Last week’s introduction to the UK Parliament of the Data Protection and Digital Information Bill (DPDI) spelled out proposed reforms to existing data and privacy legislation (see our summary below) – to introduce clarity over what is and isn’t applicable in law, reduce admin and save UK businesses billions.
The reforms encompass changes to the current UK adoption of the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR).
Key changes proposed in the Bill include definitions of what constitutes legitimate interest for the purpose of data collection for marketing, expanded exemptions to consent for cookies, and extending soft opt-in for email to non-commercial organisations.
There are also proposals for increased fines for nuisance calls and texts and the addition of a statutory board overseeing the Information Commissioner’s Office. All of this is being implemented while adhering to GDPR equivalency, although this is yet to be confirmed by the EU.
The Data and Marketing Association (DMA), one of the organisations working with the Government on the proposals, has welcomed their introduction. Its CEO, Chris Combemale, chaired the Business Advisory Group working with the Secretary and the recently rebranded Department for Science, Innovation and Technology.
He said: “We are confident that the Bill should act as a catalyst for innovation and growth, while maintaining robust privacy protections across the UK – an essential balance which will build consumer trust in the digital economy.”
Ahead of the Bill’s progress through Parliament, and the scrutiny from the EU to ensure the Bill maintains “data adequacy”, PMW spoke to industry experts to get their take on the proposed reforms and what they mean for the industry in the short and long term.
For most, there is cynicism around the achievability of the Government’s forecast of a £4.7bn saving over 10 years to businesses – many have highlighted that the changes will increase costs initially, while others point out that some “grey areas” remain that may become clearer with the passing of the Bill.
For others, while there is acknowledgement over the changes businesses may have to make to deal with UK and EU audiences simultaneously, there is the assertion that the proposals make no significant change to UK protection law, and we ask: is the debate over data collection “well and truly done”?
“Consumers are more expectant of a safe, private open internet than pre-GDPR”
For Paul Thompson, UK Country Manager at Seedtag, the answer is “yes”.
“As always, these government-driven initiatives try to please a lot of different vested interests without addressing some of the more obvious flaws in GDPR. The bottom line is that consumers are more expectant of a safe and private open internet than they were pre-GDPR and the debate over data collection has been well and truly done.”
Thompson goes on to state that the proposals will not change policies introduced by Apple and currently being considered by Google, “which will have a far more widespread impact over the next few years. Marketers need to realise that the old ways of doing digital advertising with the collection of high volumes of unique IDs are being phased out”.
InfoSum’s General Counsel, Lorna Handley, concludes that despite claims that the Bill represents a brand new system, “there are no significant revisions to the previous version proposed and no major changes to current UK data protection law”.
“Simplifying how ‘legitimate interest’ is defined supports plans to develop the UK tech economy”
One point of the Bill widely welcomed is the clarity surrounding what constitutes ‘legitimate interest’ when collecting data for marketing.
Lloyd Davies, Managing Director UK at Making Science, says: “The plan to simplify how a business’s ‘legitimate interest’ is defined for data processing, and the expansion of cookie exemption, certainly supports the government's plans to develop the UK tech economy. Any businesses accelerating their digital footprint and data strategies will require reliable and quality data sources in order to succeed, and this move supports that business need.”
“For the 10% of marketers who remain unsure if GDPR applies to them at all, simplification will be welcomed and could allow them to confidently improve their campaign performance and ROI through making informed marketing decisions as a result of enhanced data collection.”
Thompson agrees that the measures to ensure legitimate interest is more explicit “and that consent is more appropriately managed are positive steps”, while Chris Hogg, Chief Revenue Officer at Lotame, is confident that “we'll see continued tweaks to get that balance right for all involved”.
DPDI: proposals in summary
Here we outline the core changes to UK data legislation contained within the proposals – and their implications.
Clarity on legitimate interest: Often highlighted as a grey area, the DPDI sets out to clarify when organisations can process personal data without needing explicit consent. Attracting and retaining customers and donors through direct marketing is now identified as a legitimate interest, but as before customers have the right to object to marketing should they not wish to deal with an organisation. This right will now extend to the charity and broader not-for-profit sector.
Exemptions for cookie consent requirements: The DPDI sets out to expand the range of exemptions for cookies, which will reduce the requirement of consent banners and “pop ups”. Those organisations that don’t take advertising are thought to see particular benefit.
Reduced paperwork to demonstrate compliance: The proposals include cuts to the amount of paperwork organisations and marketers need to complete to demonstrate compliance with UK data laws. Only organisations whose processing activities are likely to pose high risks to individuals’ rights and freedoms will need to keep processing records, for example those processing large volumes of sensitive data about people’s health. Commercial organisations will also have the same freedoms as academics for scientific research, such as making it easier to reuse data for research purposes.
Greater fines for nuisance texts and calls: The DPDI will increase fines for nuisance calls and texts to either up to 4% of an organisation’s global turnover, or £17.5m, whichever is greater.
Introduction of a board for the ICO: The ICO will see the creation of a statutory board with a Chair and Chief Executive.
The DMA’s Combemale expressed the association’s “delight” last week that the need for clarity in this area, which it has championed for several years, has been acknowledged. “Attracting and retaining customers and donors is a fundamental legitimate interest of businesses and charities, so we are delighted the government has acknowledged this in the reforms to help drive innovation and growth. It was important to our community that we focused reforms on the needs of both businesses and their customers to ensure the right balance was achieved for all.”
Will the savings come to fruition?
Farhad Divecha, Founder and MD of AccuraCast, expresses concerns about the Government’s claims of the savings that the Bill will introduce.
“I think these so-called ‘savings’ will never materialise for most businesses. If you have visitors from Europe or do business with Europe, you still have to comply with GDPR. So if anything, we'll end up having more complicated requirements that differ for your customer base in the UK versus in Europe.
“If you look at the details, the new framework maintains adequacy with the EU; I don't see how this will change anything for most UK businesses. The savings are mostly to the ICO and LEA who will spend less on enforcement over the next 10 years, but businesses still have to do just as much work really to remain compliant for the EU.”
“Revised cookie consent requirements leave grey areas”
The Government asserts that the Bill will mean reduced paperwork for organisations and marketers to complete to demonstrate their compliance. A more scrutinised change in the proposals surrounds the expansion of exemptions to cookie consent requirements, which among other things will reduce consent banners, seen as a positive move for those businesses who do not take advertising.
The Government bills this move as a step towards “reducing annoying cookie pop ups”, and the DMA pointed to an improved customer experience which cuts red tape for “legitimate website functionality”.
Ben Leet, Chief Executive Officer at Delineate, notes that “businesses must continue to find innovative solutions that respect consumer’s rights; it’s a necessary overhaul as the depreciation of third-party cookies continues.
“By relying on first-party data, marketers can make quick and effective real-time decisions to satiate consumers’ expectation for instant information. Brands relying on outdated, disconnected data fail to accurately reflect the current views of consumers and build distrust. In a cookieless world, this bill can be the beginning of the evolution that performance marketers are long overdue.”
But, says InfoSum’s Handley: “The finer changes that have been noted also leave grey areas — such as the revised cookie consent requirements, where the specifics are yet to be confirmed.
“The need to improve consumer privacy is both urgent and necessary, but there are additional points that the bill has yet to address. There is not much in the way of controls on data subject access requests, for example, which is an important detail for many businesses.”
“Privacy-centric transformation is here to stay”
There are still hoops for the Bill to jump through before being enshrined into law but, says Aviran Edery, SVP and GM Marketplace at Verve Group, the proposals have “provided digital marketers with clarification on the UK’s own data protection laws, confirming the advertising industry’s privacy-centric transformation is here to stay.
“To sustain digital advertising, the ecosystem must focus on developing and testing alternative audience targeting technologies that preserve user privacy. Now, advertisers need to focus on scalable solutions that can support audience expansion. Whether they are able to do this or not, one thing is clear – the safeguarding of users’ privacy is non-negotiable.”
Meanwhile, Acceleration CTO David Spencer notes the nod to the future proposed in the Bill, highlighting the rapid adoption of AI tech in businesses that has, he says, until now outpaced regulation.
“Around 15% of UK businesses have adopted AI technology, rising to 68% for large companies. The buzz around ChatGPT is sure to increase this number, as natural language processing takes AI from the back end to a more customer-facing role through chatbots.
“But adoption has outpaced regulation until now with the DPDI, which includes safeguards where people will be notified when AI makes decisions that affect them in areas of their lives from finances to their jobs. They can then challenge and seek human review when those decisions may be inaccurate or harmful.”
He warns, however: “Businesses will have to scramble to ensure compliance unless they build and continuously adapt the infrastructure to support such requests. This will be particularly challenging for many players in the finance industry, where automated processing of large volumes of individual profiles is widespread.”
Like many commentators, InfoSum’s Handley is encouraged by a number of the details contained in the proposals. “It’s promising to see that businesses in compliance with the existing UK regime will be compliant with the new one as well. This is a welcome relief for organisations that have already invested time and resources in meeting the requirements of the GDPR.”
She is also positive about the Government’s apparent demonstration that “it understands how crucial the continued data flow between the UK and EU is to businesses by outlining its commitment to maintaining the UK adequacy decision,” but adds that “how well it will be able to do this remains to be seen”.