When the European Union’s General Data Protection Regulation (GDPR) was first introduced in May 2018, it brought with it a host of new data privacy rules for marketers to get to grips. They were warned to ensure their communications were compliant, or risk enormous fines.
Yet, three years on and with the UK having finished its drawn-out exit from the EU, the government has revealed it plans to rethink its data protection policies.
According to the government’s official announcement, the shake-up comes as part of plans to use the power of data to drive growth and create jobs, while keeping “high” data protection standards. It particularly hopes to boost the growth of startups and small firms, speed up scientific discoveries and improve public services.
Digital secretary Oliver Dowden said this would require “reforming” the UK’s data laws so they are based on “common sense, not box-ticking”.
In an interview with The Telegraph, Dowden outlined plans to ditch “endless” cookie pop-ups on websites, which ask consumers for their permission to store a user’s personal information. It’s a compliance tool closely associated with GDPR, although the practice pre-dates it.
There have always been elements of both GDPR and the laws around cookies that the advertising industry has been less than keen on, as Christie Dennehy-Neil, head of policy and regulatory affairs at the Internet Advertising Bureau (IAB), points out.
Asking consumers for their consent to collect personal data creates friction in the customer experience, for example. Moreover, the laws treat all cookies the same, whether they are used for tracking, measurement or analytics.
“There’s always been a feeling that the way the cookie law played out in practice was not really ever what was intended by it,” Dennehy-Neil says.
“If there’s something that can be done to make the consumer experience better when it comes to cookies – something that’s a bit more risk-based and proportionate rather than every single cookie being treated in pretty much the same way – and if users have a more streamlined and less annoying experience online, then that could well be a really good thing for advertising and ad-funded content.
“At the same time, there’s a really important reason why we have all of those controls and why we have GDPR in the first place.”
The introduction of GDPR brought in consistency across platforms, businesses and markets, as well as helping to build consumer trust around data use. Changes to the UK’s policies would put that at risk.
For that reason, Dennehy-Neil doesn’t anticipate a total overhaul of GDPR and a whole new set of laws. Instead, she expects the government to work to identify where businesses feel they are facing blockers and see if they can be changed.
“I think [the government] is trying to think about whether [the law] is skewed too much away from business, and whether it can be rebalanced slightly more in favour of business without undermining consumer protection.”
Help or hindrance?
However, for digital advertisers, agencies, adtech businesses and online platforms, Dennehy-Neil says a GDPR overhaul is “probably not the most helpful thing right now”.
“Businesses like consistency and regulatory certainty, and so knowing that things might change but not quite how is not the most helpful,” she says.
Indeed, research by the Data & Marketing Association (DMA) shows that most marketers and businesses think GDPR was a change for the better.
“There are a lot of different changes going on in the industry so I’m not sure that another one is going to be particularly welcome,” Dennehy-Neil says, pointing towards the other regulatory changes advertisers are facing in areas such as in the advertising of high fat, salt and sugar foods.
“I don’t know that this would be something that [digital advertising] businesses would have high on their priority list. But there might be some benefits to businesses in the longer term, so there could be some positives to come from this.”
Meanwhile, the DMA has called for the government to allow industry associations like itself to establish industry codes of conduct in partnership with the Information Commissioner’s Office (ICO), instead of overhauling GDPR.
“The DMA, and many of the data privacy experts we work with, believe that it is interpretations of the GDPR that are restricting growth in the digital economy – not the GDPR itself,” says the DMA’s director of policy and compliance, John Mitchison.
“Industry codes of conduct can help to apply current data protection legislation to achieve the government’s growth and innovation objectives set out in the National Data Strategy (NDS).
“This will help businesses to innovate while maintaining a high level of privacy protection, the degree necessary to build trust and consumer confidence in the modern digital economy.”
The government has said it plans to launch a consultation with the ICO on changes to the UK’s data regime “shortly”.
Until then, advertisers and businesses in advertising are waiting anxiously to see what changes might be brought in. The IAB, along with the other industry trade bodies Marketing Week reached out to, are in “wait and see” mode.
It will be a long process to implement any changes – GDPR’s inception came after four years of discussion and negotiation, before taking another two years to come into force. With the UK now outside of the EU’s more complex legislative process any changes should be quicker, but the process is still likely to take a few years, even if not a total overhaul.
Crucially, the government must ensure that it does not risk its ‘adequacy status’ with the EU and the benefits that allows businesses across Europe, says Mitchison.
“The DMA agrees with the government’s position that the UK must strive to become a global leader in data, but there has to be a balanced approach from all parties,” he says.
“If the UK government does plan to amend data protection laws then they must remain in consultation with the EU to ensure all parties are happy. The government doesn’t need to go back to the drawing board, but there may need to be revisions to UK data protection laws at some point to facilitate non-EU adequacy agreements.”