While the data protection community has been busy grappling with the GDPR, another piece of legislation could have an even more significant impact. This is the new ePrivacy regulation, which is likely to substantially effect online advertising, direct marketing, media and digital services.
Despite unprecedented lobbying to try and dilute the original draft published in January 2017, a report has now been agreed by the EU Civil Liberties Committee (LIBE). This proposes strict rules, which could have far-reaching consequences. Although this signals the direction of travel of the regulation, there is still room for manoeuvre as the final position has yet to be agreed.
The impact specifically on digital advertising could be substantial if the text remains unchanged, Yves Schwarzbart, Head of Policy and Regulatory Affairs is urging further consideration, “People’s concerns around data and privacy are real and of great importance to everyone involved in digital advertising. They have to be weighed against the £10 billion worth of income digital advertising generates for publishers and content creators in the UK alone. In the coming months of negotiations, the European Parliament and EU Member States must ensure that advertising can continue to power the internet in the important and powerful way it currently does under the future ePrivacy Regulation, taking full account of any unintended consequences, and the fact that as an industry we continuously work to give people greater transparency and control over their data through AdChoices and implementing the General Data Protection Regulation.”
The aim of the ePrivacy Regulation is to modernise Directive 2002/58/EC (amended 2009) which gave us the UK’s Privacy and Electronic Communications Regulations (PECR), to ensure rules both reflect today’s technological reality and are aligned with the GDPR.
The European Commission sets out the broad aims of the Regulation as being to enhance communications security and confidentiality, to define clearer rules on tracking technologies (e.g. cookies) and to achieve greater harmonisation among Member States.
Crucially the scope of the Regulation will apply to e-communication services to end-users in the European Union, irrespective of whether the user pays for that service or where the supplier of that service is based. To bring rules up-to-date, the Regulation will be broadened not to just to apply to traditional players in this arena, but also cover instant and social media messaging services, for example WhatsApp and ‘voice over internet protocol providers’ (VoIPs) such as Skype.
Tracking and Cookies
An area which is proving particularly contentious is the strict rules proposed on tracking services, which include, but are not limited to, cookies. Consent to tracking will have to be given in line with the GDPR definition, i.e. it will have to be freely given and unambiguous. The plan is to ban cookie walls which can currently block access to a website if a person doesn’t agree to his/her data being used by the site. Tracking personal devices via cookies or software updates, or tracking people without their clear approval through public hotspots or Wi-Fi will also be prohibited.
As it stands, this would restrict access to devices and severely limit the ability to drop cookies and collect information. FEDMA, in particular, had been calling for the possibility to collect information on the basis of the marketers’ legitimate interests, but this has not been included.
The regulation specifically provides for the possibility, wherever technically and feasibly possible, for consent to be given at browser level settings, to avoid what the EC terms, “the consent fatigue caused by current pop-up banners.” It also covers giving options for privacy settings that should be offered by browsers to allow users to prevent third parties from tracking online data related to their terminal equipment.
There is agreement, however, that some cookies won’t need consent. This provision will encompass what are termed “non-privacy intrusive” cookies which improve the user’s internet experience. For example, cookies that remember shopping cart histories, cookies for Google Analytics or cookies that monitor the number of website visitors. It unlikely though that cookies for online advertising will be considered as improving the user’s internet experience.
The Regulation’s core rules in respect of confidentiality will apply to both content data and metadata communications. Metadata relating to, for example, numbers called, websites visited, geographical location or time/date a call was made, is consider as having a high privacy component and should be anonymised or deleted if users don’t give their consent. This data should also never be passed to third parties.
For direct marketing communications, the main principle within the Regulation is that such communications are allowed under user consent (i.e. the user actively agreed to such communications). The “soft opt-in” exemption for existing customers to be contacted by email for similar products or services will still apply as long as an opt-out is guaranteed. There is also provision for Member States to allow for an opt-out for telemarketing calls (where data is screened against do-not-call registers, e.g. the Telephone Preference Service).
The definition of direct marketing, is facing criticism for being too broad, it will potentially encompass any advertising sent, served or presented to one or more identified or identifiable individuals. Will this apply to all advertising, and as such will consent be required and the right to object apply?
There are also widespread concerns surrounding the impact on B2B marketing. The DMA is warning, “Article 16 of the Regulation would require organisations to have a prior opt-in consent for business-to-business (B2B) corporate marketing. Currently, marketing to limited or public limited companies is carried out on an opt-out basis in the UK. Restricting B2B corporate marketing to a prior opt-in consent would prevent businesses communicating and their ability to sell their goods and services. The ePrivacy Regulation should keep the status quo where Member States can decide how to regulate B2B direct marketing.”
ePrivacy will now enter the trilogue negotiation stage, where the LIBE Committee report will be debated by the EU Parliament and the Council of Ministers before a final text emerges. It was confirmed in January that the ambition of implementing the Regulation in line with the GDPR on 25 May 2018 will not be met. A final text is anticipated later this year, or perhaps even early in 2019.
Michael Bond is the Data Protection Officer at GLH Hotels and says, “Organisations have wanted clarity on these crucial issues for some time now but it looks like we may have to be patient for a little while longer. My advice is simple; get proactive. Take the opportunity to engage with customers, suppliers, regulators and other stakeholders – start the conversation about what solutions could look like and where the pain points are. The AdTech and Marketing ecosystems are disruptors by nature… go disrupt. Whatever you do, don’t close your eyes and hope ePrivacy will go away, it won’t.”
Updated February 2018
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.