The landscape of data protection and privacy is evolving more rapidly than ever. Just as companies have gotten used to the new, stringent requirements of GDPR, the new ePrivacy Regulation is poised to shake things up again.
While GDPR and the upcoming ePrivacy Regulation apply in Europe, the global nature of modern business (and digital marketing) means that marketers everywhere need to stay on top of what’s going on.
And with the CCPA compliance deadline coming up at the beginning of January 2020, there’s plenty to keep us on our toes.
ePrivacy, GDPR and You: What Marketers Everywhere Need to Know
Note that we aren’t lawyers, and the information in this article is intended solely for informational purposes and shouldn’t be taken as legal advice.
The ePrivacy Regulation (ePR) was originally slated to come into effect alongside GDPR in 2018, but has been delayed by amendments and lobbying. It’s currently estimated that it will come into effect some time in 2019.
With just a couple months left in 2019 at the time of writing, it’s important to be aware of what’s coming down the pipeline.
The Difference Between GDPR and ePrivacy
Here’s the difference between GDPR and the ePrivacy Regulation. GDPR is a wide-reaching regulation with a broad scope, while the ePR specifically governs electronic marketing, cookies and other tracking technologies.
That terminology is important, as well – it’s a “regulation”, meaning it’s a legal act and completely enforceable across all member states, as opposed to a “directive”, which allows every member state to apply their own processes and mechanisms to enforce the law.
In addition, the ePR will also be lex specialis to the GDPR. In plain language, that means that ePR will cover specific subjects and apply rules around those subjects, while remaining inside the scope of GDPR.
What Does the ePrivacy Regulation Apply To?
As the draft of the regulation puts it:
Electronic communications data should be defined in a sufficiently broad and technology-neutral way so as to encompass any information concerning the content transmitted or exchanged […] and the information concerning an end-user of electronic communications services processed for the purposes of transmitting, distributing or enabling the exchange of electronic communications content; including data to trace and identify the source and destination of a communication, geographical location, and the date, time, duration and type of communication.
Unpacking that a little, it means that communications are protected regardless of how the data is transmitted. It covers, for example, radio, optical, wire and electromagnetic transmissions.
This means that data sent via cables, networks and satellites falls under the purview of the ePR.
The ePR aims to update EU privacy protection rules to include more modern communications methods, like OTT (over-the-top) services that sit on top of network provider services, with a ‘front’ service or app, such as Skype and WhatsApp.
Cookies also fall under the ePR’s umbrella, which is a major shift. The draft of the regulation explains:
Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties from storing information on the terminal equipment; this is often presented as ‘reject third party cookies’.
The ePR endeavors to allow browser settings to enable blanket refusal or acceptance of tracking cookies, and to clarify that consent is not required for non-privacy-intrusive cookies that serve to improve the user experience on the internet. Examples of these are cookies that remember your shopping cart history, or cookies that a website uses to count its visitors.
Under the new regulation, companies will be required to give users the option to set blanket, higher-level cookie policies (such as ‘never accept cookies’) as well as lower-level ones (such as ‘reject third-party cookies’).
These options also have to be presented in a clear way that’s easy to understand.
Consent must be “freely given, informed, specific and provide an unambiguous indication of the individual’s wishes by a clear, affirmative action”.
The regulation defines direct marketing as:
[…] any form of advertising by which a natural or legal person sends direct marketing communications directly to one or more identified or identifiable end-users using electronic communications services. In addition to the offering of products or services for commercial purposes, this should also include messages sent by political parties that contact natural persons via electronic communications services in order to promote their parties. The same should apply to messages sent by other non-profit organizations to support the purposes of the organization.
This is to say that all unsolicited communication through channels like email, SMS, MMS, instant messaging, Bluetooth and automated calling will be banned under the regulation. National laws will impact how this restriction is implemented in practice, of course.
Marketing calls will need to be identified by a “mandatory prefix” that enables people to identify who they’re receiving calls from so they can withdraw consent for that specific business if they wish.
The regulation adds:
[… it’s] justified to require that consent of the end-user is obtained before commercial electronic communications for direct marketing purposes are sent to end-users in order to effectively protect individuals against intrusion into their private life as well as the legitimate interest of legal persons.
Excluded from that requirement is the case where a business uses email contact information that has been obtained in accordance with GDPR requirements to offer similar products/services to users who have an existing relationship with that company.
What Does This Mean for Marketers?
Put simply, it means that unsolicited marketing is out when it comes to the EU.
In practice, this means that you need to be careful about your marketing communications. If you use cold email marketing, for example, you’ll need to meticulously scrub your contacts to ensure you aren’t sending campaigns to the EU.
It also means that if your website is accessible in the EU, you’ll have to change how cookies function in order to comply with the regulation. Functionally, of course, this applies to everyone with a website.
The ePrivacy Regulation has yet to be finalized and implemented, so changes may still take place before it rolls out.
Again, we aren’t lawyers, and this article should not be taken as legal advice. The contents are intended solely for informational purposes.