The UK privacy landscape is poised to undergo major shifts in 2024, with tightening restrictions on cookie tracking, AI, and data security. Paired with these shifts is a talent shortage. According to Forrester, only 17% of privacy decision-makers say their organisation’s privacy team has marketing competencies or skills. This puts marketers in a tough position, as they must collaborate with informed privacy specialists for strategy discussions and campaign approvals.
In this post, we’ll cover everything your marketing team needs to know about the upcoming changes in the UK privacy landscape in 2024. We’ll also share what these changes mean for your organisation and how you can adapt. Finally, we’ll show you how revenue execution platforms like Invoca can help you achieve your marketing goals while complying with all applicable data privacy and cyber security regulations.
The Data Protection and Digital Information Bill had its second reading in the House of Lords on 19 December 2023. The goal of the bill is to update the legal framework to account for new technologies like AI and machine learning, to balance innovation with privacy. It sets out some modest reforms to the UK’s version of GDPR, designed to reduce businesses’ compliance burden. However, it does not radically change the existing GDPR rules. The bill has a few stages to go before it is passed, but experts say it could become law in 2024.
Google recently migrated 1% of Chrome users to Privacy Sandbox and disabled third-party cookies for them by default. This is part of an effort to assess Privacy Sandbox’s real-world readiness for the bigger changes that will come later in the year — namely, launching Chrome 115, which will deprecate all third-party cookies. Google’s actions should come as no surprise to UK marketers. Restrictions around tracking cookies are tightening, and this is Google’s way of staying ahead of the curve.
At the end of last year, the UK Information Commissioner’s Office (ICO) took more proactive steps to address non-compliant cookie banners. They wrote to numerous website operators and required them to update their consent management platforms (CMPs) in accordance with the guidelines.
In 2024, expect the ICO to continue its focus on this area, especially now that it is equipped with new technologies to improve enforcement in the space. Experts say the ICO will increase public reprimands, fines, and enforcement actions for non-compliant actors, so companies should make their cookie policies a priority.
Over the past few years, companies have collected more personal data from customers than ever before to assist with personalisation and ad targeting. Now, with the advent of AI, companies are also using this data to train large language models. These advancements have made it increasingly important for regulators to set boundaries around data anonymisation.
In the UK, the ICO issued some basic instructions around anonymising customer data. However, it is waiting for the Data Protection and Digital Information Bill to progress through Parliament before it releases more in-depth guidelines. The ICO wants to ensure that its final guidelines reflect any changes made to the law. To prepare, marketers should audit their current data anonymisation practices and ensure they’re protecting sensitive customer information.
The Financial Conduct Authority (FCA) Consumer Duty is a regulatory framework introduced in the UK to enhance consumer protection and promote fair treatment in financial services. It requires firms to act in the best interests of their customers, provide products and services that meet their needs, and deliver clear and transparent communications. Firms are expected to prioritise customer outcomes over profits and ensure that their actions do not cause harm to consumers. Compliance with the Consumer Duty entails a shift towards a more customer-centric approach, fostering trust and confidence in the financial services sector while holding firms accountable for their conduct.
It will cost UK firms an estimated $3 billion to comply with these guidelines, as they will have to audit their existing business practices, update their communications strategies, identify and mitigate potential consumer risks, and train their staff on new procedures. A key way that UK firms are planning to adapt to these new regulations is by adopting automated contact centre quality assurance, so they can ensure all of their agents are complying with the new guidelines, as failure to do so can result in hefty fines.
At the end of 2023, the EU reached an agreement on the text of the EU AI Act. Experts anticipate this law will go into effect this year. The EU AI Act serves as a comprehensive legal framework governing the sale and use of artificial intelligence in the EU, aiming to ensure the proper development, marketing, and use of AI technologies. It places a strong emphasis on transparency for AI models and establishes safeguards for AI systems based on their potential impacts on society. These protections will have an extra-territorial effect, meaning they will impact UK businesses operating in the EU that use AI.
The UK, meanwhile, opted to delegate AI regulation to its existing sector-specific regulators. Later this year, expect the ICO, CMA, and FCA to publish guidance on the principles of AI. At this time, it is unclear how stringent their standards will be, though some experts expect UK regulations will be slightly more lenient than the EU AI Act.
The rapid advances in technology over the last few years have created new vulnerabilities for malicious actors to exploit. Businesses are more interconnected than ever before, and employees have access to a wealth of sensitive data. To combat these threats, EU regulators introduced the Cyber Resilience Act, and the UK implemented the Product Security and Telecommunications Infrastructure Act 2022 (PSTIA 2022).
However, it is becoming clear that existing regulations aren’t sufficient, and further protections are necessary. To address these shortcomings, regulators in the European Union are working on the EU Cyber Resilience Act, and the long-awaited NIS2 Regulations. The UK has yet to outline how it will approach cyber resilience in 2024, but it is likely to release guidelines on the heels of the EU’s new regulations.
It may seem intimidating to navigate all these changes — and pending changes — to the UK privacy landscape in 2024. However, there are a few basic tenets your team can follow that will set you up for success. We’ve listed our top three takeaways below.
Several of the UK’s new and forthcoming regulations are intended to curb the use of third-party cookie tracking. Without access to third-party data for ad targeting and personalisation, marketers will need to tap into internal data stores, such as purchase history, website activity, mobile app data, email engagement, sales interactions, customer feedback programs, and voice of the customer analytics from phone calls. The more first-party data you have at your fingertips, the better you’ll be able to personalise experiences and cater to your customers’ needs.
The EU AI Act set guidelines against black-box AI models, and the UK’s regulators are likely to follow suit. A black-box AI conceals the logic and reasoning behind its outputs, making it challenging for individuals to comprehend how and why specific decisions are made. Black-box AI models are problematic from a privacy perspective because users have no way of knowing how sensitive personal data is used, or whether it is kept onsite with the vendor. In addition, black-box AI models may harbour biases that could lead to privacy infringement for certain demographic groups.
In light of these concerns, UK marketers are moving away from black-box AI models to explainable AI models, which offer transparency into their inner workings. By using explainable AI models, marketing teams can rest assured that sensitive customer data is secured. They can also have peace of mind that the AI models are not engaging in discriminatory practices.
When selecting a marketing technology vendor, it’s important to vet their security and privacy practices. Even if your organisation is fully compliant with all applicable regulations, you’ll put yourself at risk if you share data with a third party that doesn’t follow laws and guidelines. Below are some key questions to ask potential vendors:
With third-party data drying up for UK marketers, teams need to look for new first-party data sources they can tap into. Phone conversations are one of the richest forms of first-party data available to your business. In these interactions, your customers are literally telling you what they need and how to make them happy. They're also revealing their sentiments about your products and giving out information far beyond what you would receive from an online form.
Though phone conversations are brimming with valuable insights, they’ve been traditionally underutilised by marketers. That’s because, in the past, it was difficult to get these insights at scale. Invoca’s AI solves this problem, allowing you to easily capture the insights you need to feed your personalisation and ad targeting strategies.
Invoca is fully committed to complying with applicable state and international data privacy laws, ensuring that customer information remains protected and secure. We’re ISO 27001 and GDPR compliant. We do not use black-box AI — our models are fully explainable. In addition, our solution automatically redacts sensitive personal data from your customers’ call transcripts. It’s why leading international brands like Rentokil, Rogers Communications, and Four Seasons Hotels and Resorts trust us as their conversation intelligence partner.