As companies continue to adjust to the demands of the GDPR, a new data law looms – the ePrivacy Regulation.
The ePrivacy Regulation serves as a revision to the current ePrivacy Directive — sometimes referred to as the EU Cookie Law. Similar to the GDPR, the regulation is based in the EU, but requires compliance from any business targeting EU consumers.
So how do these regulations differ from GDPR compliance? What does this new privacy law seek to accomplish? And how can you prepare to meet its guidelines?
1. What Is the ePrivacy Regulation?
The proposed Regulation on Privacy and Electronic Communications (ePrivacy Regulation) is an amended and expanded version of the current ePrivacy Directive.
The regulation seeks to set privacy standards regarding electronic communications – and the metadata associated with the electronic communications – of European citizens.
Adopted in January of 2017 by the EU Commission, the proposal is still under scrutiny, and will continue to be discussed, edited, and refined before it is officially and subsequently made enforceable.
The ePrivacy Regulation is intended to work in conjunction with the recently-released General Data Protection Regulation (GDPR) to achieve the EU’s reformed data protection framework.
The ePrivacy Regulation vs the ePrivacy Directive
You may be wondering why we need the ePrivacy Regulation when the ePrivacy Directive is already in place.
The regulation addresses three major components where the ePrivacy Directive has proven insufficient:
- Stricter guidelines
- Standardized enforcement
- Wider scope
Not only does the proposed regulation expand upon the directive’s guidelines by adding and amending provisions, but the regulation would notably standardize the EU-based legislation regarding privacy within the electronic communications sector.
Currently, the directive allows countries to create their own laws around privacy, provided that they meet the minimum standards established by the legislation. This leaves the standing directive as a loose framework for privacy, while the regulation would serve as a comprehensive and binding set of rules – applicable uniformly across the EU and to businesses operating therein.
Furthermore, the directive was crafted with traditional telecommunications services in mind, and neglects to write the appropriate provisions to govern the protection of data transmitted through new systems and platforms – like messenger apps and video calling services.
Along these same lines, the ePrivacy Regulation also expands its reach to include Internet of Things (IoT) technologies.
Studies show that IoT development and use is enjoying rapid growth at the moment. This trend, coupled with the digitally-advanced nature of many IoT devices – think bluetooth and ‘smart’ home devices – makes IoT a sector of technology in which personal data needs to be accounted for and protected.
As the current directive fails to meet these growing needs of an evolving digital world, the regulation seeks to move data privacy into the future.
2. Who Needs to Comply With the ePrivacy Regulation?
As is the case with the GDPR, the regulation is based in and enforced by Supervisory Authorities from the European Economic Area and Switzerland.
However, as both pieces of legislation act to grant rights to EU citizens, they are applicable to any business that targets EU citizens.
A study conducted by Vanson Bourne in 2016 found that 52% of U.S. companies, at that time, had data from EU citizens, making them subject to GDPR compliance.
Now, with the rapid globalization of online business and the increasing penetration of U.S. companies into the European marketplace, that number has surely grown – and continues to do so.
In the end, the bottom line is that most online businesses will need to comply with the guidelines of the ePrivacy Regulation.
3. When Will the ePrivacy Regulation Go Into Effect?
While the ePrivacy Regulation and GDPR were originally set to go into effect simultaneously, that is clearly not the case.
One of the leading factors in the regulation’s delayed institution is the fact that the text must be agreed upon by three governing bodies:
- The European Counsel
- The European Committee
- The European Parliament
Daniel Felz of Alston & Bird Privacy and Data Security says,
Trilogue negotiations will not begin until the fall of 2018. […] This would likely mean that a final ePrivacy Regulation text will not be agreed upon until near the end of 2018, or in 2019.
Furthermore, the regulation is expected to enjoy a one-year grace period between finalization and institution.
We saw this timeframe employed with the release of the GDPR as well, allowing business owners and other affected groups to develop and implement their compliance strategies.
4. EU ePrivacy Regulation vs GDPR
The ePrivacy Regulation is lex specialis to the GDPR.
Lex specialis means “law governing a specific subject matter,” indicating that the ePrivacy Regulation expands upon areas of the GDPR.
Of the relationship between the two, PrivacyTrust.com says:
The regulation takes on board all definitions of privacy and data that were introduced within the General Data Protection Regulations, and acts to clarify and enhance it. In particular, the areas of unsolicited marketing, cookies and confidentiality…
While the GDPR is concerned with all forms of personal data and the treatment of that information, the ePrivacy Regulation is focused on the transmission of data via communications such as:
- Text messages
- Messaging platforms (such as WhatsApp)
- Social media communications platforms (such as Facebook Messenger)
- Internet of Things (IoT) devices
The two regulations are designed to complement one another and create a comprehensive privacy framework to govern the EU.
5. What Are the Key Features of the ePrivacy Regulation?
The European Commission’s official website lists the key points of the proposed ePrivacy Regulation as:
- New players
- Stronger rules
- Communications content and metadata
- New business opportunities
- Simpler rules on cookies
- Protection against spam
- More effective enforcement
So let’s break down what exactly the Commission means with each of these points:
New Players
By expanding the scope to “new players,” the Commission is indicating which adjustments they’ve made in response to the rapidly-changing digital landscape.
Where protections and privacy standards were once (and largely still are) reserved for traditional telecommunications providers, the proposed regulation will expand the scope to include new avenues of electronic communication – such as Whatsapp and Skype.
By doing this, the Commission seeks to protect the content and metadata commonly associated with, and transmitted through, these increasingly-popular platforms.
Stronger Rules
The concept of “stronger rules” primarily boils down to legal semantics.
Currently, the title “ePrivacy Directive” indicates that enforcement relies on local governing bodies and implementation laws.
The “ePrivacy Regulation,” however, makes it so that the regulation is binding throughout the EU, and enforceable by its own merit – rather than being reliant on local jurisdictions.
In short, the regulation is inherently more powerful than the directive it succeeds.
Communications Content and Metadata
Of this rather broad component of the regulation, the Commission says:
Metadata [has] a high privacy component and is to be anonymized or deleted if users did not give their consent, unless the data is needed for billing.
Furthermore, if the data in question has met the requirements for consent, and/or anonymization, and/or deletion, it can be used to introduce new services and technologies to the public.
On this, i-scoop.eu writes:
Telecommunication firms can develop new services by leveraging content and/or metadata (but see the previous statement on anonymization) when consent is given for processing.
New Business Opportunities
This point is directly related to the one above, drawing our attention back to the development of new data-related technologies and services.
Essentially, the Commission proposes that so long as privacy and anonymity is maintained, data obtained through electronic communications can be made available for other purposes.
The Commission uses the following as an example of the new business opportunities being made available by the regulation:
They [telecoms operators] could produce heat maps indicating the presence of individuals; these could help public authorities and transport companies when developing new infrastructure projects.
Simpler Rules on Cookies
Cookies have proven important when it comes to the ePrivacy Regulation. In fact, its predecessor – the ePrivacy Directive – is referred to as “The Cookie Law.”
In its amended and improved form, that title should hold no less true, as the regulation continues to heavily address the deployment of and user consent to computer cookies and other tracking technologies.
How the regulation seeks to improve the current directive’s provision on cookies is by streamlining the way cookie consent (see our what are cookies explainer if you need a refresher on how they work) is introduced and collected.
The Commission says:
The new rule will be more user-friendly as browser settings will provide for an easy way to accept or refuse tracking cookies and other identifiers.
Let it be noted that what these user-friendly browser settings entail has yet to be disclosed. While your cookie policy template will probably not be subject to drastic changes, how users opt in vs opt out of cookie use will likely see the biggest adjustments.
This is one of the most critical issues for concerned companies to follow, as it will determine how to properly seek user consent to cookies – an issue that affects almost all online businesses.
Further executing their play for simplicity and smooth business-to-users operations, the Commission states that:
The proposal also clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history) or cookies used by a website to count the number of visitors.
This likely comes as a relief to you, as most businesses depend on the use of such necessary cookies as those described.
Protection Against Spam
Another big wig in the proposed regulation, the provision on protection against spam will likely affect all businesses – but are particularly applicable to the marketing sector.
The GDPR has already undertaken the task of redefining what it means for users to consent (if you’re confused make sure to read some GDPR consent examples) to receiving marketing materials through email and other forms of communication (like text messages).
ePrivacy, on the other hand, has upped the ante – dictating that marketers must obtain explicit permission to deploy marketing outreach to each and every email address and mobile device affected.
Marketers will not be able to send emails or text without prior permission from each email or mobile account holder. – PrivacyTrust
While the GDPR allowed for wiggle room in sending emails to non-consenting users (for instance, if they were doing so on the grounds of GDPR legitimate interests), the ePrivacy Regulation overrides this, by making user consent, under most countries’ jurisdictions, an immovable part of the equation. Our privacy policy emails guide and template gets into the details of how you can stay on the right side of this regulation.
As we previously mentioned, the onus of enforcing the guidelines of the ePrivacy Directive falls on local jurisdictions within the European Economic Area and Switzerland.
More Effective Enforcement
The European Commission writes:
The enforcement of the confidentiality rules in the Regulation will be the responsibility of data protection authorities, already in charge of the rules under the General Data Protection Regulation.
As we previously mentioned, the onus of enforcing the guidelines of the ePrivacy Directive falls on local jurisdictions within the EU.
Now, the ePrivacy Regulation will be enforced by the same bodies ensuring GDPR compliance.
Not only are the enforcing agencies the same for the ePrivacy Regulation and the GDPR, but the fines are also the same – meaning the cost of non-compliance comes in at 20 million euros, or 4% of a company’s annual revenue.
6. What Controversy Surrounds It?
Like any legal proposal, the ePrivacy Regulation is caught between two camps – those in favor and those in opposition.
As the text continues to undergo debate and renovation, voices are emerging boasting claims that the regulation – in its current iteration – is either too lenient or oppressively strict.
So what arguments are being made on either side of the debate?
The Ad World’s Concern
According to Jessica Davies of Digiday, those who stand to lose the most at the hands of the ePrivacy Regulation are companies who engage in
- Behavioral advertising
- Third-party cookie implementation
- A/B testing
Davies is just one of the many voices that has raised concerns over the consent guidelines regarding cookies under the ePrivacy Regulation.
As the regulation calls for a streamlined approach to cookie consent, the text indicates that users will have the ability to opt out of cookies implementation on a sweeping scale.
Many companies rely on cookies to track user behavior and tailor their online experience and marketing strategies to what those cookies find.
The fear within the advertising community, in particular, is that users will automatically opt out of having cookies track their behaviors online without fully understanding what those cookies do and how they affect the user experience.
If the ePrivacy Regulation prevents companies and ad agencies from employing cookies and tailoring their business strategies based on cookie-collected data, detrimental effects may be seen in the marketing sector.
In Favor of Strictness
On the other side, arguments have been made that the ePrivacy Regulation isn’t quite strict enough.
On May 25th – the day the GDPR went into effect – the Commission released a progress report on the ePrivacy Regulation.
Of the updates contained in the report, the attorneys of Mayer Brown LLP wrote:
The direction suggested in the Progress Report somewhat departs from the approach promoted by the European Parliament back in October 2017.
Not only do they indicate that the progression of the ePrivacy Regulation has moved in the favor of leniency, but they go on to say:
Furthermore, the Progress Report suggests that activities concerning national security and defense be excluded from the ePrivacy Regulation.
This particular point sparks controversy as they indicate that the regulation grants special exclusion to government activities.
Europe has led the efforts in pioneering a new age of data privacy, and that effort is in large part a response to the government abuses of personal data carried out during the Holocaust.
As the EU’s stance on data privacy is rooted in preventing such atrocities from happening again due to the inappropriate collection, analysis, and leveraging of personal data, the ePrivacy Regulation’s exclusion of government activities risks undermining this effort.
7. Conclusion
Regardless of the arguments for or against the ePrivacy Regulation, it’s already well on its way.
While we may see changes in the text in the coming months, and have yet to receive word on an official date of recognition and institution, we can expect big changes in the data privacy landscape in the near future.
Between the GDPR and the ePrivacy Regulation, the European Union is making waves in the digital world, reshaping the way data is treated and privacy is maintained.
The new standards are here – and it’s time for businesses to comply.
