Birds eye view

The state of data privacy in the UK

By Gabby Krite, Head of Digital Operations.

Despite ‘officially’ withdrawing from the European Union in 2020, many EU laws are still enforced in the UK. There’s even a nifty little interactive dashboard showing which have been retained (created to increase public awareness so that they can complain about them more specifically). Needless to say, our government have had other priorities over the last couple of years, but in recent months we have seen MPs circle their focus back on post Brexit policies – the most crucial for us being General Data Protection Regulations (GDPR) and Privacy and Electronic Communications Regulations (PECR).

Both have led to fundamental changes in our industry, and one could argue that they were the beginning of the end for the Cookie, a change that will transform our industry (eventually). The policies were created in the best interests of people and their data, but there have been some unintended consequences. One consequence that we will all be acutely aware of is the Cookie banner, with all businesses now having to collect consent to use an individual’s data, including Cookie data. To comply, websites now have a banner, and the complexity of these varies based on the businesses’ interpretation of legitimate interest.

Example 1: You opt into cookie tracking by using the site, and there is no option to manage cookies. This is on the lower end of compliance, and some would argue that the lack of a “reject” button is non-compliant.

Example 2: Full control over what types of cookies can be used to track you. This is the gold standard – it gives individuals complete control over their data and how a brand can use it. However, it’s somewhat cumbersome and requires full attention from the person to understand what is being communicated. And because each website belongs to a different brand, you need to repeat this every single time you go to a new website. It’s even more frustrating when you’re on your mobile and just want to find the price of something quickly. If you’ve opted out, you must repeat the process every single time you visit a site because the website does not permit the data to “remember” your opt-out. I firmly believe in having control of your data, but there has got to be a better way to make it happen than this! No one is making genuinely informed decisions with the current setup.

At the time of writing this article, the “Data Protection and Digital Information” bill is in the early stages of review in the House of Commons. It is a 192-page document designed to “update and simplify” our Data Protection regulations whilst theoretically keeping individual privacy at the forefront. Below is a summary of key points for us to be aware of in the industry:

  1. The frustratingly vague and often abused phrase “legitimate interest” is being extended to “recognised legitimate interests” where there is a defined list of what this covers – marketing is not included in that list. The data controller/processor will also now have responsibility for determining if the data collected is identifiable, making the definition of personally identifiable information more nuanced – it’s difficult to quantify the impact of this update at this stage. Still, it seems to add vagueness to the legislation that undermines the rest.
  2. The definition of cookies that require consent will now capture those needed for statistical analysis and to improve services. Our interpretation of this is that this will include web analytics cookies. In addition, there is a suggestion of introducing an infrastructure for accepting/rejecting cookies at a higher level than the website (perhaps the browser?) to remove the frustration of evaluating each site. This is highly likely to reduce the opt-in rate as an individual can apply the setting once – we would anticipate this to have a similar impact as the iOS 14 updates had on Meta in-app opt-ins.
  3. There is a lot of restructuring of processes around Data Protection Impact Assessments and the role of Data Protection Officers that, theoretically, put more of the onus on the business to understand legislation better. However, this could potentially lead to broader interpretations of compliance.

To be clear, this is not an exhaustive list of the impacts of the bill, and we encourage businesses to familiarise themselves with the bill once it has reached the Final Stages to make informed decisions about how it will impact your operations.

Each of these areas is an important consideration for a business, but from the lens of a digital marketer, the second is the most important. This feeds into the ever-present narrative of preparing for a cookieless future. Even if Google is delaying again, 60% of browsing is currently cookieless, and this legislation will likely bring that % further up. You can catch up on our New Era of Measurement event earlier in the year for our thoughts on preparing for this future.