Brexit Legal Update

Although the GDPR only came in to force less than 5 months ago, there are already a set of upcoming changes, laws and regulations which will impact website and business owners. These are:

  • Brexit
  • ePrivacy Regulation
  • California Consumer Privacy Act 2018


Although the situation regarding the UK’s withdrawal from the EU remains uncertain, the prospect of the country leaving the EU without an agreement appears to be a realistic possibility. This would, as you would expect, cause the most significant change from a data protection and legal perspective. We will be providing more detailed information on the impact of Brexit in due course as the situation becomes clearer. However, in short, you are more likely to be significantly affected the more you have customers or business interests in the EU. In particular, if the UK leaves both the EU and the European Economic Area (EEA) and no agreement is reached:

  • data transfers to the EU may require EU standard form contractual clauses to be used if the UK cannot obtain an adequacy decision from the EU in respect of its data protection regime; and
  • any business in the UK that processes the personal data of persons within the EU in the course of business and the processing is not ‘occasional’ will need to appoint a representative in the EU under Article 27 of the GDPR (which has extra-territorial effect).

Both of these changes, to the extent you are affected by them, will require amendments to your website privacy policy. We will be demonstrating the specific changes required in due course.

ePrivacy Regulation

The ePrivacy Regulation, which is closely related to the GDPR, is expected to come into force at some point in early 2019. The most significant changes it is currently expected to introduce are the reclassification of certain website analytical cookies as essential cookies (which means they will no longer require consent before website owners can set them on their users’ browsers) and the possibility of consent being required for unsolicited email marketing communications to personal corporate email addresses. It is important to note that the position on this is still subject to change and we will be providing a fully detailed description of how these changes affect your website when the text is finalized.

California Consumer Privacy Act 2018

Although less likely to have as much of an impact on UK businesses as Brexit or the ePrivacy Regulation, it is important to note changes in Californian law which will technically be binding on businesses around the world (including in the UK) which process the data of residents of California. The Californian Consumer Privacy Act 2018 (CCPA) introduces many similar requirements and rights for individuals as the GDPR although there are a number of differences. The CCPA will go into effect on 1 January 2020 and so is still over a year away before it becomes law. We will similarly be providing further information about the necessary changes to your website documentation in due course.