public are kept in the dark over data driven political campaigning, poll finds

A poll commissioned by civil society organisation Open Rights Group has highlighted a worrying lack of national awareness around nefarious online campaigning activities.

Open Rights Group commissioned YouGov, a polling company, to conduct two polls to gauge public attitudes towards data driven campaigning practices. One poll was nationally representative and another sampled a selection of the most marginal constituencies in Britain - and therefore some of the constituents most likely to experience these activities. The fieldwork for both polls took place the week after the election. 

The nationally representative sample demonstrated a worrying lack of awareness of these issues. 42% of those polled were aware of undeclared spending donations (‘dark money’). Similarly, 44% of the national sample were aware of ‘dark ads’ (online adverts only seen by the recipient). Just half (54%) of those in the national sample were aware of the practice of targeting or tailoring adverts (political microtargeting). When asked however, a majority of the national sample were against these practices occurring during an election. The strongest opposition was to dark money (69%). 

Whilst there was strong support for a range of policy responses, tougher punishments was the most popular remedy (78%). This was replicated in the results from the marginal constituencies (85%). The marginal constituencies polled were more strongly in favour of policy remedies on the whole. In addition, they tended to have much higher awareness of data driven campaigning practices than the national sample, particularly with regards to political microtargeting (63%). 

On a positive note, the polls suggest that the more people are aware of the data driven campaigning practices that dictate our politics, the stronger the support for policy interventions. Comparing the national results to the targeted constituency results, awareness of campaigning practices was greater in marginal constituencies, as was support for intervention policies generally. However, the lack of national awareness of these practices after the ‘most digital election, ever’ is problematic for electoral reform. 

Pascal Crowe, Data and Democracy Project Officer at Open Rights Group said: 

Political microtargeting, astroturf ads and unaccountable money are upending our electoral system. Despite this, citizens remain in the dark. The onus is now on politicians to take the initiative and push electoral reform up the legislative agenda. The time to act is now.

Notes to Editors

Open Rights Group have developed a tool that allows you to discover the data that political parties hold on you. Find out more here:

All figures, unless otherwise stated, are from YouGov Plc. Sample size for targeted constituency poll was 1098 adults and figures have been weighted to be representative of a selection of 28 marginal constituencies in GB. Fieldwork for this took place 16th-24th December 2019. Sample size for nationally representative sample was 1664 adults and figures have been weighted and are representative of all GB adults (aged 18+). Fieldwork for this took place 16th-17th December 2019. Both surveys were carried out online. 

A full breakdown of results can be found here: 



For further information please contact Federica Dadone, Communication Officer for Open Rights Group, at or 0207 0961079.



Open Rights Group joins international outcry over UK government calls to access private messages



Open Rights Group has joined dozens of other organizations signing an open letter to the UK government to express significant concerns raised by their recent statements against encryption.

The UK Home Secretary, Priti Patel, has joined her US counterparts in demanding weaker encryption and asking internet companies to design digital “back doors” into their messaging services. The UK government suggests stronger capabilities to monitor private messages will aid in fighting terrorism and child abuse. ORG disagrees, arguing that alternative approaches must be used as the proposed measures will weaken the security of every internet user.

ORG is concerned that this attack on encryption forms a pattern of attacks on digital privacy and security by the UK government. Only last week leaked documents showed that the UK wants to give the US access to NHS records and other personal information, in a “free flow of data” between the two countries.

The open letter was also addressed to US and Australian authorities, and was coordinated by the US-based Open Technology Institute and was signed, among others, by Amnesty International, Article 19, Index on Censorship, Privacy International and Reporters Without Borders.

Javier Ruiz Diaz, Policy Director for Open Rights Group, said: 

“The Home Secretary wants to be able to access our private messages in WhatsApp and similar apps, demanding that companies remove the technical protections that keep out fraudsters and other criminals. This is wrong and will make the internet less safe. Surveillance measures should be targeted and not built into the apps used by millions of people to talk to their friends and family.”

Notes to Editors

You can find the letter here.

If you want more information about encryption, you can read more on our blog here:

For further information please contact Federica Dadone, Communication Officer for Open Rights Group, at or 0207 0961079.



Campaigners demand answers over parties' use of personal data in General Election



Directors, staff, and members of the Open Rights Group have demanded that the Liberal Democrats, the Conservatives, and Labour cease processing their data and erase the profiled data created about them. The claimants are concerned that these political parties may have breached data protection law through their profiling activities.

Open Rights Group have written pre-action letters to the political parties laying out their concerns about the lawfulness of the processing that has been undertaken on their personal data. The claimants are seeking clarity on the use of their data.

These political parties had created individualised scores such as their age, whether they support Brexit, and their social status, such as “metropolitan elite” or “soft Tory”. This often but not exclusively relied upon third party data brokers such as Experian, a credit reference company. The parties have also been accused of failing to be transparent about who they have shared this data with, including political campaigning consultancies.

The legal action is apolitical and non-partisan, although the facts differ in the case of each party.

The Labour Party, inter alia, provided scores based on individuals’ personal data that were unintelligible. They also failed to respond to their initial SARs within the statutory time limit.

The Conservative Party, inter alia, had been using personal names and addresses to guess the age of one claimant, without prior consent or a clear explanation of their legal justification.

The Liberal Democrats, inter alia, had failed to provide the sources of third party data used to profile those individuals that sent SARs.

At least two of the parties appear to have incorporated email addresses from local election registers. The claimants believe that the parties are not entitled to this data, obtained when people use online voter registration tools. It is unclear how many authorities have given personal emails of residents to political parties.

Pascal Crowe, Data and Democracy Project Officer, Open Rights Group said:

The abuse of personal data is now a systemic issue in our politics. No one comes out of this well.

We are concerned about the lawfulness of these activities and have put these concerns to the parties. Further, we are concerned what this means for democracy. Faith in democratic outcomes rests on a shared democratic process and profiling voters to create micro-targeted audiences undermines that.

Its use is even more baffling given that we often don’t recognise our profiles. They are not even profiling accurately. But political parties are seemingly unquestioning of the authority of numbers.

These techniques should not be used to determine political activity and engagement. They are dishonest, inaccurate, and anti-democratic.

Ravi Naik, Partner, ITN Solicitors representing the claimants from Open Rights Group said:

Political parties must be accountable for their use of data. Our clients requested their information from the Parties and were presented with unclear and incomplete responses. We have therefore written to the parties, outlining our clients' concerns about the use of their data. This includes a challenge to the legality of the wider processing activities.

Parties seem to consider themselves as having a free pass to do as they want with personal data as they consider this in the democratic interest. However, the data protection regime exists to limit data use to prevent abuses. The democratic interest is best served by all Parties respecting the law.

Notes to editors
Pre Action letters have been sent to the Conservatives, the Liberal Democrats and the Labour Party raising questions about their processing activities.

The activities were revealed through subject access requests (SARs) to the political parties.

Open Rights Group have developed a tool that allows for members of the public to exercise their right of subject access:

For further information please contact Federica Dadone, Communication Officer for Open Rights Group, at or 0207 0961079.



Campaigners release tool for the public to discover the extent of political party profiling during general election.

WEDNESDAY 4 DECEMBER 2019

Open Rights Group (ORG) have released a tool to help UK voters turn the tables on political parties, by seeing what personal data they hold on them.

Using rights under the General Data Protection Regulation, ORG has developed a tool that allows everyone to easily email the main political parties to find out what data they hold on them using their right of Subject Access. Normally, the bureaucratic process of submitting a Subject Access Request (SAR) and getting the correct wording for the request is extremely off-putting. Now, all a person needs is a photo ID that shows their identity and current voting address.

Up until now, most of the focus and blame when it comes to commercial use of data has been on companies, like Cambridge Analytica and Facebook. Political parties however, in their role as data controllers, are engaging in similar practices by trading and grading our personal data.

Facebook ads are just the end of a production line that begins with political parties buying electoral register datasets and then mixing them with commercial datasets and other forms of data.

ORG’s goal is for as many people as possible to submit requests in order to research what kind of information parties are holding about us. In addition, ORG intends this campaign will act as a deterrent: that getting a large number of SARs will put parties off from this practice.  

Pascal Crowe, Data and Democracy Project Officer for Open Rights Group, said: 

“In recent years our national politics has become increasingly focused on returning power to the people from politicians. This tool allows individuals to do just that in an effective, simple, non-partisan manner. 

During our own requests to political parties we have found that the parties have been buying up commercial datasets and using those to profile the political opinions of the electorate. This includes guessing where we stand on Brexit, taxation, housing, austerity; whether we are a pragmatic liberal, or our likelihood of swinging from one party to another. 

This is also based on demographic data that is deeply inaccurate. These inaccuracies may lead to whole sections of the population being excluded from democratic engagement by the political parties.

The use of data in politics creates a severe power imbalance between the public and those who govern them. Retrieving the data held on us goes some way to addressing that.”

Notes to Editors

You can find the tool here.

The tool sends a subject access request to every political party that has a sitting elected representative in a national or regional parliament or assembly. 

This means parties represented in the House of Commons, Scottish Parliament, Welsh Assembly and Northern Irish Assembly.

Information on what Open Rights Group staff have found as a result of their requests for personal data can be accessed here.

The right of access is a right for all individuals under Article 15 of the General Data Protection Regulation to obtain information from data controllers. The specific wording of the Article is found below:

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

(a)    the purposes of the processing;

(b)    the categories of personal data concerned;

(c)    the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

(d)    where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

(e)    the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

(f)    the right to lodge a complaint with a supervisory authority;

(g)    where the personal data are not collected from the data subject, any available information as to their source;

(h)    the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

For further information please contact Federica Dadone, Communication Officer for Open Rights Group, at or 0207 0961079.


