Logo Logo

The UK is leaving the EU, but the General Data Protection Regulation (GDPR) will still affect how your website may track visitors from the EU.

After Brexit, the Data Protection Act will be in effect with the same requirements for consent as the GDPR.

Try our free compliance test to check if your website’s use of cookies and online tracking is compliant.

ICO and GDPR enforcement: what happens after Brexit to the GDPR in UK?

The United Kingdom is protected by several data privacy laws that dictate how UK companies and websites are able to handle user data and personal information.

One of them is the EU’s General Data Protection Regulation (GDPR).

However, the UK is leaving the EU.

What does this mean for UK data laws? What does it mean for UK websites and their requirements to obtain prior consent before processing or collecting user data?

In this article, we will be looking at the different privacy laws in effect in the UK – the GDPR, PECR and the Data Protection Act of 2018.

What are their differences, how do they overlap... and what happens after Brexit?

Stay with us.

What is GDPR?

The General Data Protection Regulation (GDPR) is an EU law that took effect in May 2018 and is uniformly binding in all 28 EU nations. It controls how companies and organizations are allowed to handle personal data.

Personal data is defined in the GDPR as anything that can be directly or indirectly identified to a natural person, such as names, physical addresses, IP addresses, location data, and information about physical, mental, economic, cultural or social facts.

Sensitive personal data, however, is defined by the GDPR as data about religious convictions, political opinions and/or sexual orientation.

GDPR in the UK is enforced by ICO, GDPR's watchdog on the Isles

The GDPR in the UK remains as binding law until after Brexit.

The GDPR then specifies how these two types of data are supposed to be handled by companies, organizations or websites.

It clarifies in total eight rights for individuals, including the right to request access to one’s data (a so-called Subject Access Request or SAR), as well as to request their personal data deleted.

The most important right that the GDPR empowers EU citizens with is the right to not have their data (personal or sensitive) collected and processed without prior consent.

Prior consent according to the GDPR in the UK

In the UK, the GDPR requires that website owners -

  1. obtain clear and unambiguous consent from its users,
  2. prior to any processing of personal data,
  3. after specifying all types of cookies and other tracking technology present and operating on its pages,
  4. in easy-to-understand ways that enable users to consent and to revoke consent on each specific category of cookies,
  5. to then be able to safely and confidentially document each user consent,
  6. and to ask for renewed consent every twelve months.

This is the backbone of UK GDPR compliance.

As a member of the EU, the UK is bound by the GDPR, and all UK websites, companies and organizations must follow the GDPR’s requirements for informed and prior consent, including the other requirements listed above.

Two types of consent in the UK under GDPR

There are two types of consent specified in the GDPR: explicit consent and active consent (also known as implied consent or soft opt in).

Explicit consent is mandatory if a website, company or organization processes sensitive data, and means that users must give their affirmative consent for the processing of these data.

Active consent is required for the processing of all other personal information. This type of consent is typically seen as the cookie banner that states that “continued browsing on a website equals valid consent”, i.e. users don’t have to engage with the cookie banner, instead their browsing on the website constitutes consent.

Cookiebot uses its unique scanning technology to map out all the cookies and similar tracking on your website, offers you a full scanning report, cookie declaration and a customizable cookie banner that automatically holds back all tracking from the moment that the user lands on your webpage and until they give their choice of consent from the customizable consent banner, as required by the GDPR.

Try a limited scan of five subpages for free today.

Who enforces the GDPR in the UK?

The responsibility of aligning the General Data Protection Regulation with UK law sits with the Department for Culture, Media and Sport

However, when it comes to actual enforcement of the GDPR on UK soil, it is the Information Commissioner’s Office (ICO) that steps in.

It is the national data protection authorities (the so-called DPAs) of each EU nation that has the responsibility of enforcing the GDPR in their country, although special responsibility and power falls to the Irish DPA for being the lead regulator of the GDPR in EU.

This is because a provision in the GDPR specifies that the law’s lead regulator must be the DPA of the country that houses a tech company’s data controller, which is the case for Ireland when it comes to both Facebook and Google.

ICO is GDPR enforcer in the UK

ICO is the data authority and enforcer of the GDPR in UK.


ICO is the enforcer of the GDPR in the UK with the power to conduct criminal investigations and issue fines.

This was witnessed last year when ICO raided the offices of Cambridge Analytica - the disgraced data firm that abused the personal information of 87 million people from Facebook profiles to construct “psychographic profiles” on voters in order to sway them for the Leave.EU campaign in the Brexit referendum, as well as for the presidential campaigns of Donald Trump and Ted Cruz.

GDPR fines UK

According to the GDPR, UK websites and companies who fail to comply with its requirements can be fined up to €20 million or four percent of a company’s annual global turnover, whichever is greater.

So far the GDPR fines in UK vary a lot in form and strength.

ICO has enforced the GDPR in the UK on numerous occasions already.

A lot of the monetary penalties issued by ICO a year after the date of effect of the GDPR in the UK center around unsolicited direct marketing, which is unlawful according the to GDPR. Prior consent from its customers or users is required before a company or website can undertake direct marketing.

The fines issued by ICO in the last six months range from £40,000 for unsolicited text messages to £400,000 for sharing personal data unlawfully.

However, much bigger fines might be on the way, as ICO recently issued a notice of its intention to fine British Airways £183 million and Marriot International £99 million for data breaches under the GDPR.

ICO conducted extensive investigations into both the latter incident, where approx. 339 million guest records globally were exposed, and the former, where personal information of 500,000 customers were harvested by hackers.

ICO has stated that it prefers to work with organizations to improve their practices, rather than seeking maximum fines.

ICO’s GDPR enforcement has so far taken shape as monetary penalties, but also guidance to companies and organizations in order to improve their practices and sometimes “a stern letter can be enough”, ICO stated.

ICO: GDPR vs. PECR vs. Data Protection Act of 2018

ICO has more than one data law to enforce in the UK though!

In fact, there are three substantial pieces of legislation that the ICO is regulator and enforcer of: the EU’s GDPR and UK’s PECR and Data Protection Act of 2018.


PECR stands for the Privacy and Electronic Communications Regulations. It dates from 2003 and is the UK’s national implementation of the ePrivacy Directive, which is an EU directive, not a regulation – this means that it is not automatic law in all EU countries, but rather an instruction that each country much legislate accordingly to. The ePrivacy Directive has since been updated in 2009, while the PECR has been amended seven times.

The most recent update to the PECR came in June 2019 and is a revision of the section on cookies and similar technologies.

ICO and GDPR: enforcement of PECR, DTA and GDPR in the UK

ICO enforces PECR, DPA and the GDPR in the UK.

These changes have significant impact on website owners and operators in the UK!

ICO and cookies - updated guidelines to PECR in 2019

ICO has updated its guidelines regarding the use of cookies, and hence the processing of user data, according to the PECR. It has done so in order to align it with the consent standards of the GDPR.

ICO has ruled that the active consent (implied consent or soft opt in) is not a valid and lawful type of consent. It does not meet the requirements of the PECR or GDPR in the UK, ICO states.

Check out the new PECR guidelines on ICO’s own website.

Website owners and operators are no longer allowed to collect or process personal information if users simply close a cookie banner or choose to keep browsing on a site after the popping up of a cookie banner.

Instead, users must affirmatively consent to all categories of cookies apart from the strictly necessary ones on which a website functions.

ICO's GDPR enforcement means stronger guidelines for consent to the PECR

This is how a compliant cookie banner in the UK looks, according to the new guidelines by the ICO. Notice: no pre-ticked boxes except strictly necessary cookies

This is a significant update by ICO to the requirements of consent by PECR and GDPR in the UK.

The UK Data Protection Act 2018

The Data Protection Act of 2018 was passed just before the GDPR came into force in May 2018. It replaces the 1998 Data Protection Act.

The Data Protection Act is very close to the GDPR and more or less ensures the same protections and rights for UK citizens as the GDPR does for EU citizens. Most of the processing of personal data is subject to the GDPR in the UK, as long as the UK is still a member.

However, the Data Protection Act supplements the GDPR and “applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply”.

It deals with the same subjects as the GDPR does: personal data, identifiable living individuals, the processing in relation to personal information, data subject, controller and so on.

It is closely modelled after the GDPR with the intention to minimize break ups in UK law, when the UK exits the EU.

The three data laws (GDPR, PECR and DPA) sit alongside each other and complement each other.

They empower UK citizens with privacy rights in relation to electronic communications that the ICO is responsible for enforcing.

Cookiebot enables compliance with all three of them. We scan your website and reveal all and every single cookie and similar tracking technology, first or third party. Then we block and hold back all until your users have given their consent via our customizable cookie banner.

Try for free today.

How to comply with GDPR in the UK

If you have a website in the UK, you must abide by the GDPR, the PECR and the Data Protection Act.

A simple way to do so, is to visit the website of the ICO and read their guides for compliance and the use of cookies on UK websites.

To be GDPR compliant, you can use a compliance and consent solution like Cookiebot that enables you – the website owner and/or operator – to be fully compliant with the GDPR, PECR and Data Protection Act.

Our highly customizable cookie banner enables you to design privacy protection on your website that meets all the requirements of the data laws, including the newest guidelines by the ICO.

GDPR and Brexit - will the GDPR affect the UK after Brexit?

The United Kingdom is leaving the European Union, that much is sure. What is much less certain is how.

What does Brexit mean for the GDPR in the UK?

GDPR in UK: ICO and GDPR will part ways after a hard Brexit.

The GDPR and Brexit means changes for the UK and ICO.

When the UK is no longer a member of the EU, the GDPR does not apply directly to UK websites, companies and organizations.

It will still apply to those UK entities that offer services to European citizens, since the GDPR still protects EU citizens from processing of their personal information by websites, no matter where in the world they are located.

However, the Data Protection Act was passed in the winter of 2018 and modelled extremely close to the GDPR with the intention of making the transition in data privacy law as smooth as possible in the process of Brexit.

The European Union has made it clear that if it deems the UK’s level of personal data protection essentially sufficient to that of the EU’s GDPR, it will make an adequacy decision, allowing for the transfer of personal data to the UK without restrictions.

The EU has a similar agreement with the US called the Privacy Shield.

Summary: the GDPR, UK, ICO, PECR and the Data Protection Act

To sum up –

GDPR and the UK

The GDPR in the UK requires all UK websites to obtain prior consent before processing personal information of users.


The ICO is the UK data protection authority with the power to enforce the GDPR on UK soil. ICO has updated their guidelines to the PECR (the national implementation of the ePrivacy Directive) to meet the standards of consent specified in the GDPR.

ICO and PECR and DPA

The ICO not only enforces the EU's GDPR, but also the national PECR and Data Protection Act. The Data Protection Act will stand regardless of what happens with Brexit.

GDPR and Brexit

Once the UK leaves the EU, the GDPR will no longer apply to UK websites and companies (with exceptions, as described). However, the UK has in place and effective already the Data Protection Act of 2018 that more or less lays the same groundwork for privacy protection that the GDPR does.

The Cookiebot technology enables you to be compliant with both the GDPR in the UK, as well as the PECR and Data Protection Act.


Try Cookiebot for free today

General Data Protection Regulation (GDPR) official law text

ePrivacy Directive 2009 official law text

UK Data Protection Act 2018 official law text

Privacy and Electronic Communications Regulations (PECR)


ICO enforces data laws in the UK

ICO’s updated guidelines

Make your website’s use of cookies and online tracking GDPR/ePR compliant today

Try for free