What a possible move away from GDPR means for marketers

Blog banner

In May, the UK government revealed plans to introduce a Data Reform Bill during the Queen’s Speech. The bill proposes significant changes to the data protection and privacy rules contained in the UK General Data Protection Regulations (GDPR), which currently align with the EU standards for GDPR.

In other words, the Data Reform Bill would see the UK move away from GDPR, making it easier for companies to store user information without consent. Aside from the impact on data protections and privacy rules, the government’s proposals would affect businesses of all sizes in the UK, marketers and advertisers, and how overseas businesses deal with companies and consumers in the UK.

What has the government proposed in its Data Reform Bill?

On June 17, the Department for Digital, Culture, Media & Sport published a press release summarising its intentions for the Data Reform Bill. promising “new data laws to boost British business, protect consumers and seize the benefits of Brexit,” the release says the bill would introduce tougher penalties for nuisance calls “and minimise the number of annoying cookie pop-ups people see on the internet”.

Which could mean less of this for internet users in the UK:

Cookies notification on Gov.uk website

“Tougher fines for firms hounding people with nuisance calls and a clampdown on bureaucracy, red tape and pointless paperwork are part of reforms to transform the UK’s data laws for the digital age and seize the benefits of Brexit.”New data laws to boost British business, protect consumers and seize the benefits of Brexit; Department for Digital, Culture, Media & Sport

We should point out that the bill is simply a proposal and the government is yet to offer up any specific technical information about how any changes would be implemented. So, rather than paraphrase, let’s look at a few key quotes from the same press release:

  • Reducing burdens on businesses: “Remove the UK GDPR’s prescriptive requirements giving organisations little flexibility about how they manage data risks – including the need for certain organisations, such as small businesses, to have a Data Protection Officer (DPO) and to undertake lengthy impact assessments.”
  • Cookie consent: “Cut down on ‘user consent’ pop-ups and banners – the irritating boxes users currently see on every website – when browsing the internet”.
  • Opt-in model: “The government’s new opt-out model for cookies will heavily reduce the need for users to click through consent banners on every website they visit – meaning that people will see far fewer of the frustrating boxes online.”

The Department for Digital, Culture, Media & Sport has also published its response to a consultation on the Data Reform Bill, entitled Data: a new direction – government response to consultation, outlining its immediate and long-term plans in relation to data collection and consent:

“Following consideration of responses, the government intends to legislate to remove the need for websites to display cookie banners to UK residents. In the immediate term, the government will permit cookies (and similar technologies) to be placed on a user’s device without explicit consent, for a small number of other non-intrusive purposes.”

“In the future, the government intends to move to an opt-out model of consent for cookies placed by websites. In practice, this would mean cookies could be set without seeking consent, but the website must give the web user clear information about how to opt out. This would allow the government to realise its ambition to improve the user experience and remove the need for unnecessary cookie consent banners.

That’s a clear indication that the government intends to reduce cookie popups for internet users in the UK while permitting companies to collect data without users’ consent via an opt-out model. However, the proposal is vague in its reference to “non-intrusive” purposes and whether consent would still be required for certain types of data.

In the same document, the government proposes that an opt-out model could be implemented into web browsers so users can set privacy settings once rather than on every site they visit. This sounds good, in theory, but the proposal doesn’t provide any technical detail about how this would actually work.

Does the government expect major browser developers to implement a consent system into their software purely for users in the UK?

We have to keep in mind that any and every aspect of this bill could change before anything is passed into law but it seems the long-term plan is to significantly reduce consent requirements, implement an opt-out model for data collection and, thereby, allow companies to collect data from users in the UK without their consent.

What does the Data Reform Bill mean for businesses in the UK?

Many of the proposals set out in Data: a new direction – government response to consultation are bold but they also lack important specifics in terms of technical implementation or which types of data (ie: identifying, non-identifying, etc.) each proposal applies to.

The current draft of the Data Reform Bill would clearly affect all UK businesses but it’s difficult to predict how significant the impact would be without more information from the government.

At this stage, we can’t confidently say how many of the proposals are even feasible or whether it would be worth UK businesses investing resources into changing their data systems so soon after GDPR.

All we can do is summarise the proposals related to data collection, consent and cookies:

  • Consent no longer required to collect data from users in the UK (which types of data aren’t specified)
  • Opt-out system allows data collection from users in the UK by default
  • A Data Protection Officer (DPO) no longer required for data processing
  • Data protection risk assessments no longer required
  • Companies no longer required to maintain a record of processing activities – ie: what they do with data collected

If all of these changes are passed into law, companies (both domestic and international) would be able to collect and use data from UK users with almost all of the freedoms they had before GDPR. The government says this will make life easier for businesses in the UK but it’s difficult to see how this will materially benefit anyone other than data-guzzling corporate giants.

The vast majority of businesses would have to overhaul their data processes (again) to benefit from the changes, potentially manage separate processes for the UK and EU and require legal consultancy to ensure compliance is met.

Why would we need different data processes for the UK & EU?

If the changes are as major as the proposals, this could threaten the exchange of data between the UK and the EU. This was among the first concerns raised by BCS, the Chartered Institute for IT, and other industry organisations after the initial announcement during the Queen’s Speech in May.

Currently, the EU allows data to flow freely between the EU and its member states because GDPR remains in place here. However, if the UK abandons GDPR with significant changes, it would presumably be treated as any other country outside of the union, in which case the European Commission makes a case-by-case decision on whether each country’s data protection laws are “adequate” – ie: offering a similar level of data protection as member states.

Should the UK lose its adequacy status, the flow of data with member states would become restricted, adding further trade barriers.

The other issue is that companies anywhere in the world have to comply with GDPR if they want to collect data from users in the EU. This means companies in the UK could potentially need to implement two systems to take advantage of the relaxed rules. For companies that have spent the past four years adapting to GDPR compliance, you have to wonder whether it’s making further changes at this point.

What does this mean for marketers & advertisers in the UK?

If the outlook is unclear for UK businesses, it’s even more so for those of us in the marketing and advertising industry. As soon as the government announced plans to reform data laws at the Queen’s Speech in May, the Data and Marketing Association (DMA) and other industry authorities called for clarity and organisations are once again pushing for more details following the proposals published in the government’s response to consultation.

Without more information, it’s difficult to predict what the full impact of these proposals would be on marketing and advertising in the UK, assuming they even pass into legislation.

Simplifying consent or, potentially, even removing cookies from the browsing experience altogether would be welcome, in theory. However, the proposals for an opt-out system that allows businesses to collect data without consent sounds like too much of a departure from EU data regulations to maintain the UK’s adequacy status – at least, until we have specific details about how such as system would maintain the flow of data between the UK and member states.

And this is before we even touch on the data privacy issues with the government’s proposals.

If you read through the government’s response, “the majority of respondents disagreed” is repeated 15 times in relation to government proposals and the phrase “concerns” is mentioned 36 times – including “the government’s consultation recognises that respondents fear a potential lowering of standards”.

Yet, in the vast majority of cases (not all), the government simply says it will carry on and implement its proposals regardless of any concerns raised.

Once again, without further details, it’s difficult to say whether the bill’s proposal for a browser-wide consent system is even workable and whether it would benefit or harm current advertising models. For example, would browsers be required to allow users to opt out indefinitely or would users need to do this manually every week, month or some other time period?

As things stand, the proposal makes bold claims but offers little in substance.

More questions than answers

The information currently available to us on the Data Reform Act raises more questions than it answers. We’re confident most of the marketing and advertising industry would support viable alternatives to the current state of constant consent popups but this doesn’t appear to be the purpose of the Data Reform Bill.

Nothing in the current proposals suggests this is designed to improve the experience for everyday web users or the majority of businesses in the UK. The winners will be the international corporations that’ll regain free access to the personal data of the UK general public with almost none of the accountability established by GDPR.

Need help with your digital marketing?

Contact us on 02392 830281 or send us your details here and we’ll be in touch.

Chris Pitt profile picture
Chris Pitt

Chris is Managing Director at Vertical Leap and has over 25 years' experience in sales and marketing. He is a keynote speaker and frequent blogger, with a particular interest in intelligent automation and data analytics. In his spare time, he enjoys playing the guitar and is a stage manager at the Victorious Festival.

More articles by Chris
Related articles
Data analytics on a screen

Google Consent Mode explained

By Kerry Dye
person pointing pen at a sales funnel

Why bother with SEO if your PPC is doing great?

By Ben Jayston
Google building

Announcements at Google Marketing Live 2022

By Michelle Hill