2024: A year of divergence – what to expect from the Data Protection and Digital Information (No. 2) Bill.



Posted on 05 Mar 2024


The first substantive reforms to the UK data protection regime since Brexit are looking set to take effect in 2024 with the Data Protection and Digital Information (No. 2) Bill due to complete its long march through parliament this year - subject to the timing of the General Election.

The government’s stated intention is to update and simplify UK data protection law, which to date has continued to be closely aligned with the EU GDPR framework. In doing so, it aims to strike a balance between moving away from the ‘one-size-fits-all’ approach of the EU GDPR while ensuring that increased divergence from the EU GDPR does not threaten the UK’s crucial “adequacy” status with the EU.

In a series of short articles we examine some of the most important changes to prepare for should the bill enter the statute books in its current form.

Changes to the Privacy and Electronic Communications Regulations (PECR)

Cookies Crumble – changes to rules on prior consent

Under current PECR rules only “strictly necessary” cookies can be set without prior consent. However, in a move designed to cut down on ‘user consent’ pop-ups and banners, the bill amends PECR to remove the existing requirement for prior consent to be obtained from users in respect of certain lower risk categories of cookies. Specifically, under the new bill it will no longer be necessary to obtain prior consent from users where cookies are used for the following purposes:

  • Solely for the purpose of analytics, carried out with a view to improving the website or service.
  • To improve the appearance or functionality of the website or service. This may include situations where, for example, users wish to adjust content to fit the screen of the particular device they are using.
  • Where necessary solely to update software, or where necessary for security purposes, with the proviso that user privacy settings must not be altered and the user is given clear information about the purpose of the update. This must also include the opportunity to postpone the update before it takes effect.

Electronic Marketing – “soft opt-in” extended to charities

Under the current rules, charities and other non-commercial organisations that engage in electronic marketing are disadvantaged compared to their commercial counterparts because they cannot rely on the so-called “soft opt-in”. This is a limited exception in the PECR rules that allows commercial organisations to send electronic marketing messages to individuals without obtaining specific consent. The bill levels the playing field by removing this anomaly, allowing charities to rely on the “soft opt-in” where they have obtained contact details in the context of an individual expressing interest in the charity’s objectives or offering support.

Regulatory Fines

In less good news for electronic marketers, the ICO’s enforcement powers under PECR will be significantly increased. The financial limit of any fine under PECR was previously capped at £500,000, but this limit has now been aligned with the provisions of the UK GDPR, meaning that the maximum fine for some infringements will now be as much as £17.5 million or 4% of worldwide turnover, whichever is greater.

Please contact our Data Privacy team for further information.

James Quartermaine

James Quartermaine is a legal director in our data privacy team, advising clients on a wide range of privacy and data protection issues.

  • Legal Director
  • T: +44 (0)20 3750 2494


The articles published on this website, current at the date of publication, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your own circumstances should always be sought separately before taking any action.
