In addition to the UK GDPR and the Data Protection Act 2018, the current legislative framework for the protection of personal data also includes the ePrivacy rules set out in the Privacy and Electronics Communications (EC Directive) Regulations 2003 (PECR). The Data (Use and Access) Bill (DUA) includes a number of reforms relating to ePrivacy. These include enhanced enforcement powers, the relaxation of consent requirements in relation to low-risk cookies and provisions for representative bodies to produce sectoral codes of conduct.
The DUA Bill represents the government's desire to balance user-friendly and innovative advancements while maintaining a robust framework for the protection of personal data, particularly in relation to ePrivacy.
Personal data breach reporting
The DUA Bill looks to align the personal data breach reporting regime under PECR with that found in the UK GDPR. The existing obligation under PECR is for personal data breaches to be reported "without undue delay". Clause 110 of the Bill will adjust the time period within which the Information Commissioner's Office (which will become the Information Commission) must be notified of a personal data breach under PECR. The timeframe will be amended to require communications service providers to report breaches within 72 hours of becoming aware of the breach, mirroring the timeframe for reporting personal data breaches under the UK GDPR. Where the notification is not made within the 72-hour timeframe, it must be accompanied by an explanation of the reasons for the delay. Communications service providers will be able to provide the information about the breach "in phases, without undue further delay" where the information is not available in its entirety at the time of notification.
Consent for low-risk purpose cookies
Currently, cookie rules in the UK require that user consent is obtained before any cookie (or similar tracking technology) is dropped on a user device. One of the two exemptions to this consent requirement is where a cookie is "strictly necessary" (meaning the cookie is essential to the provision of the service that is requested by the user e.g. cookies that authenticate access to a secure area of a site). The other exemption relates to technical communications purposes.
Rules relating to consent collection in relation to cookies have been a challenge for some organisations to comply with, particularly for those operating in tracking-heavy areas such as digital advertising. In an attempt to balance innovation and strong privacy protections, the DUA Bill will relax consent requirements for non-intrusive cookies.
Clause 111 of the Bill amends the consent collection requirements in PECR by introducing Schedule 12 of the Bill, which creates new exceptions to the consent requirements. The exceptions extend to cookies used for:
- collecting statistical information about how an organisation's service or website is being used with a view to making improvements (analytics purposes)
- optimisation of content display or to reflect user preferences about content display (e.g. saving user preferences in relation to font or adapting the display to the size of the user's device) (website appearance), and
- geographical tracking for the provision of assistance in response to an emergency communication from the user's device (emergency assistance).
In relation to cookies used for analytics and website appearance purposes, transparency and opt-out requirements remain. In both these cases, clear information must be given about the processing and users must be given an ability to opt out easily and without incurring any cost.
The DUA Bill provides that cookie consent rules will now also apply to anyone that "instigates" the storage or access to stored data. This means that the ICO could theoretically take enforcement action against website publishers, rather than the adtech vendors with whom the publisher works.
It is thought that these reforms will reduce consent fatigue due to the frequency of cookie banner pop-ups for UK users and will allow organisations to more easily collect information for statistical purposes with a view to improving their websites.
Enforcement powers
One of the most significant and noteworthy changes introduced by the Bill is the increase in fines for breaches of ePrivacy rules. Currently PECR fines are capped at £500,000. The Bill will increase these fines to align with the Data Protection Act 2018 and UK GDPR, meaning organisations could face fines of up to £17.5 million for the most serious infringements. Clause 113 of the Bill introduces Schedule 13 (to replace Schedule 1 of PECR), which extends the application of the enforcement regime in the Data Protection Act 2018 and UK GDPR so that it can be applied to PECR. It is hoped that this will create consistency for organisations as well as operational efficiency for the regulator. At the same time, it is a helpful reminder to organisations to ensure PECR compliance is prioritised to avoid exposure to greater fines.
Codes of conduct
The government has also extended the code of conduct-making provisions to PECR. Clause 114 of the Bill requires the ICO to encourage representative bodies to design codes of conduct to assist with guidance on PECR compliance which is specific to certain processing activities that are prevalent in particular sectors. The ICO will also be able to accredit bodies for the purpose of monitoring compliance with a code of conduct. Accredited bodies will be able to take appropriate action where the relevant code has been infringed. This reform has already been welcomed by trade associations such as the Data and Marketing Association (DMA), which noted that it enables the DMA to resume its work on the Direct Marketing Code of Conduct. These codes of conduct will be particularly useful for organisations whose activities take place under both the UK GDPR and PECR.
How does this compare with the EU regime?
PECR is derived from the EU ePrivacy Directive. The EU published a proposal to revise the ePrivacy Directive in the form of the ePrivacy Regulation way back in 2017. The intention was to harmonise the provisions across the EU and introduce GDPR-level fines for breaches of the ePrivacy rules (as the DUA Bill similarly proposes for PECR). There has also been a great deal of discussion around cookie notices, consent through browsers, and exemptions to the consent requirement. Progress on the legislation has almost completely stalled. It is unclear whether it will be dropped and/or replaced once the new European Commission is appointed.
Key takeaway
The key takeaway for clients in terms of changes to the PECR regime is the enhanced enforcement ability of the regulator in relation to PECR violations. This reflects the continued focus of the ICO on organisations' compliance with the cookie rules under PECR and its interest in the adtech sector. Businesses operating in digital advertising (or any tracking-heavy sector) should be mindful of these reforms and prioritise compliance with ePrivacy rules to avoid heightened penalties and regulator attention.