Up until now, theoretically they had the GDPR which is a strong privacy regulation. Enforcement of it has been significantly lacking though (but frankly, so is everywhere else) so in practice the effect of it was dubious.

Now since they are no longer in the EU they want to use this opportunity to deviate from the GDPR and relax the rules even more (not that they've been enforced to begin with). Ironically, the justification for relaxing the rules is that the GDPR didn't have the expected effects - well of course if won't have any effect if you don't enforce it.