Legislation update
The DUA Bill.
The Data (Use and Access) Bill, aka the DUA Bill, is now law in the UK, marking a positive step for data privacy. But what's changed and what are the implications for the marketing industry?

What is it?
The DUA Bill is new legislation that provides guidance on data privacy and processing.
It reforms elements of the UK GDPR and PECR legislation but should be seen as an enhancement, not a replacement. Many of the pre-existing frameworks remain the same, but there has been a relaxation, and increased clarity, on areas of data collection and processing that are seen as low risk within the scope of the bill.
Key objectives of the DUA Bill:
- Drive economic growth
- Streamline compliance
- Modernise data usage
- Support innovation
“This legislation will unlock new opportunities for businesses, make it easier for consumers to access and control their data.” Peter Kyle, Secretary of State for Science, Innovation and Technology.
It represents a positive step for marketers and customer data. But as with all new legislation, it has varying applications for different businesses. We’ve outlined key considerations below.
Consent and permissions.
Legitimate Interest.
Since its introduction under UK GDPR, Legitimate Interest as a basis for processing has brought a degree of confusion, misunderstanding and caution, with marketers and legal teams deciding on their own interpretations and scope. The DUA Bill seeks to clarify this further, and includes amendments to the pre-existing Legitimate Interest lawful basis to provide clarity on processing activities that still require a Legitimate Interest Assessment (LIA) – direct marketing, network security and intra-group administrative transfers.
Recognised Legitimate Interest (RLI) is a new lawful basis for processing data that builds upon the existing basis from GDPR. The new basis removes the need for businesses to conduct an LIA if data is being processed for specific purposes defined in the bill. The processes covered under this basis include safeguarding, emergency response and national security.
How it affects cookies.
The bill introduces several changes to cookie consent, with a view to reducing the burden of cookie consent banners for users and websites and, in some cases, removing them altogether. The biggest beneficiaries of the changes are sites that might not rely on advertising cookies or trackers, e.g. public sector organisations, associations and informational sites.
The strictly necessary category of cookies and tracking technology now covers a more exhaustive list of purposes, including security and fraud detection. In practice, this means more cookie uses will be exempt from requiring consent if using Legitimate Interest as a basis, and they will not need to include opt-out options for users.
Certain non-essential cookies and tracking used for statistical data also no longer require opt-in from UK users – provided the data collected is anonymised and used for analysis of site performance and improvements. For example, data used to measure what pages are visited most and how long users stay. Losing statistical data where there is no opt-in has been a significant challenge for marketers and this change will allow a wider range of data to be outside of the consent model, increasing data fidelity and depth.
Furthermore, for instances where consent is still required, consent banners may also be simplified, making it easier for both businesses and users to manage their choices.

The impact on reporting.
Sam, Head of Data
The potential of increased statistical data accuracy of UK users sounds appealing but there needs to be care in the setup and a deep understanding of how this could affect reporting.
Will I need to update my cookie banner?
You may now be able to amend your cookie policy to start serving statistical tracking by default (without user opt-in) for UK users, depending on your data stack and policies. This may also involve changing the wording from ‘Decline all’ to ‘Decline Additional Cookies’, for instance.
As this is UK-only, it’s worth checking your cookie management platform (CMP) regionalisation settings to avoid non-compliance in other countries.
Do I need to change my tracking settings?
The main change you'd need to make is to update your cookie management platform (CMP) to track statistical data without user opt-in by default.
Tracking and setting of cookies handled outside of a CMP, e.g. Google Tag Manager (GTM), may require more detailed changes to load in tracking for statistical purposes in line with CMP regionalisation updates.
Remember, this is only applicable to users in the UK; regionalisation settings should follow each country's guidance.
Will there be changes to consent states?
Whilst the change for tracking statistical website data may bring benefits to data collection from UK users, it will be important to ensure that data sent to analytics/statistics platforms isn’t shared with advertising platforms unless users have opted in to this level of tracking.
Typically, this is managed through consent states, commonly used by Google products.
Application in charitable giving.
The charity sector has been granted a special exemption from opt-in policies following intervention by the DMA. The DUA Bill restores the ‘soft opt-in’ for charities, meaning they can assume consent to SMS and email marketing where supporters have already provided their details.
Having access to more data under the revised bill should re-enable marketers to make effective targeting decisions. The Salocin Group and Wood for Trees found that annual charitable donations could increase by up to £290 million nationwide if email contact was enabled.
Clear opt-out options are still required at the moment of data capture and any subsequent communications. The likely route will be a wording change, e.g. a tick box for users to select if they do not want to receive communications.

Don't look back.
Hollie, Head of Client Partnerships
It’s important to note that the soft opt-in doesn’t apply to historical data. User opt-in choices collected prior to the bill will still need to be adhered to.
Non-compliance.
Despite this update being more permissive and providing more clarity than previous legislation, it’s important to note that the severity of breaching rules related to this and UK GDPR remains significant.
The DUA Bill updates and aligns enforcement powers under PECR with those of the UK GDPR, which the Information Commissioner's Office (ICO) is responsible for enforcing. This includes significantly increased potential fines for breaches, which are now up to £17.5 million or 4% of global turnover.
It’s worth noting, though, that the ICO, which enforced previous legislation, will transition to become the Information Commission, and with that comes a change to how complaints are managed. Businesses will now be the first point of contact for individuals to raise complaints. The ICO will only handle complaints if they haven’t been dealt with in a satisfactory way.
In summary.
Overall, though, it is a step towards more clarity for marketers and hopefully instils more confidence when it comes to collecting and processing data.
Like many new pieces of legislation, the DUA Bill leaves room for interpretation on specific applications and scenarios that will emerge as more time passes. It’s also important to understand how it applies to your own brand and operations, particularly if you operate internationally.
However, we view the DUA Bill as a positive step forward in the UK for responsible, effective data usage for marketers and users alike.