Good news for marketers – unless you’re not following the law already 💸
The UK government recently published the outcome of their consultation on the Data Reform Bill (now known as the Data Protection and Digital Information Bill) – a collection of sweeping policy changes “designed to make the UK the best place for businesses and scientific institutes to undertake data-driven activity”.
The reforms aim to shake up the current data protection law regime in the UK which is currently centred around the UK GDPR/Data Protection Act and PECR (The Privacy & Electronic Communications Regulations).
The proposed changes will cover a broad range of data protection issues, and seek to reduce burdens on UK businesses and researchers.
Some of these changes could make life easier for UK marketers, and open up doors for what marketers can do with data. At least in theory.
In this article we’ll look at the three key changes and what they could mean for your marketing strategy. Naturally, to build your enthusiasm for data privacy law we’ve ordered them in terms of fun (bear with us, the third one is juicy).
“Soft opt-in” marketing consent will be extended to non-commercial entities, such as charities and political parties.
Soft-opt-in refers to the ability to opt customers into marketing communications by email, phone and text without the need for them to explicitly opt-in if the customer is purchasing or entering into negotiations to purchase a product or service.
If you are an e-commerce company you can apply this during your checkout process so that customers who buy an item for you are opted in to further communications about similar products unless they choose to opt out.
It’s a great way to increase your marketing list size but it does come with a set of strict requirements which affect whether your implementation of it is legal or not, so make sure you get some advice and/or training before implementing it.
So far the soft-opt-in has been prohibited for use by non-commercial entities, such as charities and political parties. The Data Reform Bill proposals seek to change this, so that charities and political parties can take advantage of this exception.
So if you are marketing for a charity or political party this could be game changing. For example when registering new donors you may no longer need to rely on opt-in consent for marketing communications which could greatly increase the size of your contactable database.
Financial penalties for breaching the Privacy and Electronic Communications Regulations 2003 (PECR) will be increased to bring it in line with the GDPR.
Currently fines under PECR are capped at £500,000. The changes proposed under the Data Protection and Digital Information Bill will mean that breaches of the PECR rules, like the sending of unsolicited marketing communications or non compliant use of cookies and other tracking technologies could attract a fine of up to £17.5 million or 4% of global turnover in the preceding financial year.
Ouch! For marketers who haven’t been following the rules so far this means it’s really time to start taking the PECR rules seriously. And for those already complying it’s a good time to check that your documentation is up to date so that in the case of an accidental breach of the rules you can demonstrate your efforts in complying as mitigating circumstances.
The requirement to obtain consent for cookies will be relaxed (in some cases). Goodbye cookie banners?
In its current form (pre 2nd reading, August 2022) the bill proposes that cookies for audience measurement, for example web analytics will be allowed without specific opt-in consent.
The proposed legal text also clarifies that cookies used for security or fraud prevention will be permitted without opt-in required. Currently this is not 100% clear from the legal text but is generally interpreted by many companies as appropriate.
The proposed rules still require that website users are provided with information about the use of cookies, and the general GDPR rules with regards to data processing purposes, data subject rights and restricted transfers would still apply – so this may not be a green light to start using a tool like Google Analytics without consent unless you have put other compliance work in place.
The rules also specify that users must be given the option to opt-out of the cookies, so in practice you will still want a cookie consent mechanism in place in order to manage “opt-out” requests.
Cookies that are used for advertising purposes are not exempted in the latest rules, so for now it looks like you will still need to provide a cookie consent “opt-in” mechanism for these technologies.
Other changes include that once a technical method for web browsers to accept or reject cookies at the browser level is agreed. For example you would state your cookie preferences for all websites and save this to your browser (Chrome, Safari etc). Then this could be accepted as consent or denial of consent instead of having to interact with a cookie consent banner on every website.
Overall for marketers this could be good news. Cookies that track website visits may be allowed again without consent, meaning you could dramatically increase the amount of web traffic that you are able to analyse.
However there will be some additional complexity for marketers that are promoting their products and services internationally. While you may be able to relax rules for your UK website visitors for example you will not be able to apply these changes to your EU website visitors. You will therefore need to apply some method of distinguishing where visitors are coming from in order to determine which rules to apply to them, and then you will need to be able to apply different rules to how cookies are served to each of these user groups.
What are the chances of the proposals becoming law?
The UK government is committed to data protection law reform, so we can expect that some changes will occur. The biggest hurdle to these changes currently is not disagreement from members of parliament, business leaders and the public. Instead, the main hurdle is that any dramatic changes from the GDPR could lead to the EU commission reevaluating their current “adequacy decision” on the UK. The current adequacy decision allows data to freely flow between the UK and EU without additional safeguards. This is beneficial for UK and EU companies because it reduces administrative work and makes data transfers simple. If the UK weakens its rules too much, the EU may decide to revoke their adequacy decision which would lead to a considerable administrative burden for UK businesses that wish to continue transferring personal data to or from the EU.
It’s not yet clear how this will play out. But the rules affecting PECR are unlikely to affect this, as they do not specifically weaken protections of EU citizens’ data when transferred in and out of the UK.
What happens next and when can I apply these changes?
For now UK GDPR and PECR still apply and you could still be liable for a financial penalty or criminal prosecution for non-compliance. So don’t drop your compliance efforts just yet.
A draft legal text has now been introduced to the House of Commons. The legal text will now pass through the parliamentary process for legal ascent.
It’s scheduled for its 2nd reading on the 5th of September 2022.
The second reading is the first opportunity for MPs to debate the main principles of the Bill. At the end of the debate the commons will decide by voting whether the bill can progress.
The following stage is the committee stage – where each part and any proposed amendments to the Bill will be debated.
We’ll be keeping an eager eye on developments and will be communicating them online via our blog and to our email subscribers. GDPR and PECR training customers will also get access to regular updates to training materials to cover the changes. (relevant to your course access or subscription period).
We would expect there to be a transition period for any new requirements, however because many legal requirements will in effect be relaxed, we can expect the bill to come into force quickly.