Whatâs the ePrivacy Regulation?
17 May 2018
DMA Towers is buzzing to the sound of four letters, GDPR.
Don’t drop the ball, there is another piece of legislation set to shake up the marketing industry, say hello to the ePrivacy Regulation.
This will replace the old ePrivacy Directive, which informs the Privacy and Electronic Communications Regulations, but known to marketers as PECR.
It has specific rules for marketing over electronic channels. It states that you need consent to contact consumers via email or SMS, unless someone has bought from you before, and then only for similar products or services.
Bear in mind that many privacy activists perceived final GDPR text to be watered down and have therefore focussed their attentions on ePrivacy.
Parliamentary discussions
The DMA has been working with our EU partners to ensure that ePrivacy is a balanced piece of legislation that doesn’t neglect the economic contribution of marketing and innovation in technology.
EU legislation is proposed by the EU Commission and then amended by the Parliament, who are directly elected, and the Council of Ministers, who represent the individual members. Once both institutions have decided on their version of the text, they then enter what is called Trilogue negotiations, where a final text is agreed upon.
The EU Parliament was divided on the issue. Roughly half of the Parliament voted against ePrivacy, claiming it could hamper Europe’s economy. It was passed by a narrow margin with only several votes in it. All this weakened the mandate of the Parliament.
The Council of Ministers now had to debate their own amendments to the text. They too, were very unhappy with the sloppy drafting of the ePrivacy Regulation. The text is ambiguous and many countries at the Council of Ministers were struggling to grasp the rationale behind the ePrivacy Regulation, having just spent years creating the gold standard in data protection law, GDPR.
As a result, the Council are making slow progress. It is unlikely that they will approve their own version of the ePrivacy Regulation until later this year, probably in the autumn.
Marketers won’t be complaining though, as the draconian legislation poses a threat to various business models.
Calling for consent
The ePrivacy Regulation, as currently worded, would require an opt-in consent for all electronic marketing over email or SMS, whether it’s to consumers or business contacts. A dramatic change for B2B marketers, who have never had to ask for consent before.
This is an odd change of policy because it isn’t something that businesses are calling for and because of its effect on competition. Requiring consent would make it much harder for SME’s to reach out and find new business. Empowering large companies that already have a large amount of consented first party data.
For example, imagine that a new cleaning company is seeking new clients. Under the ePrivacy Regulation it would not be able to send emails to hotel managers without their prior consent, severely hindering the cleaning company’s ability to attract new clients.
This is not all. Perhaps the biggest impact will be felt in the world of digital marketing, where internet browsing companies will become the gatekeepers of online targeted advertising.
This is because ePrivacy is requiring prior consent for the use of cookies and it wants the browsers to design some sort of functionality to support this aim. Unhelpfully, the text doesn’t provide any more detail.
A soft opt-in
However, the Council version of the text does give a few reasons to be optimistic. The latest version of the text does not limit the existing customer soft opt-in to email anymore. It could be used via SMS, MMS or a service like WhatsApp.
That said, the Council also leave it up to individual countries to decide whether the existing customer soft opt-in should be time limited. An arbitrary time limit should not be imposed because it doesn’t take account of what someone is buying. Hopefully the UK would not impose a time period.
Hence, why the slow but positive progress made by the Council is appreciated. The DMA continues to focus its lobbying efforts on the UK negotiating team working hard to secure a more balanced text.
The ePrivacy Regulation go live?
Well, it will likely have a one year grace period, unlike the GDPR which had a two year grace period. If the Council agree their version of the text this Autumn, then Trilogue negotiations could begin in 2019 with the regulation being approved before the EU Parliamentary elections in May. This would mean ePrivacy would be enforceable between March-May 2020. However, if ePrivacy isn't approved before the Parliamentary elections, then this will significantly delay progress.
This is an estimation and it is subject to change – so do keep an eye on the DMA website and emails.
Some of you may have noticed that this timeline may put the date after Brexit, which will happen in March 2019.
This complicates matters further because the transitional arrangements for the UK post-Brexit are yet to be decided. However, the UK Government has indicated that data protection is one policy area where there will be alignment between the UK and EU.
The UK wants to continue to trade personal data freely with other EU nations, as organisations are currently free to do.
If it wants this then it will need to achieve adequacy status or a new bespoke deal equivalent to it. Adequacy status requires a nation to have essentially equivalent data protection safeguards to the EU. Aligning with the EU on data protection would smooth this part of the Brexit negotiation.
Rest assured that the DMA, working with FEDMA, continues to lobby at a UK and EU level to ensure that the ePrivacy Regulation strikes the right balance between the privacy and the legitimate interests of businesses and innovation.