Automatically ticked consent boxes that allow companies to harvest and exploit valuable personal information are to be banned in an overhaul of consumer protection for internet users.
DNA profiles and browsing histories are also to be included in a new definition of personal data, with companies facing criminal prosecution if they fail to protect users’ identities.
Before the election Theresa May promised to rebalance the relationship between internet users and the technology industry, pledging to lead the world in internet regulation.
British ministers will today spell out the details of a Data Protection Bill to be introduced in the Commons next month. It will include the right of adults to request the deletion of social media content they posted as children.
They will say that they intend also to expand the definition of personal data to IP addresses and cookies. Matthew Hancock, UK digital policy minister, said it would contain the most robust, yet dynamic, data laws in the world.
Advertisement
Experts said that it could have far-reaching effects on companies that trade in anonymised data harvested online. Some offer cheap genetic tests for genealogy and then sell the information to medical researchers.
Officials said the bill would tighten consent requirements and punish those that failed to protect individuals’ identities. “The reliance on default opt-out or pre-selected ‘tick boxes’, which are largely ignored, to give consent for organisations to collect personal data will become a thing of the past,” one said.
With fines of up to £17 million or 4 per cent of global turnover, companies also face criminal sanctions if they are “either intentionally or recklessly creating situations where someone could be identified from anonymised data”.
Retailers increasingly rely on supposedly anonymised browsing data to target advertising. Researchers in Germany have exposed how easily identities could be uncovered, discovering the pornography preferences of a judge from anonymised data.
The measures are designed to bring Britain into line with the EU’s general data protection regulation (GDPR).
Advertisement
Vikki Hoyle, of the solicitors Walker Morris, said that the present data protection regime was created before the advent of Google, Amazon and Facebook. The EU regulation had been designed to deal with advances in technology over the past 20 years and for the next two decades, she added.