The new ePrivacy Directive - making life after GDPR tougher?
13 Feb 2017
If you’ve been preparing for the introduction of the GDPR by reviewing the information that’s already publicly available, you may have noticed that a large part of the framework relates to the PECR (Privacy and Electronic Communications Regulations). PECR covers specific rights that individuals have with regard to electronic communications (marketing calls, cookies, emails, etc.), but these regulations are set to be replaced by the e-Privacy Directive.
On the 12th of December 2016 the text of this replacement directive was leaked. The draft suggests a significant toughening of the online and direct marketing landscape and a convergence toward the principles of the GDPR.
This is just a draft at present, and the leaked text may not be 100% accurate, but it is worth noting the proposed changes and considering their implications.
Bear in mind this is a Directive, which means it is not law and individual countries currently have autonomy to alter it. Assuming things run their natural course, however, it will be upgraded to a Regulation and pass into law.
Areas of Interest:
Cookies and Similar Technology
The draft broadly maintains the current consent rule for cookies. Prior consent will be required unless there is a strict necessity for electronic communication with the subject.
The draft suggests that rules will apply not only to cookies but also whenever information about the device in question is collected.
What about Analytics? The draft does not refer to analytics specifically, but does suggest a more relaxed approach for "web audience measuring to that service…carried out by the provider of the information society service".
Analytics companies may need to reword consent requests, though, to better capture their activities.
We can expect much negotiation and lobbying - especially from the online advertising industry - before the draft text is finalised. It does, however, seem that the cost of getting cookie compliance wrong in the future will be much more significant.
Browser Providers/Mobile Device Providers and ‘Do not Track’
Unsurprisingly, the definition of consent used in GDPR applies to the draft e-Privacy text. There are, however, some practical changes that will make obtaining consent much trickier.
The draft requires technology providers to include default settings which must all be set to preclude third parties from storing information on, or using information about, an end-user’s device. Browsers will have to be pre-configured so that cookies used for frequency capping of ads or ad-serving will be blocked by default unless a user opts to enable them.
Similarly, mobile device manufacturers and operating system manufacturers will have to ensure that SDKs (used by app developers to allow ad tech companies to collect data) are blocked by default.
The draft also states that end-users can express consent simply through the technical settings of a software application which gives them access to the Internet. If all their browser defaults are set to reject cookies and they then switch settings to allow cookies, this will operate as permission for cookies, without the need for overlays or consent pages.
Marketing Opt-Outs and Opt-Ins
The new text contains rules on email and phone marketing.
The draft proposes a general prior consent (i.e. opt-in) requirement whenever electronic communications services are used to transmit direct marketing. The current distinctions between corporate subscribers and individual subscribers are not retained – although the so-called ‘soft opt-in’ for email marketing for similar products and services in limited circumstances remains.
Voice calls are generally considered more intrusive than other forms of marketing. Direct (voice) marketing calls will be required to use a specific marketing prefix number, so that end-users can recognise them as marketing calls.
Liability and Sanctions
The draft follows the approach of GDPR in extending broader rights to individuals (such as rights for representative bodies to bring claims and provisions tilting the balance of proof in favour of individuals).
The fines are also in line with GDPR:
2% of turnover – applicable to providers of devices and software who fail in their privacy
4% of turnover – for breaches of communications secrecy requirements, cookies and rules on use of metadata
The draft suggests that it will come into force 20 days after publication in the Official Journal and will be effective 6 months after that. The Commission objective had been to ensure that changes to this instrument were effective at the same time as GDPR – i.e. 25th May 2018.
The proposed directive (and future Regulation) provides additional privacy and data protection guidelines, and fines! There is lots here to digest, and we’ll all need to consider the contents of the final draft in conjunction with the upcoming GDPR changes.
Giles Kirkham, Information Security Officer at Occam DM Ltd (part of the St Ives Group)