ePrivacy Regulation: what will it change?
17 Jul 2018
Introduction
The ePrivacy Regulation will replace the current ePrivacy Directive, which was implemented in the UK via the Privacy and Electronic Communications Regulation (PECR). EU member states interpreted the ePrivacy Directive in different ways, meaning the rules vary across the EU. Overall it is remembered by marketers as the ‘cookie law’ as it required organisations to have a cookie pop-up explaining that cookies are used by a website.
Why?
The EU Commission stated the new law was necessary to ensure ePrivacy rules are consistent with GDPR and reinforce trust and security in the EU’s digital single market, a flagship policy.
Divergent ePrivacy rules across the EU can act as a barrier to cross-border trade. The ePrivacy Regulation will apply equally in all member states and will, therefore, harmonise rules.
The DMA position is that there must be a clear and detailed rationale for each proposal in the ePrivacy Regulation. Having spent years working on the GDPR, which is considered the gold standard in global data protection, there should be no contradiction between GDPR and ePrivacy.
What will change?
ePrivacy poses perhaps an even greater challenge to marketers than the GDPR. This is because of its possible severe impact on B2B marketing and the use of cookies online.
B2B marketing
Under PECR, direct marketing can be sent to employees working for corporates or public authorities without consent, on an opt-out basis. The new law would reverse this and align B2B marketing with B2C. Therefore, consent would be required for B2B marketing; no contact could be made without prior permission.
This would severely hamper the work of B2B marketers, who rely on prospecting to generate new business. It would also be anti-competitive as SMEs don’t have large amounts of customer data and therefore often rely on using third-party lists bought from a supplier. They then contact people without permission but offer them the chance to opt out. SMEs would be at a disadvantage in comparison to large companies that already have large customer databases.
Cookies
At the moment, a website will display a cookie banner informing individuals that the website uses cookies for the purpose of data analytics and marketing, for example. If someone doesn’t want cookies dropped on their device they can stop using the website. However, under the new rules, the Commission proposes that internet browsing companies should design some sort of functionality to facilitate individual and specific consent for cookies, with some exceptions.
Unhelpfully, the text doesn’t outline a particular solution and will leave that to the internet companies. Many marketers are concerned that even more power will be given to American tech giants like Google, which already govern large parts of the digital advertising ecosystem.
This change would effectively end digital advertising as we know it, with its often convoluted and confusing supply chain. It would make the use of third-party cookies extremely difficult, if not impossible. It’s also unclear if the Commission could compel the likes of Google to create a solution in the first place.
The proposal clarifies that cookie consent wouldn’t be required for the purposes of analytics, for example cookies for improving internet experience (e.g. remembering shopping cart history) or cookies which count visitor numbers. However, this exemption may only apply to first-party analytics, not third-party analytics (i.e. platforms like Google Analytics).
Existing customer soft opt-in
Currently, marketers are able to contact existing customers over email and SMS without asking for consent. They can only do this if they’re marketing similar products and services to what the person bought before and always offer an opt-out from marketing.
The ePrivacy Regulation would keep the existing customer soft opt-in but place a time limit upon it of 12 months. This time limit is arbitrary as the length of time between contact is dependent upon the context and what product or service someone bought. There are products with long life cycles where it may make sense to first make contact 12 months or later.
Telemarketing
The text proposes prior consent for ALL electronic communications including live marketing calls. However, there is a provision allowing Member States to adopt an opt-out consent regime at a national level for telemarketing.
This would mean the UK could keep its existing approach with the requirement to screen against the Telephone Preference Service (TPS). The DMA supports maintaining the TPS as moving to an opt-in regime would not affect the rogue traders that already flout the law to make nuisance calls.
There are specific additional requirements in the proposal for callers to display their phone number or to at least use a special prefix to indicate the call is for telemarketing purposes. Consumers must also be able to block such prefixes if they choose.
Legal grounds for processing
The GDPR outlines six separate legal grounds for processing personal data. If an organisation processes personal data then one of these legal grounds must underpin it. The DMA long lobbied for direct marketing to be included as a legitimate interest, which is recognised in recital 47 of the GDPR.
However, the only legal ground referred to in the ePrivacy Regulation is consent and while consent may be appropriate in certain circumstances, in general, it offers less flexibility to marketers than legitimate interest.
The DMA is arguing for all legal grounds to be referenced in ePrivacy, in particular legitimate interest, to ensure consistency between them.
OTTs and VoIPs
What is clear is that so-called ‘Over the Top’ services (OTTs), which include instant and social media messaging services (such as WhatsApp), and ‘voice over internet protocol’ providers (VoIPs) (such as Skype), will soon fall under the same EU laws as telephone calls, email communications, and SMS messages.
The process
The EU Commission proposes legislation; it initiates the process. The EU Parliament and Council of Ministers are then given a chance to discuss and make amendments. Once the Parliament and Council of Ministers have each agreed their own version of the text, they enter into trilogue negotiations, along with the Commission, and a compromise position is reached, which then becomes the law.
Illustrated below:
The Parliament has already agreed their version of the text and their amendments did little to allay DMA concerns, as outlined above. In many areas, the Parliament text actually creates more problems for marketers. The Parliamentary Committee narrowly voted to accept the proposed amendments by a margin of 31 to 24.
On the other hand, the Council of Ministers are still discussing their version of the text and are making slow progress. This is because the Council is more concerned with the possible negative impacts on economic growth. They fear that the text may have unintended consequences, a sentiment the DMA shares.
Timeline
There is pressure from the EU Commission on the Council to agree their version of the text as quickly as possible. The DMA has sent letters to key UK Government ministers cautioning them against rushing to an agreement. Our EU DMA partners have sent similar letters in their own countries too.
Once the Council agrees their version of the text the trilogue negotiations can begin. Negotiations may well be prolonged because this is a contentious piece of legislation with quite varied views between the Council and Parliament. Even the Parliament itself was very divided, with the vote to approve their version of the text narrowly winning with only several votes in it.
In May 2019 there are EU parliamentary elections and then after this the summer recess. If trilogue negotiations are not completed, or have not even started, then ePrivacy will be delayed significantly.
On the fastest timeline, ePrivacy will be agreed before the May deadline and then we will have either a 6- or 12-month grace period, depending on what is agreed. However, the May deadline might be missed and then delays will be significant. This is good news for the marketing industry, which is already dealing with the GDPR implementation, no small task.