Date: Nov 21, 2018 12:27 pm | Category: Data Protection

ePrivacy Regulation and Electronic Direct Marketing

What is it?

The ePrivacy Regulation (ePR) will replace the ePrivacy Directive 2002 (amended 2009), which gave us the UK’s Privacy and Electronic Communications Regulations (PECR) in 2003. The ePR is expected to come into force in 2019 and will apply to internet-based voice and messaging services (such as Skype, WhatsApp and Facebook).

It will also regulate communications metadata (such as location, device information, IP address); internet of things (IoT) devices (e.g. smart thermostats); electronic messaging services; and the use of cookies, pixels, web beacons and similar tracking technologies, amongst other things. Its objective is to update and strengthen privacy rules for electronic communications, reinforce trust and security in the digital market, and align the ePrivacy rules with the GDPR and apply them uniformly across Member States.

The ePR has the same territorial scope and administrative fine structure as the GDPR. The ePR, like the GDPR, is a European Regulation; it will therefore have binding legal effect throughout every EU Member State on a pre-determined date without the need for domestic legislation, although, as it contains scope for derogations, these may well be implemented through domestic legislation.

It specifically focusses on two things:

1) protecting individuals’ electronic communications and the integrity of their devices; and

2) setting out individuals’ rights to control electronic communications.

It also sets out the responsibility for regulation and a framework for remedies, liability and penalties. It sets out to regulate activities such as electronic direct marketing, website audience measurement and behavioural monitoring, the transmission of communications across devices and browsers, the use of cookies, and maintaining the confidentiality of electronic communications.

What does this mean for businesses?

Businesses are increasingly using electronic direct marketing to promote their products and services to specific groups of customers or prospects. Electronic direct marketing is the marketing of products or services using digital channels to targeted individuals. ‘Channels’ is a term that relates to different methods of digital marketing such as messaging via email, messaging apps, and social platforms (e.g. LinkedIn), search engine optimisation (SEO), targeted ads and re-marketing.

The ePR is expected to introduce greater regulation of electronic direct marketing. A key principle within the Regulation is that electronic direct marketing will require consent. The ‘soft opt-in’ exemption for existing customers, whose details are collected in the ‘context of a sale’ and who may be contacted by email/SMS about similar products or services, will continue to apply in a similar fashion, provided an opt-out was offered at the time the contact details were collected and is present in all subsequent communications.

However, the UK’s PECR has always featured a broader interpretation of the use of soft opt-in by allowing the soft opt-in to apply in relation to ‘negotiations of a sale’. The ePR also allows Member States to legislate for such consent to have an expiry date. It looks very likely the ePR will not permit such broad usage of the soft opt-in as used in the UK at present.

How are cookie consent and ‘opt-out’ options going to be affected?

Under the ePrivacy Directive, the ‘opt-out’ cookie banner was developed as a method for users to indicate their consent to cookies being placed on their devices and subsequently read by browsers. In general, if the banner was ignored or dismissed, this action was used to indicate consent had been granted.

The ePR aims to abolish cookie banners, as they are deemed ineffective and out of step with the concept of consent in the GDPR, because no response is interpreted as consent. The ePR aims to enforce that prior consent is obtained and is freely given and unambiguous (a clear affirmative action, i.e. ticking a box), that cookie information is clear and comprehensive, and that browsers contain cookie controls, which have started to emerge recently on many mobile apps.

The ePR proposes that cookies for website analytics should be exempted from the requirement for consent. However, the proposal only relates to first-party cookies. It is undecided whether third-party services such as Google Analytics will benefit from this exception.

Integration with the GDPR

The General Data Protection Regulation (GDPR) and the ePR reflect different parts of EU law. The ePR intends to reflect Article 7 of the European Charter in respect of an individual’s private life, whereas the GDPR was created to reflect Article 8 of the Charter in terms of protecting personal data. The private life of an individual is covered under the ePR, making it a requirement for a user’s privacy to be protected during online interaction.

Both laws work together to ensure that internet users have control over their data and that there is a legal requirement for all websites to maintain user data in a way that guarantees the safety of the information. However, some stakeholders, such as The Centre for Information Policy Leadership (CIPL) [1], have warned that the broad scope of the ePR will have unintended consequences, such as “undermining the GDPR, as well as legitimate, necessary and beneficial processing of data and business practices within the Digital Single Market.”

The voting on the amendments to the ePR [2] was narrowly won by those who favoured approving the regulation texts, i.e. privacy advocacy groups such as European Digital Rights. The decision was less favourable for marketing, advertising and media lobbyist groups [3] due to the potential impacts on ad-supported business models reliant on cookie and tracking technologies. EU organisations will eagerly await more clarity on the final form of the ePR and its implementation date. This is made all the more pressing by a recent statement from the European Data Protection Board (EDPB) [4], calling for a prompt implementation of the ePR.

Conclusion

When a data protection issue is raised regarding electronic communications, the ePR will take precedence over the GDPR. Organisations should be paying close attention to the ePR as they will need to comply with both regulations. Here at Data Protection People, we will be following the Council of the European Union’s and the EDPB’s decisions very closely as we look to provide solutions to the potential impacts for businesses introduced by the new regulation.

[1] CIPL Comments
[2] European Digital Rights Comments
[3] ePR Amendments Vote
[4] EDPB Statement on ePR