The new EU ePrivacy Regulation: what you need to know

While quite some organizations are investing to be compliant with the upcoming European General Data Protection Regulation (GDPR) and others are still trying to get their heads around it and aren’t even close to ready, another EU Regulation requires your attention: the new EU ePrivacy Regulation.

The enforcement of the confidentiality rules in the Regulation will be the responsibility of national data protection authorities.

This Regulation, which currently (February 2017) still is a proposal text, is an update of the EU’s existing ePrivacy legal framework, more specifically the EU ePrivacy Directive which goes back to 2002 and was revised in 2009, requiring prior consent regarding cookies.

Since then the Directive on Privacy and Electronic Communications (Directive 2002/58/EC and the 2009 update, Directive 2009/136) often was called the cookie law by the marketers and Web folks among us (and is the reason why you see cookie consent popups on many websites, including ours) since it became national law in EU countries with a gradual implementation, national differences and, let’s say relatively inconsistent enforcement across these countries.

EU ePrivacy Regulation - new electronic communication rules 2018 - impact and changes

Attention though: the ePrivacy Directive and Regulation isn’t just about cookies. It concerns electronic communications and the right of confidentiality, data/privacy protection and more. In other words: personal data protection.

Electronic communications means that it includes the Web, the Internet (email, apps, you name it), telephone, instant messaging and so on. So we are also talking about spam, direct marketing, telecommunication firms, mobile app developers, online advertising networks and, often overlooked, the Internet of Things (IoT), among many many others. A look at the text and the impact. Ready? Go!

ePrivacy: from a Directive to a Regulation

Why is this coming new ePrivacy Regulation important, why is it needed and how is it different?

First of all note the difference in the terms: whereas now we have an ePrivacy Directive, the newcomer is called an ePrivacy Regulation. This means that the new ePrivacy Regulation is self-executing and becomes legally binding across the EU, whereas its predecessor, the ePrivacy Directive, required local regulations for implementation with the mentioned inconsistent enforcement as one consequence.

Consent for non-privacy intrusive cookies which improve the Internet experience of the user soon is not needed anymore.

Secondly, the current ePrivacy Directive came as a complement of the EU’s Data Protection Directive. It’s exactly this Data Protection Directive that is being replaced by the General Data Protection Regulation or GDPR in 2018. As a consequence but also to ‘improve’ the current so-called ‘cookie law’ and, among others, include new forms of electronic communications (IoT and more), the new ePrivacy Regulation complements the GDPR and in pretty much the same way strives towards uniformity across the single digital market as a Regulation instead of a Directive.

New stipulations and consequences of the coming ePrivacy Regulation

Is that all? No. The new ePrivacy Regulation of the EU also goes several steps further than the current laws which exist as a result of the current Directive.

Taking into account that the text for now still is a proposal and we don’t know the final text nor the date when the ePrivacy Regulation will become enforceable (although the ambitious goal is to “let it go live” on the same date as the GDPR, which is not a proposal but final), below are some key new stipulations and consequences regarding the use of cookies and other impacts on the Internet and electronic communications services and providers.

We tackle the majority of aspects and impact of the “new” ePrivacy Regulation but for a very handy overview of pretty much everything below is a slideshare you can first go through in order to get the specifics.

The ePrivacy Regulation and cookies

Although the ePrivacy Directive has become known as the cookie law to some, as said it’s about more than just cookies.

But cookies and cookie consent are among the most visible aspects and there is also quite a bit that is poised to change in this regard.

According to the draft text of the new ePrivacy Regulation under certain conditions cookies consent is not needed anymoreThe ePrivacy Regulation AIMS to simplify the rules regarding cookies and streamline cookie consent in a more ‘user-friendly’ way. As such that is great news. In practice it, among others means that EU websites and websites with EU visitors, will not need to show those cookie consent pop-ups anymore. Hurray, that is indeed more user-friendly and less of a hassle for website owners (for us it’s another plug-in that can go).

Easier cookie rules: yes and no

HOWEVER, the current proposal says that browser settings will enable website visitors to accept – or refuse – cookies, as well as other ‘identifiers’.

Using browser settings for cookie consent/refusal de facto means that you’ll see more and more websites that show pop-ups saying “sorry, no visit if no cookies” as we already see with adblockers. So, it seems that one pop-up is indeed being replaced by another one, on a site level (unless the site doesn’t care about cookies which is not really the case for publishers nowadays).

For some cookies there is good news. In the proposal it is also foreseen that consent is not needed for “non-privacy intrusive cookies” which improve the Internet experience of the user.

Examples include e-commerce cookies, remembering shopping cart histories and cookies for Google Analytics and the many others. It’s not very likely that cookies for online advertising will be interpreted as improving the Internet experience, although opinions will obviously differ.

Advertising and marketing cookies: not simple at all

Now, all is not said yet and of course work had been done to prepare the draft text, including discussions with various stakeholders, also in the advertising space.

In the 432-pages report made by Deloitte for the European Commission  you can read the reasoning on the pros and cons of first-party and of course third-party cookies (“the backbone of digital advertising”). A link to it and all other sources below.

We don’t have to tell you that with all the marketing automation, audience measurement (on online media properties), connected databases of third-party cookies (for instance, enabling retargeting to name something still relatively simple), social network cookies, analytics cookies and so forth there is a whole lot of cookies going on. In the so-called ‘Cookie Sweep’ in 2014, it turned out that on average there were about 28.9 cookies on the analyzed media, public sector and e-commerce sites (in the EU), 70% being third-party cookies as the Deloitte report also mentions.

 While the sophisticated networks of cookies, as advertising and media bodies always say, make it possible for Internet users to get (increasingly partial) access to ‘free content’ (paid by the ads), and there is a case for ‘relevance’ of the ads in the context of the Internet user by better targeting, at the same time it’s also pretty well-known that for the average Internet user it’s far from clear how he/she is tracked across networks. We’ve rarely seen a website where those 28.9 cookies and trackers on average are mentioned nor read a cookie policy that’s understandable or makes it clear for an Internet user what really happens in the background with all those connected networks and sites and so forth when visiting a site or using some app.
Cookies beware: major fines

Even if we deduct the ones where consent won’t be needed anymore it’s still a lot and we don’t think this debate is over. It is – to say the least – complex and changes quite some things.

While the Commission finally acknowledged the important role of advertising for funding free content online, it does so at the same time as presenting a law that as a practical matter would undeniably damage the advertising business model – without achieving any real benefits for users from a privacy and data protection point of view (IAB Europe CEO Townsend Feehan expressing the IAB’s dismay about the ePrivacy Regulation proposal text)

Moreover, the stakes are high: did we mention that the same fines as in the GDPR apply? Indeed, you read that right. High fines and little margin for error in a heck of a difficult context.

It probably won’t come as a surprise that the IAB (Interactive Advertising Bureau) Europe rapidly responded as soon as the draft text was leaked, stating that it was “dismayed by the European Commission’s proposal for a new ePrivacy Regulation, the next iteration of the infamous cookie law”.

From the draft text: “Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties from storing information on the terminal equipment; this is often presented as ‘reject third party cookies’. End-users should be offered a set of privacy setting options, ranging from higher (for example, ‘never accept cookies’) to lower (for example, ‘always accept cookies’) and intermediate (for example, ‘reject third party cookies’ or ‘only accept first party cookies’). Such privacy settings should be presented in a an easily visible and intelligible manner”.

The ePrivacy Regulation and the Internet of Things

From cookies we jump to something entirely different: the Internet of Things (IoT). By now we suppose people know what it is (and it’s not an it or thing but that’s another topic).

The principle of confidentiality should apply to current and future means of communication

Before we start: do note that the Internet of Things is also tackled in the GDPR where, for instance, RFID tags, fall under the category of so-called identifiers (more about those online identifiers here).

In a European context we can say that the IoT is part of the backbone of Industry 4.0 and, not unimportant, in the coming years (until 2020) growth in the consumer segment of the Internet of Things is expected to be high in Western-Europe. As a matter of fact, by 2020 consumer IoT spend will jump to the third spot of IoT spend globally (until then, the market is led by respectively IoT spend in manufacturing or Industry 4.0, IoT spend in transportation and IoT spend in utilities, three segments of the Industrial Internet of Things).

However, in Western-Europe, consumer IoT already will rank second from an IoT spending perspective in 2020.

So, it’s probably noteworthy that in the proposal text of the ePrivacy Regulation, the Internet of Things is specifically mentioned and that “the principle of confidentiality which is enshrined in the Regulation should also apply to the transmission of machine-to-machine communications”. The text also calls for specific safeguards under sectorial legislation.

In the introduction, mentioning that principle of confidentiality the IoT is not specifically included but beware: it is mentioned further (and you can see it as part of ‘the current and future means on communication”).

From the introduction text: “Confidentiality of electronic communications ensures that information exchanged between parties and the external elements of such communication, including when the information has been sent, from where, to whom, is not to be revealed to anyone other than to the parties involved in a communication. The principle of confidentiality should apply to current and future means of communication, including calls, internet access, instant messaging applications, e-mail, internet phone calls and personal messaging provided through social media”.

The Internet of Things and regulation: GDPR, ePrivacy and more

The ePrivacy Regulation and Over-the-Top communication services

Have you ever heard about Over-the-Top communication services or OTTs? In all honesty: we hadn’t.

Privacy rules will now also cover new providers of electronic communications services, such as WhatsApp, Facebook Messenger, Skype, Gmail, iMessage, or Viber (PR EU)

Just as the Internet of Things is included, these new ways of communication are also subject to the ePrivacy Regulation.

OK, but what are they? When we say Skype, Facebook Messenger and WhatsApp it’s probably clear enough.

So, in the new Regulation, the privacy and confidentiality and data protection rules of any company offering electronic communications services will apply to them as well: Voice over IP, instant messaging and anything else really.

The ePrivacy Regulation, direct marketing and email marketing

Like its predecessor, the ePrivacy Directive, the upcoming Regulation foresees various rules on spam and unsolicited electronic communications by other means such as SMS.

92% of Europeans say it is important that their emails and online messages remain confidential. However, the current ePrivacy Directive only applies to traditional telecoms operators (EU PR)

While spam and unsolicited electronic communications obviously aren’t marketing, we mention it under that umbrella as we know a few publishers and others that will be in for some serious surprises as they seem to keep sending “marketing” messages, even if you unsubscribed a gazillion times. Identifying other spammers is obviously another ball game.

Direct marketing also means calls and here there is something we really really like: marketing callers will need to show their phone numbers or use a prefix which indicates the call is a marketing call.

Nowadays those numbers are virtually always hidden. As a result we stopped picking them up but now and then a customer uses them as well. So, when we do pick them up and for the 694th time need to say we don’t want a subscription to a magazine that’s pretty uncool.

The impact of the correlation with the GDPR

We touched upon it previously but can’t emphasize it enough: the new ePrivacy Regulation is one single set of rules concerning all EU citizens and companies but it also ‘inherits’ several principles and stipulations from the GDPR.

The ePrivacy Regulation is lex specialis with regard to GDPR: it covers specific processing of personal data in the field of electronic communications and prevails on GDPR in case of conflict (Johan Vandendriessche, see SlideShare)

Undoubtedly one that will make many people concerned (from website owners to instant messaging developers, advertisers and – hopefully – spammers) are the fines.

Two different ‘sets’ of fines exist in the proposal’s text:

  • “Infringements of the principle of confidentiality of communications, permitted processing of electronic communications data and time limits for erasure”: the up to 20 Million Euros or, in the case of an undertaking, up to 4 percent of worldwide annual turnover, whichever is the highest, as we know it from the GDPR.
  • “Infringements regarding obligations of legal or natural persons who process electronic communications data, the obligations of providers of publicly available directories and/or the obligations of legal/natural persons who use electronic communications services: up to 10 Million Euros or, in the case of an undertaking, up to 2 percent of worldwide annual turnover, whichever is the highest.

The further details regarding these obligations can be found in the articles 5, 6 and 7, and paragraph 1 of the text for the first set of infringements and in articles 8, 10, 15 and 16 for the second set of infringements.

(Tele)communications content and metadata

As the infographic below and the summary of the Regulation state, privacy is guaranteed for communications content itself and for the metadata of the content.

The metadata needs to be anonymized or deleted in case there is no consent with one exception; when it’s needed for billing.

Finally the summary also states that telecommunication firms can develop new services by leveraging content and/or metadata (but see the previous statement on anonymization) when consent is given for processing. This enables them and organizations to develop new services in a Big Data scope.

Examples of this already exist in the EU, whereby whomever is interested can gain insights in data from telecommunications providers and leverage them, for instance to detect patterns and heat maps showing the location of (mobile) users.

ePrivacy Regulation resources

This is about all we’ll cover for now. There is a lot more to say and if you are, among others, a provider of public directories, there are specific stipulations

Additional resources:

Time for us to seek a lawyer who is specialized in cookies, even if we only have Google Analytics and Google ads.

 

 

Top image: Shutterstock – Copyright: one photo – All other images are the property of their respective mentioned owners.