Coming on the heels of far-reaching reforms to the data protection landscape from the EU General Data Protection Regulation (GDPR), proposed revisions to the EU ePrivacy Directive are now centre stage.
The EU Commission has published a Privacy and Electronic Communications Regulation (ePrivacy Regulation) to replace the previous Directive. Directly enforceable in all EU Member States, the new regulation will affect any business using cookies or similar tracking technology through websites, mobile apps and messaging services. It also proposes some additional requirements for direct marketing.
As with the GDPR, this will introduce new compliance obligations for operators across the digital space interacting with EU-based individuals.
The key points in the Commission’s proposal are:
- GDPR Consistency – the new regime is more consistent with the GDPR, especially in terms of the test for consent and the high sanctions of up to 4% of worldwide turnover for breaches.
- Consent becomes opt-in – User consent for processing of their data must be “freely given, specific, informed and unambiguous indication….by a statement or by a clear affirmative action”. Users will need to be reminded every six months of the possibility of withdrawing their consent.
- Exemptions for analytics – Cookie fatigue among digital users has been widely cited as a problem by both consumers and businesses. Acknowledging this, the Commission has removed the consent requirement for transactional or analytic cookies such as those used for shopping carts or web audience measurement. However, this exemption only applies to first-party analytic cookies, not third-party analytic cookies, so if your website or app uses a tool like Google Analytics the exemption will not apply.
- Increased responsibilities placed on browsers – Browser settings can be used by consumers to indicate consent or lack thereof, promoting the “Do Not Track” approach currently used by some browsers. The difficulty with this will continue to be that not all websites may honour the browser request. An initial proposal that would have required browsers to set maximum privacy settings as the default, such as by deactivating third-party tracking cookies by default, was removed from the published draft.
- Direct marketing – Electronic marketing will still require consumer opt-in (although the soft opt-in for existing customers still applies). Leeway is given for Member States to enact legislation that enables unsolicited calls to be made to those who have not expressed objections. The Commission has also proposed a specific prefix for direct marketing calls.
Businesses operating across borders will need to pay particular attention, as the Regulation will apply uniformly across the EU. Although the aim is for the legislative proposal to become effective on 25 May 2018, the implementation timetable is optimistic in light of the time taken to discuss and negotiate previous digital initiatives in the Council and Parliament, such as the GDPR, which took over four years to be agreed.
It will be interesting to see how the ePrivacy Regulation finally succeeds in balancing the delivery of effective and innovative services by business with privacy rights and user choice and control.
Dr Michelle Goddard, Director of Policy & Communication, EFAMRO