Updates to the draft ePrivacy Regulation
On 19 October 2017, the European Parliament approved a revised draft of the ePrivacy Regulation. Though still subject to negotiation, it introduces a number of important changes, and deserves careful study by every online communications business.
The ePrivacy Regulation will replace the ePrivacy Directive, and is intended to complement the General Data Protection Regulation (GDPR) in the area of “electronic communications data”. It includes detailed provisions on direct marketing, cookies and online monitoring. It was originally scheduled to come into force on the same date as the GDPR, 25 May 2018, but the timing of its actual implementation is currently unclear. It is still in the early stages of the legislative process, as it is currently entering the Trilogue process (informal tripartite meetings between representatives of the European Parliament, the European Council and the European Commission, which take place prior to plenary sittings of the European Parliament).
“What we are aiming at is to abolish surveillance-driven advertising.”
These chilling words are those of Birgit Sippel MEP, in her first public address as the European Parliament's Special Rapporteur with responsibility for the draft ePrivacy Regulation (9 November 2017). Sippel's speech encapsulates the firm stance European legislators seem to be taking towards online behavioural advertising and the technology behind it. The current draft of the Regulation brings a raft of changes, many of which may cause significant disruption to the sector.
The key changes are as follows:
- A major tightening on the rules regarding cookies. The EU's new proposal would require companies to obtain explicit consent for every cookie “dropped”. When seeking consent, publishers should present the information in a clear, granular manner, giving the user the best opportunity to make an informed choice. Websites cannot make consent to cookies a mandatory condition of accessing the service.
- The applicability of GDPR-level fines has been extended to include breaches of the provisions on consent and privacy settings for cookies. The maximum fine under these rules is now 4% of global annual turnover, or €20 million, whichever is higher.
- A clarification that explicit consent will be required for direct marketing (subject only to the “soft opt-in” exception for existing customers). The ePrivacy Regulation has not adopted “legitimate interests”, which offer alternative legal bases for processing under the GDPR.
Any practical tips?
There are no easy answers, and new technology may be needed before a true solution can be found. All communications companies will need to innovate, and find new ways to engage with their user base.
What is clear, given the GDPR-level fines for non-compliance, and the tough attitude of EU legislators, is that companies who ignore (and fail to prepare for) the Regulation will do so at their peril. The most recent updates to the ePrivacy Regulation can be found here.