
Updates to the draft ePrivacy Regulation

Published on 18 December 2017

On 19 October 2017, the European Parliament approved a revised draft of the ePrivacy Regulation. Though still subject to negotiation, it introduces a number of important changes, and deserves careful study by every online communications business.

The development 

The ePrivacy Regulation will replace the ePrivacy Directive, and is intended to complement the General Data Protection Regulation (GDPR) in the area of “electronic communications data”. It includes detailed provisions on direct marketing, cookies and online monitoring. It was originally scheduled to come into force on the same date as the GDPR, 25 May 2018, but the timing of its actual implementation is currently unclear. It is still in the early stages of the legislative process, as it is currently entering the Trilogue process (informal tripartite meetings between representatives of the European Parliament, the European Council and the European Commission, which take place prior to plenary sittings of the European Parliament).

The changes

“What we are aiming at is to abolish surveillance-driven advertising.”

These chilling words are those of Birgit Sippel MEP, in her first public address as the European Parliament's Special Rapporteur with responsibility for the draft ePrivacy Regulation (9 November 2017). Sippel's speech encapsulates the firm stance European legislators seem to be taking towards online behavioural advertising and the technology behind it. The current draft of the Regulation brings a raft of changes, many of which may cause significant disruption to the sector.

The key changes are as follows:

  • A major tightening on the rules regarding cookies. The EU's new proposal would require companies to obtain explicit consent for every cookie “dropped”. When seeking consent, publishers should present the information in a clear, granular manner, giving the user the best opportunity to make an informed choice. Websites cannot make consent to cookies a mandatory condition of accessing the service
  • Cookie walls and banners are to be banned. The EU's “solution” is to offer users control by means of browser settings, in an apparent attempt to protect non-savvy users who simply accept cookies without reading the relevant cookie policy. Crucially, the current proposal stipulates that the default browser settings should be set to the most privacy-friendly option – prohibiting cookies. Users would need to take an active step to consent to cookies at a browser level, although websites could still seek consent on a case-by-case basis
  • The applicability of GDPR-level fines has been extended to include breaches of the provisions on consent and privacy settings for cookies. The maximum fine under these rules is now 4% of global annual turnover, or €20 million, whichever is higher
  • A clarification that explicit consent will be required for direct marketing (subject only to the “soft opt-in” exception for existing customers). The ePrivacy Regulation has not adopted “legitimate interests”, which offer alternative legal bases for processing under the GDPR.

Any practical tips?

If the Regulation went ahead in its current form, it could frankly be disastrous for many within adtech and related industries. Recent research has suggested that 81% of users would not consent to having their behaviour tracked by third parties (eg by use of cookies). Marketers who use programmatic behavioural advertising reliant on third party cookies may struggle to attain reach under the proposed system, though platform providers using first-party cookies are likely to be less affected. We may see a shift in power to publishers, who could possibly ask to be compensated for obtaining marketing consents from users. On the other hand, they may begin to offer incentives to users for accepting cookies, for example with smoother, personalised services.

There are no easy answers, and new technology may be needed before a true solution can be found. All communications companies will need to innovate, and find new ways to engage with their user base.

What is clear, given the GDPR-level fines for non-compliance, and the tough attitude of EU legislators, is that companies who ignore (and fail to prepare for) the Regulation will do so at their peril. The most recent updates to the ePrivacy Regulation can be found here.