When the United Kingdom leaves the European Union, the Data Protection, Privacy and Electronic Communications (EU Exit) Regulations 2019 will make several amendments to legislation concerning the regulation of the processing of personal data.
These Regulations are made to address failures of retained EU law to operate effectively and other deficiencies arising from the withdrawal of the United Kingdom from the European Union. It also means that, on exit day, the European Data Protection Board will no longer ensure the consistent application of the GDPR in the UK.
The GDPR mechanisms also do not apply to the enforcement of the Privacy and Electronic Communications Regulations (PECR), the national UK implementation of the ePrivacy Directive. PECR covers the use of cookies and similar technologies for storing information, and accessing information stored, on a user’s equipment such as a computer or mobile device.
The most obvious change
Recently, the Information Commissioner’s Office (ICO), the data protection authority for the UK, issued new guidance that addresses cookies and similar technologies in detail. One of the specific new rules is that consent is necessary for all statistical/analytics cookies. In the EU, however, first-party analytics are exempted from obtaining consent.
Most EU members view analytics as ‘functional’ because of the information they provide about how visitors engage with your service. And because they have almost no negative impact on the privacy of website visitors, this particular point of view is also part of the new draft e-Privacy Regulation.
However, according to the ICO, consent is always required because they feel that analytics cookies or device fingerprinting techniques are not strictly necessary to provide the service that the user requests. For example, the user can access your website whether analytics cookies are enabled or not. This means that cookies such as those for anonymous statistics from Google Analytics may no longer be set before consent; in the UK they now require consent. Only strictly necessary cookies will be allowed before consent, for example, cookies from Complianz, which manages cookie consent.
If you are based in the United Kingdom, you will be subject to the requirements of PECR even if your website is hosted overseas (e.g., using cloud services based in the USA or the EU). If your organization is based outside the UK and you offer online services designed for the UK market, you also need to comply with PECR and the UK-GDPR’s requirements in respect of the information you provide to users as well as when, and how, you obtain consent.
Coming soon: Complianz 3.2 The Brexit Edition
In Complianz 3.2 (to be released in a few weeks), we have created the UK as a new region with a specific cookie banner shown only to people who live in the UK. That cookie banner asks for consent before first- and third-party analytics cookies are set. Our cookie statement has also been changed to comply with the UK-GDPR, DPA, and PECR.
In Premium, we have updated the wizards that create your privacy statement, processing agreements, and the data leak reports. They no longer contain references to the EU or the EU-GDPR. And as a bonus, we added a Privacy Statement for children.
With Premium, you can also choose more regions than just the UK. Combine UK Privacy Laws with the European Privacy Laws (GDPR) or vice versa to cover all bases when accepting visitors from both sides of the North Sea. Or you can combine it with US Privacy Laws such as CCPA and COPPA. With GEO-IP, we will make sure that your visitors get the right cookie banner.