Explore the best creative works

Adtech execs weigh up pros and cons of UK plans to diverge from GDPR

Can the UK improve on GDPR, a regulation that’s had years of thought and countless resources invested in it?

UK culture secretary Oliver Dowden last week outlined that he is keen to reform UK data laws and diverge from EU-enacted GDPR, which the nation has been adhering to since May 2018. The Drum explores how the proposed change could impact user privacy and digital advertising.

The proposal

Dowden announced in a paywalled interview in The Telegraph his intent to diverge from GDPR. “Now that we have left the EU I’m determined to seize the opportunity by developing a world-leading data policy that will deliver a Brexit dividend for individuals and businesses across the UK.”

He promised “common sense, not box-ticking”. Some have branded this as a vague line of politicking difficult to apply to the world of adtech, while others have taken it literally.

To the well-informed European web user, GDPR is to blame for all the box-ticking bureaucracy on the internet. To protect user privacy, it has littered box-ticking consent forms everywhere.

Before GDPR was implemented, a website could authorise tens of advertising intermediaries to plant a third-party tracking cookie on a user’s browser as to deliver relevant advertising. Now the user has to grant permission for such tracking.

It wasn’t always smooth sailing, however. These forms were tricky to navigate. Many enacted tricks or added friction to make an opting out almost impossible, although the IAB as early as November 2019 believed that most were compliant with good practices.

With the UK officially leaving the EU on January 31 2020, among the many bartering points was data sharing between the two blocks.

The UK negotivated a four-year adequacy deal with the EU. It concludes in 2025, but could be brought to a close earlier if MEPs argue that any UK divergence or its new deals beyond the EU could threaten a leak of EU members’ personal data.

There are further concerns that the UK will pursue a policy of deregulation (at a time when even the USA and China are strengthening consumer privacy policies). Any real fork in the road in practice will jeopardize other nations’ willingness to share consumer data with the UK. And brands could do without further complications making it harder to reach some 70 million people in the UK.

Any coming change will likely be steered by John Edwards, who will replace information commissioner Elizabeth Denham.

What the advertising industry says

GDPR was developed to protect consumer privacy across the EU. For publishers, adtech firms and agencies, there was a whole new slew of challenges that arose.

Theoretically, the life of any marketer intent on web-based tracking would be easier if they were to erode these protections. But even then, the world has moved on. Google is imminently phasing out the third-party cookies we’ve all been consenting to on these forms, and other browsers have already done this. If GDPR was retracted tomorrow, marketers still couldn’t rely on cookies to find their customers.

There’s one worry on IAB UK chief marketing officer James Chandler’s mind. He welcomes improving international data transfers through data adequacy partnerships with other countries, but worries that “any exploration of this by the government must be careful not to endanger the UK’s data adequacy with the EU”. Wired reports that the free flow of data to the EU is worth £85bn to the UK – that’s 13% of UK GDP. New deals could jeopardize existing EU trade, although the UK has already shown a willingness to do this.

For the web user, there are many considerations too. Julie Rubash, chief privacy counsel at Sourcepoint, highlights that consumers are frustatrated with the cookie banners and marketers could improve them within current frameworks. This is less about policy and more about how it is executed.

In France, the CNIL has insisted upon a ‘reject all’ cookies button as standard – something data controllers are reluctant to implement. Additional friction equals greater permissions.

Rubash thinks that the UK will merely “evaluate whether existing requirements are achieving the goal of protecting privacy and adjusting them to have a more meaningful impact”. It could be a positive move, although some worry about the tech literacy of governments making these decisions.

Dominic Tillson, marketing director at Inskin Media, is all for a “silver bullet” solution that is better than the “incomprehensible and interruptive GDPR notices and cookie banners”, but believes it will take time.

“It may well be that there is room for divergence from EU data protection law while still retaining the GDPR as a framework. Throwing the baby out with the bathwater is rarely the best idea.”

Steph Miller, UK commercial director, Adnami, admits that the GDPR has been “widely criticized for being too bureaucratic, not to mention costly ... but let’s not throw away all the hard work of the past three years since the regulations were introduced”.

She points out that businesses have already sank a lot of time and money into meeting GDPR compliance, and to change that could bring more trouble. Any changes should “stick to the spirit of the GDPR”.

Meanwhile, Bedir Aydemir, head of audience and data, commercial, for News UK, has seen the impact of the ‘box-ticking’ first hand. The well-meaning regulations have left publishers with an “undeniable mess” in the short term.

“I strongly believe the intentions behind it were correct, and that the requirements (many of which are yet to be actioned in any meaningful way) could lead to a better digital advertising ecosystem.”

But Aydemir is critical of the execution of both GDPR and the IAB Europe’s Transparency and Consent Framework. “We have to give people control and transparency. These have provided neither.

“Quality, free-to-consume content needs to be able to better monetize via an RTB ecosystem.”

And finally, James Leonard, director of digital activation at TMWI, concludes: “Whether this is indeed good news will depend on whether the UK’s revamped data legislation can stand up to scrutiny while also boosting growth and increasing innovation and trade, as is the plan.”

Can the UK improve on GDPR, a regulation that’s had years of thought and countless resources invested in it? Should the UK make fine adjustments to improve consent-gathering and cut down on the box-ticking? And is a post-Brexit government bartering every detail with EU bureaucrats in the best place to reinvent the wheel?

These will all be answered once the newly-installed information commissioner starts laying down his agenda.

Additional reporting from Chris Sutcliffe.

By continuing to use The Drum, I accept the use of cookies as per The Drum's privacy policy