On the 10th of January 2017, the European Commission put forward a new Regulation on Privacy and Electronic Communications which will replace the 2002 ePrivacy Directive, and will apply to all member states of the EU.
This was to ensure existing privacy legislation for any electronic communications correlates with the General Data Protection Regulation, or GDPR, coming in May 2018.
For any businesses involved in ecommerce or other online electronic services, it will be an important regulation to keep in mind. As for the aim:
The European Commission’s proposal for a Regulation on Privacy and Electronic Communications aims at reinforcing trust and security in the Digital Single Market by updating the legal framework on ePrivacy.
What is the EU ePrivacy Regulation?
The new Regulation on Privacy and Electronic Communications, or ePR, is part of the digital single market strategy of the EU. As the online world has changed, laws need to change too and encompass new things. The ePrivacy Regulation is essentially an add-on to the existing ePrivacy Directive, which aimed to include online communication providers under the same requirements as telecommunication providers.
Why, you may ask? The reasoning is:
European legislation is keeping up with the fast pace at which IT-based services are developing and evolving.
In the past years, the Commission has started a major modernisation process of the data protection framework, which culminated in the adoption in May 2016 of the new General Data Protection Regulation. The ePrivacy legislation needs to be adapted to align with these new rules.
Data privacy is covered under the General Data Protection Regulation and the ePrivacy Regulation.
The ePrivacy Regulation aims to broaden what the current ePrivacy Directive covers, and to align the rules for online privacy across the EU.
The GDPR introduced many definitions of privacy, which the ePrivacy Regulation takes into account. Its own role is to enhance the regulations around unsolicited marketing, how online tracking cookies work, and confidentiality.
The ePR will replace the ePrivacy Directive from 2002, also known as the cookies law. It will also take the place of any other state laws of EU members, including the Privacy and Electronic Communications Regulations (PECR) in the UK. This was the set of regulations that set the laws for marketing emails, phone calls, texts, cookies, and more. As it stands, any marketing by phone, email, text or other electronic communications must adhere to the PECR. The new ePrivacy Regulation will take the place of this.
The ePR is much broader and sets the same rules across the EU. This means privacy will be much more vital, and the regulation covers over-the-top service providers, including instant messaging apps and Voice over Internet Protocol (VoIP) platforms. It also includes any communications between machines, so Internet of Things (IoT) enabled devices will be covered by this.
ePrivacy is planned to come into effect at the same time as GDPR, with the same penalty regime for any businesses which do not comply, though there is a chance it won’t get through the legislative procedure in time for this deadline to be met.
The proposed act is mainly to align existing privacy legislation regarding electronic communications to the GDPR. The GDPR applies to processing personal information. The ePR is intended to work alongside it, providing more specific rules in terms of privacy and the use of electronic communications services.
A Summary of the ePrivacy Regulation Proposal
- Privacy rules will apply to electronic communications services, similarly to traditional telecommunication providers
- People and businesses in the EU will benefit from the same level of protection
- Privacy guaranteed for communications content and metadata
- When consent is given for communications data to be processed, telecoms operators have an opportunity to offer additional services
- Cookie rules will be simplified, with browser-wide settings to refuse tracking rather than separate cookie consent banners on websites
- Spam protection banning unsolicited communications via email, SMS and automated calls
- Enforcement of the confidentiality rules will be the responsibility of data protection authorities
- Incorporating the GDPR’s two-tier system of fines up to €20 million or 4% of annual turnover
- All marketing communications must be opt-in – via email, text or calls
What does ePrivacy mean for online businesses and ecommerce?
Cookies will now be tracked within software and the browser itself, which the user can change to suit themselves. This will mean banners and pop-ups that request consent will be a thing of the past.
For online communication providers, companies such as Skype and WhatsApp will now be required to provide the same level of data safety for customers as traditional telecommunications providers. Electronic communication services will be required to secure all communications.
Metadata must also be treated the same as actual content of the communication that is being sent. It prohibits the interception of communications, other than when an EU member authorises it under law. This would include criminal investigations.
However, as of January 2018, the debates are still ongoing.
The Paper proposes a discussion as to:
Whether the exceptions to the consent requirement in current drafts of the ePR should be extended; or whether there should be a move to a harm-based approach.
The Paper also calls for discussion around potential modifications to the proposed centralised cookie consent mechanism, whereby browser providers would be required to allow users to accept or refuse consent for the use of tracking technologies on a generalized basis.
What does ePrivacy mean for digital marketing?
Opt-in for marketing communications will have a big impact. No more cold emails to large email lists, or any other form of cold marketing. The regulation changes the fundamentals on how marketers can communicate with customers, or potential customers, after May 2018.
B2B marketing is likely to get a lot harder. The GDPR scope of personal data means that data relating to someone at their place of business is someone’s personal data. As it stands, you could email someone as long as you let them opt out, but now it’s the same as B2C. Essentially there will be no distinction between B2B and B2C. You will need to use consent, or the soft opt-in principle. This would include contact details being obtained during a sale, with the business only promoting its own goods/services and giving the customer a clear opportunity to opt out with each communication.
Consent must also not be a tick box any longer. Consent is now defined as:
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
Cookies have been a very important part of advertising, in order to provide targeted ads to consumers by collecting information about browsing habits and otherwise.
While cookies do not contain personal information, they are still deemed a concern in terms of privacy. As it stands, when users disable tracking cookies, many websites provide limited functions or deny access. This would no longer be possible.
The amendments would prohibit the use of tracking cookies for many users, which means browsers and other software would have to disable the tracking, storing and collection of this information.
If the ePrivacy proposal does indeed include this, the online advertising business would change.
While there is an argument that cookies are an intrusion on an individual’s privacy, it would shake up an entire industry and lead to a loss of revenue for many businesses.
The regulation notes it will take effect on May 25th 2018, along with the GDPR, but it must be approved by the European Parliament and European Council before it will be in effect.