The UK's Data Use and Access Bill, agreed by Parliament and soon to become an Act, amends existing laws covering online privacy and data protection. These include laws based on European law, i.e. the "UK GDPR" (the Data Protection Act 2018) and the UK's enablement of the ePrivacy Directive, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
Significantly, fines for violations of the PECR, including for the unconsented use of cookies and other browser storage (Regulation 6.1, corresponding to Article 5(3) of the ePrivacy Directive), are now subject to the same levels as the UK GDPR, namely up to €20 million (approximately £17 million) or 4% of a company's turnover, whichever is the greater.
There is a slight relaxation in the rules for using storage for statistical or website appearance purposes, but this mirrors similar measures in the now-abandoned European ePrivacy Regulation. Importantly, information collected must not be shared except for the purpose of helping make improvements to the website (ruling out Google Analytics and similar), and there must in any case be a simple-to-use opt-out.
In addition, the sending of spam messages, i.e. in emails, can also result in GDPR-level fines, and can result in company officers also being fined if the offence "took place with the consent or connivance of the officer, or was attributable to any neglect on the part of the officer".