Potential reforms to UK data privacy laws will change the way that cookies work on websites - businesses need to prepare now.
One of the key benefits of Brexit, according to the Government and other supporters of the break with the EU, will be that Britain can diverge from the GDPR and draft its own, possibly less burdensome, data protection laws. The UK government wants to balance consumer rights with what it describes as “innovation and economic growth”.
In August, the then culture secretary Oliver Dowden told the Daily Telegraph: “There’s an awful lot of needless bureaucracy and box ticking and actually we should be looking at how we can focus on protecting people’s privacy but in as light a touch way as possible.” He went on to give an example of churches being prevented from sending parish newsletters which advertised jumble sales because this could be classed as marketing and therefore would require prior consent from recipients.
Mr Dowden also revealed plans to remove, in all but the most sensitive cases, what he described as the “endless” cookie banners that pop up, asking for permission to store personal information about site visitors in order to comply with existing cookie legislation. Already some UK-based sites are developing their own non-standardised pop-ups.
Assuming that the UK Government manages to turn its proposals into law, businesses operating in the UK will have more freedom to establish their own cookie settings. They will be subject to less bureaucracy and should be able to collect more information more easily. The UK Government is also working to sign data privacy agreements with countries including the US, Australia, South Korea and Singapore, with the aim of reducing the red tape required to transfer personal data to those jurisdictions legally.
However, critics of the Government’s proposals argue that they emphasise the interests of businesses and offer too little to protect the privacy of individuals. “God knows there are some areas of privacy law and data protection regulation we could tweak for the better of everyone involved,” Heather Burns, policy manager at Open Rights Group, a UK campaign group protecting digital privacy, told Wired magazine, recently. But she added: “This is deregulating privacy laws and data protection safeguards in the commercial interest of industry.”
The UK’s proposals go further in terms of benefit to businesses than those currently under consideration by the EU. Some commentators believe that this is just the first step in a movement away from the EU data protection regime. Could this result in such a divergence from EU law that the “adequacy” currently granted to the UK for in-bound data transfers from the EU ends up being challenged?
This is a valid concern. When the adequacy deal was agreed, Vera Jourova, the European Commission’s vice-president for values and transparency, said: “We are talking here about a fundamental right of EU citizens that we have a duty to protect. This is why we have significant safeguards and, if anything changes on the UK side, we will intervene.”
Confrontation with the EU aside, will consumers be happy to allow analytics cookies to be stored locally, for instance, without their consent and what will their attitude be to marketing cookies? It’s early days but market research on public attitudes offers some clues.
In 2018, almost half of UK adults told a survey by Deloitte that they were “very concerned” about the use of personal data. However, by the middle of last year that number had halved to just 24 per cent. On the other hand, according to a survey published by Ofcom in 2019, 41 per cent of those asked had tried to stop websites from displaying adverts, even those that were relevant to them, and over a third (36 per cent) had actively deleted marketing cookies in order to do so.
Generally, research shows that consumers are especially willing to share their privacy via cookies if they view the product or service in question to be important, for example if it lies within the healthcare or financial services sectors.