What is the ePrivacy Regulation? And what does it mean for my business?
Over the last few decades the internet, combined with the development of electronic communications, has revolutionised the way we go about our business.
Interconnectivity has become an integral part of our lives. But with it comes a host of ethical and practical problems: How can society safeguard people’s online privacy? We unpick ePrivacy, so you don’t have to.
The proposed ePrivacy Regulation (ePR) aims to answer that question. It will replace the already existing ePrivacy Directive (2002) with a stronger law that must be adhered to by all EU member states.
Although the directive is a legal act that aims to uphold Article 7 of the EU charter (respect for private and family life), it doesn’t require all member states to implement it in the same way. Essentially member states can be selective about what parts of the directive to adopt and enforce, and this creates an uneven playing field.
In 2002 the directive was adequate. But the digital culture has, since then, become more intrinsic to people’s lives. Gathering and processing personal data via electronic communications is now a huge part of society. Not only that, but the interconnectivity of electronic devices means there are more digital entry points into people’s private lives, meaning there’s a greater risk of privacy violation.
So, the new proposal aims to bring the legislation up-to-date and create a level playing field for all EU citizens.
GDPR is about general data protection, which covers a broad range of elements; however, it doesn’t go into detail about electronic communications.
ePR, on the other hand, focuses specifically on electronic communications. In legal parlance, this is known as lex specialis. So, although the ePR will use the same definitions as GDPR, it will actually override GDPR on matters of data privacy in the context of electronic communications.
Both the GDPR and ePR are part of a movement to reform the EU data protection framework.
It’s difficult to say as the proposal is still being developed. We won’t know the exact stipulations until the finalisation. However, based on what’s in the proposal now, it seems that the following areas will be of particular interest:
There will be stricter rules on sending out unsolicited marketing material via electronic communications, including email and SMS. It will also cover telephone-based cold calling; cold callers may have to adopt transparency tactics such as displaying their number or using a prefix that identifies it as being a marketing call.
There’ll also be stricter rules on gaining permissions and respecting people’s right to object.
One of the aims is to simplify the cookie process so as to reduce all the irritating cookie consent requests. The idea is to ‘streamline’ the consent process by shifting the onus onto web browsers as opposed to individual websites. This means people will be able to set their cookie preferences at the browser level.
In a press release, the European Commission said:
“The cookie provision, which has resulted in an overload of consent requests for internet users, will be streamlined. The new rules will be more user-friendly as browser settings will provide for an easy way to accept or refuse tracking cookies and other identifiers.”
There’ll also be a clear distinction between non-intrusive and intrusive cookies.
Non-intrusive cookies won’t require consent because they’re essential for providing services and improving user experiences. These could be things like shopping carts, remembering previous purchases, or non-identifying analytics.
Intrusive cookies, on the other hand, are those that use data (such as IP addresses) to identify and track users around the internet, e.g. third-party cookies for tracking advertising clicks. These will require explicit consent.
The digital revolution has seen the rise of over-the-top (OTT) service providers such as Google, WhatsApp and Skype. Millions of people now use these communication services, meaning there is greater potential for invasion of privacy (think of all the private online conversations happening at any one time).
So ePR aims to make strict confidentiality rules applicable to the big internet communication companies and make them more accountable whenever they fall foul of the law.
It all depends on your strategies. If electronic communication is an integral part of your business model, then you’ll need to audit your current setup and ensure it adheres to the regulation. You may also need to anticipate threats. For example, if you’re a publisher that relies on third-party advertising cookies, you may see a drop in revenue because people have set their browsers to block certain identifiers. So you’ll need to come up with creative solutions for persuading users to enable cookies for your site.
ePR is definitely something you don’t want to ignore as, like GDPR, the fines for non-compliance will be pretty hefty, and you also face reputational damage, i.e. you may gain a reputation for violating people’s privacy. The good news is that you still have plenty of time to prepare. You can get yourself up to speed by perusing the current draft proposal. However, it’s worth noting that the current proposal is not set in stone and there are likely to be amendments between now and when it comes into force. So, do keep track of all the latest developments.
At present, the exact date is unknown. It is, however, expected to come into force sometime in 2019.