Question to the Department for Digital, Culture, Media & Sport:

To ask the Secretary of State for Digital, Culture, Media and Sport, what steps she is taking to help protect consumers from the sale of mobile tracking data (a) within the UK and (b) abroad.

Organisations seeking to use cookies and similar technologies that track information about people accessing online services have to comply with the Privacy and Electronic Communications Regulations 2003 (PECR), the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA). Subject to relevant exemptions, any use of cookies and similar technologies requires the provision of clear and comprehensive information as well as the consent of the user or subscriber.

The legislation does not expressly prohibit or permit the selling and sharing of people’s data, but regulates the circumstances in which data sharing can take place. The ICO has published a statutory Code of Practice on data sharing which contains practical guidance for organisations on how to share data fairly and lawfully, and how to meet their accountability obligations. The Code is available here.

The ICO has a number of powers to tackle the unlawful processing of personal data, including the power to serve enforcement notices requiring organisations to stop the processing or to erase the data, and the power to serve civil monetary penalties. The ICO can also investigate and prosecute criminal offences under the DPA. Those guilty of such offences can be subject to unlimited fines in the courts.