The United Kingdom is covered by several data privacy laws that dictate how UK companies and websites may handle user data and personal information.
One of them is the EU’s General Data Protection Regulation (GDPR).
However, the UK is leaving the EU.
What does this mean for UK data laws? What does it mean for UK websites and their requirements to obtain prior consent before processing or collecting user data?
In this article, we will be looking at the different privacy laws in effect in the UK – the GDPR, PECR and the Data Protection Act of 2018.
What are their differences, how do they overlap... and what happens after Brexit?
Stay with us.
The General Data Protection Regulation (GDPR) is an EU regulation that took effect in May 2018 and is directly binding in all 28 EU member states. It governs how companies and organizations may process personal data.
Personal data is defined in the GDPR as any information relating to an identified or identifiable natural person, such as names, physical addresses, IP addresses, location data, online identifiers, and information about a person’s physical, mental, economic, cultural or social identity.
Sensitive personal data, which the GDPR calls “special category data”, is defined more narrowly: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, together with genetic data, biometric data used for identification, health data, and data about a person’s sex life or sexual orientation.
The GDPR in the UK remains as binding law until after Brexit.
The GDPR then specifies how these two types of data are supposed to be handled by companies, organizations or websites.
It sets out eight rights for individuals, including the right of access to one’s own data (a so-called Subject Access Request or SAR) and the right to have one’s personal data erased.
Central to the GDPR is that personal data may only be processed on a lawful basis (Article 6), and special category data only if an additional condition is met (Article 9). For websites the lawful basis that matters most is consent: placing non-essential cookies and similar tracking on a user’s device requires the user’s prior consent, and that consent must meet the GDPR standard described below.
In the UK, the GDPR requires that website owners -
This is the backbone of UK GDPR compliance.
As a member of the EU, the UK is bound by the GDPR, and all UK websites, companies and organizations must follow its requirements for informed, prior consent, along with the other requirements listed above.
The GDPR sets one standard for consent: it must be freely given, specific, informed and unambiguous, and it must be given by a statement or by a clear affirmative action. For special category (sensitive) data the bar is higher: explicit consent is required, meaning the user must actively and expressly confirm consent to that specific processing.
What the GDPR does not recognise is so-called implied consent: the cookie banner that states that “continued browsing on this website equals consent”, where users never engage with the banner and their browsing is taken as agreement. Banners of that kind are still common, but since no clear affirmative action is taken, they do not meet the GDPR standard (see the ICO’s PECR guidance below).
The term “soft opt-in” belongs to PECR rather than the GDPR: it is a narrow exemption that lets a company send electronic direct marketing about similar products to its own existing customers without fresh consent, provided they were offered a simple opt-out when their details were collected and in every message since. It is not a form of cookie consent.
Cookiebot uses its scanning technology to map out all the cookies and similar tracking on your website, offers you a full scanning report, a cookie declaration and a customizable cookie banner that holds back all non-essential tracking from the moment the user lands on your webpage until they have made their choice in the consent banner, as required by the GDPR.
The responsibility for aligning the General Data Protection Regulation with UK law sits with the Department for Digital, Culture, Media and Sport (DCMS).
However, when it comes to actual enforcement of the GDPR on UK soil, it is the Information Commissioner’s Office (ICO) that steps in.
It is the national data protection authorities (the so-called DPAs) of each EU member state that have the responsibility for enforcing the GDPR in their own country. For cross-border processing, the GDPR’s “one-stop-shop” mechanism makes the DPA of the country where a company has its main EU establishment the lead supervisory authority for that company.
This is why the Irish Data Protection Commission leads on both Facebook and Google: their main EU establishments are in Ireland.
ICO is the UK’s data protection authority and enforcer of the GDPR on UK soil, with the power to conduct criminal investigations under the Data Protection Act and to issue fines.
This was seen last year when ICO executed a warrant on the offices of Cambridge Analytica, the now-defunct data firm that obtained the personal information of up to 87 million people from Facebook profiles to construct “psychographic profiles” of voters. The profiles were used by the presidential campaigns of Ted Cruz and Donald Trump, and the firm was also alleged to have worked for the Leave.EU campaign in the Brexit referendum.
According to the GDPR, UK websites and companies who fail to comply with its requirements can be fined up to €20 million or four percent of a company’s annual global turnover, whichever is greater.
So far, ICO’s enforcement actions in the GDPR era have varied widely in form and size.
ICO has taken enforcement action on numerous occasions since the GDPR took effect.
Most of the monetary penalties ICO issued in the year after the GDPR took effect concerned unsolicited direct marketing (nuisance calls, texts and e-mails). Those fines are issued under PECR rather than the GDPR: PECR requires prior consent from the recipient before a company can send most forms of electronic direct marketing.
However, much bigger fines may be on the way. ICO recently issued notices of its intention to fine British Airways £183 million and Marriott International £99 million for data breaches under the GDPR.
ICO conducted extensive investigations into both incidents: the British Airways breach, in which the personal information of around 500,000 customers was harvested by attackers, and the Marriott breach, in which approximately 339 million guest records worldwide were exposed.
ICO has stated that it prefers to work with organizations to improve their practices, rather than seeking maximum fines.
ICO’s GDPR enforcement has so far taken shape as monetary penalties, but also guidance to companies and organizations in order to improve their practices and sometimes “a stern letter can be enough”, ICO stated.
ICO has more than one data law to enforce in the UK though!
PECR stands for the Privacy and Electronic Communications Regulations. It dates from 2003 and is the UK’s national implementation of the ePrivacy Directive. The ePrivacy Directive is an EU directive, not a regulation, which means it is not automatically law in every EU country; instead each country must pass its own legislation to give it effect. The ePrivacy Directive was updated in 2009, and PECR has been amended seven times since.
The most recent development came in 2019, when ICO published updated guidance on the use of cookies and similar technologies under PECR. The regulations themselves were not amended; what changed is how ICO says they must be applied.
ICO enforces PECR, DPA and the GDPR in the UK.
These changes have significant impact on website owners and operators in the UK!
ICO’s guidance states that so-called implied consent (“continued browsing equals consent”) is not a valid and lawful form of consent. It does not meet the requirements of PECR, which since May 2018 refers to the GDPR’s definition of consent.
Website owners and operators are therefore not allowed to set non-essential cookies or process the resulting personal information if users simply close a cookie banner, scroll, or keep browsing after a cookie banner has appeared.
Instead, users must affirmatively consent to every category of cookies other than the strictly necessary ones without which the site cannot function, and no cookie in those categories may be set before that consent is given. Analytics cookies count as non-essential under the ICO guidance, so they require consent as well.
This is how a compliant cookie banner in the UK looks according to the new ICO guidance. Notice: no pre-ticked boxes, and only the strictly necessary cookies are enabled by default.
This is a significant clarification by ICO of the consent requirements under PECR and the GDPR in the UK.
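The consent model described above (prior blocking of everything but strictly necessary cookies, no pre-ticked boxes, and no consent inferred from dismissing the banner or continuing to browse) can be implemented as a small piece of client-side logic. The following is an added example written for this article; it is not Cookiebot’s code. The category names, the data-cookie-category attribute, the CookieConsent cookie name and the sample script list are assumptions chosen for the example. In a real page the inert tags would be <script type="text/plain" data-cookie-category="statistics" src="..."> and “activating” a script means switching its type to text/javascript.

```javascript
// Added example (not Cookiebot's code): prior blocking of cookie-setting
// scripts until the user gives affirmative, per-category consent.
// Category names, the CookieConsent cookie and the sample scripts are assumptions.

const CATEGORIES = ['necessary', 'preferences', 'statistics', 'marketing'];

// State before any interaction: only strictly necessary cookies are allowed.
function defaultConsent() {
  return { necessary: true, preferences: false, statistics: false, marketing: false };
}

// Checkbox state for the banner: nothing pre-ticked except the locked
// "necessary" box, so the user has to opt in to every other category.
function bannerOptions(consent = defaultConsent()) {
  return CATEGORIES.map(c => ({
    category: c,
    checked: c === 'necessary' ? true : consent[c] === true,
    locked: c === 'necessary',
  }));
}

// Only an affirmative banner action changes the record. Dismissing the banner,
// scrolling or navigating on is not consent and leaves the state untouched.
function applyBannerAction(current, action) {
  switch (action.type) {
    case 'accept-all':
      return Object.fromEntries(CATEGORIES.map(c => [c, true]));
    case 'accept-selected': {
      const next = defaultConsent();
      for (const c of action.selected || []) {
        if (c in next) next[c] = true; // unknown categories are ignored
      }
      return next;
    }
    case 'reject-all':
      return defaultConsent();
    default: // 'dismiss', 'scroll', 'navigate', ...
      return { ...current };
  }
}

// Decide which inert script tags may be activated. A tag with no category
// is treated as non-essential and stays blocked (fail closed).
function scriptsToActivate(scripts, consent) {
  return scripts
    .filter(s => s.category !== undefined && consent[s.category] === true)
    .map(s => s.src);
}

// Persist the decision with a timestamp and policy version so the site can
// demonstrate what was consented to and when. Secure + SameSite=Lax keeps the
// record off plain HTTP and out of cross-site POSTs.
function consentCookie(consent, nowMs, policyVersion) {
  const payload = { ...consent, ts: nowMs, v: policyVersion };
  const value = encodeURIComponent(JSON.stringify(payload));
  return `CookieConsent=${value}; Max-Age=31536000; Path=/; Secure; SameSite=Lax`;
}

// Read the record back on the next visit; anything missing or malformed
// falls back to the default (necessary only).
function parseConsentCookie(cookieHeader) {
  const m = /(?:^|;\s*)CookieConsent=([^;]*)/.exec(cookieHeader || '');
  if (!m) return defaultConsent();
  try {
    const p = JSON.parse(decodeURIComponent(m[1]));
    const out = defaultConsent();
    for (const c of CATEGORIES) if (c !== 'necessary') out[c] = p[c] === true;
    return out;
  } catch (e) {
    return defaultConsent();
  }
}

// Constructed sample page: four inert script tags, one without a category.
const SAMPLE_SCRIPTS = [
  { src: '/js/app.js', category: 'necessary' },
  { src: 'https://analytics.example/tag.js', category: 'statistics' },
  { src: 'https://ads.example/pixel.js', category: 'marketing' },
  { src: 'https://widget.example/chat.js' },
];

// Walk-through: landing, dismissing the banner, then opting into statistics.
function demo() {
  let consent = defaultConsent();
  const onLanding = scriptsToActivate(SAMPLE_SCRIPTS, consent);
  consent = applyBannerAction(consent, { type: 'dismiss' });
  const afterDismiss = scriptsToActivate(SAMPLE_SCRIPTS, consent);
  consent = applyBannerAction(consent, { type: 'accept-selected', selected: ['statistics'] });
  const afterOptIn = scriptsToActivate(SAMPLE_SCRIPTS, consent);
  return { onLanding, afterDismiss, afterOptIn, cookie: consentCookie(consent, 1561939200000, 1) };
}

console.log(demo());
```

Two design choices are worth noting. First, an uncategorised script is blocked rather than allowed, so a tag that a developer forgets to label cannot silently set tracking cookies before consent. Second, the stored record carries a timestamp and a policy version, which is what lets the site show later what a given user agreed to and under which version of the cookie declaration.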
The Data Protection Act of 2018 was passed just before the GDPR came into force in May 2018. It replaces the 1998 Data Protection Act.
The Data Protection Act sits alongside the GDPR rather than duplicating it. While the UK is a member, most processing of personal data is governed directly by the GDPR; the Act fills in the choices the GDPR leaves to member states (such as the age of consent for online services, exemptions, and the powers of the ICO) and separately covers processing by law enforcement and the intelligence services, which the GDPR does not reach.
However, the Data Protection Act supplements the GDPR and “applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply”.
It deals with the same subjects as the GDPR does: personal data, identifiable living individuals, the processing in relation to personal information, data subject, controller and so on.
It is closely modelled on the GDPR with the intention of minimizing disruption to UK law when the UK exits the EU.
The three data laws (GDPR, PECR and DPA) sit alongside each other and complement each other.
Together they give people in the UK privacy rights in relation to their personal data and to electronic communications, and the ICO is responsible for enforcing all three.
Cookiebot enables compliance with all three of them. We scan your website and reveal every cookie and similar tracking technology, first or third party. Then we block and hold back all of them until your users have given their consent via our customizable cookie banner.
If you have a website in the UK, you must abide by the GDPR, the PECR and the Data Protection Act.
To be GDPR compliant, you can use a compliance and consent solution like Cookiebot that enables you – the website owner and/or operator – to be fully compliant with the GDPR, PECR and Data Protection Act.
Our highly customizable cookie banner enables you to design privacy protection on your website that meets all the requirements of the data laws, including the newest guidelines by the ICO.
The United Kingdom is leaving the European Union, that much is sure. What is much less certain is how.
What does Brexit mean for the GDPR in the UK?
The GDPR and Brexit means changes for the UK and ICO.
When the UK is no longer a member of the EU, the GDPR will no longer apply directly to UK websites, companies and organizations as EU law.
It will still apply to those UK entities that offer goods or services to individuals in the EU or monitor their behaviour, since the GDPR protects people who are in the EU regardless of where in the world the website processing their data is located (and regardless of their citizenship).
The Data Protection Act, passed in May 2018, was modelled extremely closely on the GDPR with the intention of making the transition in data privacy law as smooth as possible in the process of Brexit, and the UK government has legislated to retain the text of the GDPR in domestic law on exit day under the EU (Withdrawal) Act 2018.
The European Union has made it clear that if it deems the UK’s level of personal data protection essentially equivalent to that of the EU’s GDPR, it will make an adequacy decision, allowing personal data to flow from the EU to the UK without additional safeguards.
The EU has a similar agreement with the US called the Privacy Shield.
To sum up –
The GDPR in the UK requires all UK websites to have a lawful basis for processing users’ personal information, and to obtain prior, affirmative consent before setting non-essential cookies or similar tracking.
The ICO is the UK data protection authority with the power to enforce the GDPR on UK soil. ICO has updated its guidance on PECR (the national implementation of the ePrivacy Directive) so that cookie consent is held to the standard of consent specified in the GDPR.
The ICO not only enforces the EU's GDPR, but also the national PECR and Data Protection Act. The Data Protection Act will stand regardless of what happens with Brexit.
Once the UK leaves the EU, the GDPR will no longer apply directly to UK websites and companies as EU law (with the exceptions described above). However, the UK already has the Data Protection Act of 2018 in force, which together with the retained text of the GDPR lays essentially the same groundwork for privacy protection that the GDPR does.