Ad Industry Responds to UK GDPR and ‘Annoying Pop-Ups’ Focus

The revised, watered-down, post-Brexit alternative to GDPR is working its way through the U.K. parliament. If it passes into law, it will put U.K. businesses at odds with the European Union, potentially causing headaches for international data collection processes.

While the government claims the new bill could create 4.7 billion pounds ($5.6 billion) in savings for businesses over the next decade, it’s causing concern in the advertising industry because of changes to the cookie consent process and user experience.

The Data Protection and Digital Information Bill, which was first introduced last summer but paused to offer more time for discussion with the business and data communities, promises to be “a simple, clear and business-friendly” framework in comparison to the European Union’s GDPR regulation, while also providing “more flexibility” to businesses.

The new bill aims to reduce paperwork around compliance and support international trade, as well as offer organizations “greater confidence” around users’ consent over how their data is used and introduce artificial intelligence (AI) safeguards.

But most concerning to advertisers is that the bill will also aim to reduce the volume of consent pop-ups users receive, which enables data collection. It will also create a framework of digital verification services to confirm digital identities.

“The proposals to expand the list of cookies falling outside the consent requirement focus on basic analytics and functional cookies,” said Husna Grimes, vp of global privacy for ad-tech firm Permutive. “It would be helpful to see some ad measurement cookies included in this list so that ads that are served without processing personal data—for example, contextual ads—can be accurately measured and billed for.”

Grimes also questions how changes would factor for companies working on a global scale, while pointing out that even if cookie pop-ups are reduced in the U.K. they will still be necessary across the EU. This adds complexity for privacy teams aiming for compliance across both markets.

However, one executive within a major global advertiser pointed out that having different standards across regions is less of an issue since much regulation overlaps with GDPR, a de facto standard, than the U.S. and its “problematic” state-by-state privacy regulations.

Further new regulations

The bill proposes an increase in fines for nuisance calls and texts from companies up to 4% of a company’s global revenue or 17.5 million pounds ($20.8 million), whichever is greater. The previous fine was a maximum of 500,000 pounds ($596,000).

A framework of verification processes to allow people to prove their identity digitally will also roll out. This certification should then make it easier and quicker for people to prove their identity.

However, the proposal hopes to let businesses continue using existing international data transfer mechanisms to share personal data overseas, if already compliant with U.K. laws. The Department for Science, Innovation and Technology (SIT) will also consider supporting the growing adoption of AI and quantum computing, which rely on automated decision-making without human involvement or profiling.

The Information Commissioner’s Office (ICO) will also be given more power through a statutory board to allow it to remain an independent data regulation and support company compliance.

Industry concerns

However, advertising bodies are cautious about creating more confusion around the already complicated digital advertising space, with companies keen to avoid having to manage “different data regimes” from international markets, explained Rob Newman, director of public affairs at ISBA.

“When it comes to data, advertisers need to balance concerns about privacy with being able to deliver ad campaigns that don’t impede the consumer experience. Essential to that task is removing unnecessary burdens and enabling brands to measure the reach and effectiveness of their ads,” outlined Newman.

The Advertising Association, while welcoming the new DPDI Bill, hopes for further amends around areas of non-intrusive cooks including “increased clarity and flexibility” on audience measurement for ad performance.

The U.K. arm of the Internet Advertising Bureau (IAB) is imploring lawmakers to improve online user experience through the extension of cookie consent exemptions for advertising and measurement, describing those as “non-intrusive functions.”

According to Christie Dennehy-Neil, head of policy and regulatory affairs for IAB U.K. such an extension would “achieve the risk-based and proportionate approach to cookie consent that the government wants. In its current form, the bill doesn’t make the most of this opportunity for meaningful change.”

She added that the bill continued to “cause concern” around any potential future change to cookie consent mechanisms.

“Appropriate checks and balances need to be in place to ensure that such changes will actually improve the user experience, avoid the risk of negative impacts on competition in the market, and protect the viability of the ad-funded business model our open web relies on,” said Dennehy-Neil.