What we know about the ePrivacy regulation so far
By now, if you haven’t heard of the General Data Protection Regulation (GDPR), it’s likely you’ve either been asleep or living under a rock for the past year.
However, when it comes to the legislation’s electronic comms counterpart – the ePrivacy Regulation (ePR) – there’s less chance you’ll have given it much thought, or even recall it being mentioned at all.
So, what exactly is it?
Originally intended to come into force at the same time as the GDPR, the new European ePR has been drafted to work in conjunction with the wider data protection legislation and will replace the UK’s existing Privacy and Electronic Communications Regulations (PECR).
However, amidst all the GDPR panic – and largely down to the fact that the finer details are yet to be finalised – the ePR seems to have been forgotten. Many are now saying it’s unlikely at this stage that it will be implemented on 25 May 2018, but that’s yet to be confirmed.
And what will it entail?
Like the GDPR, the ePR will be applicable to all organisations worldwide that provide services to EU citizens. Although little has been confirmed or denied about the new regulation since the initial proposal was published by the European Commission in January 2017, there are a few key things we do know that it’s worth being aware of so far…
- Cookies
The main takeaway point from the proposal is that cookies will no longer be website-specific, so those annoying permission banners that pop up when you visit a new page will be gone – or rather replaced by privacy notices. Website users will instead be able to select their default privacy settings when configuring their browsers, giving them greater control over the private information that’s stored on their devices.
With more of a focus on browser settings, the regulation aims to cover issues surrounding ad-blocking and WiFi location services too. However, some have expressed worry that blocking cookies by default could actually damage the user experience.
- Electronic comms
As well as emails, the new regulation will apply to all channels delivering comms via the internet – including messaging apps like WhatsApp and Facebook Messenger, and VoIP providers such as Skype.
Collectively known as ‘over-the-top’ services, any comms sent through these channels will have to follow the rules set out in the ePR relating to consent and content. The intention is to more tightly control how these platforms are employed to target users, as well as the metadata involved within the transmission of these messages.
- B2B marketing
A particularly grey area within these new regulations, rules governing B2B marketing comms are also expected to be included in the finalised ePR.
At this stage, the choice for marketers seems to be that they can either choose to rely on legitimate interest for B2B communications – and have adequate evidence to back their claims – or actively seek consent from those they wish to contact.
- Opting in
This is another slightly blurry area of both the GDPR and ePR, with the ICO stating that the latter “tightens the rules on marketing, with the default position being that all marketing to individuals by phone, text or email must be opt-in”. However, the soft opt-in option that exists now will still be applicable in certain situations, which has created some confusion.
For instance, it’s likely that promotional comms sent to existing clients and customers will still be permitted – as long as the messages relate to similar products or services. The crucial thing to remember is that recipients must be given the option to opt-out via easily accessible unsubscribe buttons/other interactions.
- Security and breaches
To avoid duplicating the security obligations outlined within the GDPR, the ePR won’t cover these, which will hopefully help to simplify the responsibilities that businesses have. As an extension to these, it does introduce the need to notify customers of specific security risks, so it’s worth keeping an eye on how this pans out.
Plus, when it comes to breaches of the regulation, the two-tier fine system is the same as that of the GDPR – up to £17 million, or 4% of global turnover. It goes without saying that the penalties are extreme, with some claiming that this is to make the cost of compliance efforts seem minimal by comparison – but we’ll let you make up your own mind on that one!
Well, the general consensus seems to be that companies should focus on getting over the GDPR compliance hurdle first, then keep up that momentum to leap over the ePR one – whenever it makes an appearance down the line. Hopefully we’ll have some idea of just how high we’re going to have to jump sooner rather than later!
The key thing to remember is that the GDPR is the over-arching legislation governing the security of personal data, whilst the ePR sits under this wider regulatory umbrella and governs how you use it.
For further updates on the ePrivacy Regulation, keep an eye on our blog! And if you’re after some clear guidance about GDPR compliance, just get in touch.