Why Bending EU Data Regulation Could Lead the UK Into Wild West Chaos

Britain is looking to tap into more data opportunities after slashing ties with the European Union. But veering too far from the GDPR could land it in a chaotic, Wild West situation.

Britain is looking to tap into more data opportunities after slashing ties with the European Union. But veering too far from the GDPR could land it in a chaotic, Wild West situation.

Just as we were settling into the idea of retiring third-party cookies, the UK government threw us another curveball. While recently unveiled plans to take a new regulatory path aren’t surprising given its clear intentions about “doing things differently” following Brexit, they also mean life in the digital space is about to get even more complicated, again.

Navigating multiple data privacy laws and restrictions was already hard enough, including the newly introduced ban on web advertising featuring high-fat and sugar products. Now, moves to match UK legislation with ultra-free-trade policies mean that ad tech players, marketers, agencies, and online platforms will soon have to tackle a whole new range of reforms.

Mapping the likely fallout might seem like an impossible feat of crystal-ball gazing, but looking closer at the proposed changes gives a strong indication of where authorities want to be and the risks they will face. Here is our view on the hazards ahead and how to avoid them.

What’s behind the data re-route?

While you might think this change feels like the legislative equivalent of a post-break-up transformation, there is more going on than simply an image refresh. Motivations are also driven by the belief that lifting limitations will unleash greater data power. According to UK Culture Secretary Oliver Dowden, this counts as a major prize for leaving the EU, and the ability to cut bureaucracy and “box-ticking” will allow organizations of all sizes to grow.

The idea is not to entirely scrap EU regulation, currently mirrored in local law via the UK GDPR, but to tweak it for a better custom fit.

By adding more flexibility to requirements that it sees as overly restrictive, the changes hope to show how privacy protections can work for both businesses and consumers while attracting higher investment from those keen to grapple with less red tape. It’s no coincidence the government has included estimates predicting reforms will deliver net gains of more than £1 billion over 10 years within its outline of potential adjustments.

Are the regulatory changes needed?

Some recommendations have logical roots. For instance, narrowing legitimate interest to a specific list might address confusion about whether certain data purposes need consent or not.

It’s easy to see why consent issues have been spotlighted. Getting the green light for data collection without disrupting the online experience or hounding consumers can be tough. And as recent studies illustrate, there is arguably too much room for misinterpretation, accidental and deliberate, about the way to ask for consent. As a marketer, you may also feel Elizabeth Denham, the outgoing head of the UK Information Commissioner’s Office (ICO), has a point about consent given through frustration rather than choice.

“I often hear people say they are tired of having to engage with so many cookie pop-ups. That fatigue is leading to people giving more personal data than they would like."

Elizabeth Denham, Head of the UK Information Commissioner’s Office (ICO)

Amid a barrage of pop-ups from every site, it is likely many consumers will click “I Agree” to requests so that they can get on with what they want to do, which doesn’t match up with the original GDPR goals or help publishers and brands build positive relationships.

It’s true that reducing consent banners could be beneficial. For example, sending out requests monthly, or enabling individuals to change their preferences manually, would help cut down user admin and frustration, while still keeping them in the driving seat on data choices. But the ICO is suggesting a more drastic option: implementing master browser or device-level controls that can be flipped one way or the other, automatically. In one fell swoop, any website visited by opted-out users loses the ability to ask for direct consent.

You’ll be relieved to hear we’re not running through the rest of the UK’s data reform proposal now, but there are several potentially thorny changes worth noting, including:

  • Moving analytics cookies into the strictly necessary category, which doesn’t require consent.
  • Adding activities to the legitimate interest list that previously needed an opt-in, such as using measurement cookies for bias monitoring, detection, and correction in relation to AI systems.
  • Allowing use of solely automated AI processing; effectively removing the right not to be subject to exclusively machine-led decisions that have a legal impact on individuals.

You might have guessed the ultimate conclusion here: drastic reforms aren’t a good idea, for anyone. Although some benefits could come from tweaking aspects of the GDPR that haven’t panned out as they were meant to, especially data consent requests, the very real risks of damaging hard-won consumer trust, putting cross-market data accessibility in jeopardy, and rendering the UK an unsafe business zone considerably outweigh these potential positives.

Urging regulators to retain law and order, and stay away from Wild West territory, is the most sensible option for the digital media ecosystem.