Updates to the draft ePrivacy Regulation
On 19 October 2017, the European Parliament approved a revised draft of the ePrivacy Regulation. Though still subject to negotiation, it introduces a number of important changes, and deserves careful study by every online communications business.
The development
The ePrivacy Regulation will replace the ePrivacy Directive, and is intended to complement the General Data Protection Regulation (GDPR) in the area of “electronic communications data”. It includes detailed provisions on direct marketing, cookies and online monitoring. It was originally scheduled to come into force on the same date as the GDPR, 25 May 2018, but the timing of its actual implementation is currently unclear. It is still in the early stages of the legislative process, as it is currently entering the Trilogue process (informal tripartite meetings between representatives of the European Parliament, the European Council and the European Commission, which take place prior to plenary sittings of the European Parliament).
The changes
“What we are aiming at is to abolish surveillance-driven advertising.”
These chilling words are those of Birgit Sippel MEP, in her first public address as the European Parliament's Special Rapporteur with responsibility for the draft ePrivacy Regulation (9 November 2017). Sippel's speech encapsulates the firm stance European legislators seem to be taking towards online behavioural advertising and the technology behind it. The current draft of the Regulation brings a raft of changes, many of which may cause significant disruption to the sector.
The key changes are as follows:
- A major tightening on the rules regarding cookies. The EU's new proposal would require companies to obtain explicit consent for every cookie “dropped”. When seeking consent, publishers should present the information in a clear, granular manner, giving the user the best opportunity to make an informed choice. Websites cannot make consent to cookies a mandatory condition of accessing the service
- Cookie walls and banners are to be banned. The EU's “solution” is to offer users control by means of browser settings, in an apparent attempt to protect non-savvy users who simply accept cookies without reading the relevant cookie policy. Crucially, the current proposal stipulates that the default browser settings should be set to the most privacy-friendly option – prohibiting cookies. Users would need to take an active step to consent to cookies at a browser level, although websites could still seek consent on a case-by-case basis
- The applicability of GDPR-level fines has been extended to include breaches of the provisions on consent and privacy settings for cookies. The maximum fine under these rules is now 4% of global annual turnover, or €20 million, whichever is higher
- A clarification that explicit consent will be required for direct marketing (subject only to the “soft opt-in” exception for existing customers). The ePrivacy Regulation has not adopted “legitimate interests”, which offer alternative legal bases for processing under the GDPR.
Any practical tips?
If the Regulation went ahead in its current form, it could frankly be disastrous for many within adtech and related industries. Recent research has suggested that 81% of users would not consent to having their behaviour tracked by third parties (eg by use of cookies). Marketers who use programmatic behavioural advertising reliant on third-party cookies may struggle to attain reach under the proposed system, though platform providers using first-party cookies are likely to be less affected. We may see a shift in power to publishers, who could possibly ask to be compensated for obtaining marketing consents from users. On the other hand, they may begin to offer incentives to users for accepting cookies, for example with smoother, personalised services.
There are no easy answers, and new technology may be needed before a true solution can be found. All communications companies will need to innovate, and find new ways to engage with their user base.
What is clear, given the GDPR-level fines for non-compliance, and the tough attitude of EU legislators, is that companies who ignore (and fail to prepare for) the Regulation will do so at their peril. The most recent updates to the ePrivacy Regulation can be found here.