In the UK, the key regulations* that govern data protection are the UK General Data Protection Regulation (UK GDPR), the UK’s Data Protection Act (2018) and the Privacy and Electronic Communications Regulations (2003), also known by their abbreviation PECR. The UK’s regulator for data protection is the Information Commissioner’s Office (ICO).
Legislation such as the UK GDPR and PECR has its origins in European law, and even though the UK has left the EU, the EU's GDPR and e-Privacy Directive still bear on UK organisations that offer goods or services to, or monitor the behaviour of, individuals in the EEA (the EU GDPR applies to data subjects who are in the EEA, regardless of their citizenship). Both the UK and EU GDPRs have extra-territorial reach.
We have also included links to the California Consumer Privacy Act (CCPA), which came into force on 1 January 2020. The legislation is similar in scope to the GDPR and remains the most extensive shake-up of consumer data protection law in the US to date. Like the EU laws, it has extra-territorial reach: it applies to businesses that meet its thresholds and handle California residents' personal information, wherever the business is based.
UK Legislation (Most relevant to Advertising and Marketing)
- UK General Data Protection Regulation – The EU GDPR as retained in UK law and amended following Brexit; it sets the core rules for processing personal data in the UK.
- Data Protection Act 2018 – Supplements the UK GDPR (for example, exemptions, the ICO's functions and its enforcement powers) and covers processing outside the UK GDPR's scope, such as processing by law enforcement and the intelligence services. It also ensured that the UK had an operable data protection framework after Brexit.
- The Privacy and Electronic Communications Regulations (PECR) (2003) – The UK transposition of the EU e-Privacy Directive (2002). PECR governs electronic marketing (phone, fax, email and text), the use of cookies and similar technologies, and the security of public electronic communications services, and it applies alongside the UK GDPR.
- Information Commissioner’s Office Direct Marketing Code of Practice – This code applies to anyone who processes personal data for direct marketing purposes. It explains the law and provides good practice recommendations for those conducting direct marketing and those who participate in the broader direct marketing ecosystem.
EU Regulations
- General Data Protection Regulation (GDPR) (2016) – Regulation (EU) 2016/679, applicable since 25 May 2018. This is the main law that covers data protection across the EU and EEA Member States.
- Privacy and Electronic Communications Directive (2002/58/EC) – This EU directive (the e-Privacy Directive) covers organisations that wish to send electronic marketing messages (by phone, fax, email or text), use cookies, or provide electronic communication services to the public. As a directive, it is implemented through each Member State's national law rather than applying directly.
You can find out more on the European Commission's website.
California and US Federal Regulations*
- California Consumer Privacy Act – This law has similar scope to the GDPR and came into effect on 1 January 2020. It was amended and extended by the California Privacy Rights Act (CPRA), most of whose provisions took effect on 1 January 2023.
- American Data Privacy and Protection Act – A proposed federal-level (not Californian) data protection bill; it has not been enacted into law.
*Other US States may have their own privacy laws.
Key Regulatory Bodies
UK’s Information Commissioner’s Office (ICO) – The UK’s independent regulator for data protection; it enforces the UK GDPR, the Data Protection Act 2018 and PECR.
European Data Protection Board (EDPB) – The EDPB is composed of representatives of the EU/EEA national data protection authorities and the European Data Protection Supervisor. It was established by the GDPR and is based in Brussels.
Federal Trade Commission (FTC) – Unlike Europe, the US has no dedicated federal data protection authority. Instead, the FTC uses its broad powers over unfair or deceptive commercial practices to police consumer data protection. At state level, the California Privacy Protection Agency (CPPA), created by the CPRA, shares enforcement of the CCPA with the California Attorney General.
*For in-depth legal advice, please visit the ICO website or consult a legal professional.