The official draft of the new ePrivacy legislation is not expected to be published by the European Commission until January 2017; however, a leaked draft has given many of us an unexpected festive read.
Michael Bond, Data Protection and Privacy Advisor at News UK, commented: “this leaked draft of the ePR shows a significant strengthening of consumer rights, despite heavy lobbying from Industry, and frankly I’m not surprised. There is of course still time for changes to be made before the ePR’s official unveiling in 2017, but unless there is an eleventh-hour reprieve, industry, and especially Ad Tech companies, are going to have their work cut out to comply or face serious sanctions.”
The leaked text sheds some light on what we can expect.
A REGULATION NOT A DIRECTIVE
The new ePrivacy ‘Regulation’ is set to replace the 2002 ePrivacy Directive (amended 2009), which gave us the UK’s Privacy and Electronic Communications Regulations (PECR). Currently electronic communications rules vary widely across EU Member States and therefore a Regulation is being proposed with the aim of harmonising rules across the EU.
SCOPE OF THE NEW REGULATION
The Regulation would apply to “the processing of electronic communications data processed in connection with the provision and the use of electronic communications services and to information related to the terminal equipment of end users” and as with the General Data Protection Regulation (GDPR), this would apply regardless of whether the processing takes place within the EU or not.
OTTs AND VoIP TO BE INCLUDED
Massive technological developments in recent years mean a review of the 2002 ePrivacy Directive is seen as long overdue. The leaked text makes it clear that the proposed Regulation would be extended to cover so-called ‘Over the Top’ service providers (OTTs), which include instant and social media messaging services such as WhatsApp, and ‘voice over internet protocol’ providers (VoIPs) such as Skype. Soon these providers will fall under the same EU laws as telephone calls, email communications and SMS messages.
OPT-INs AND OPT-OUTs FOR DIRECT MARKETING
Email & SMS
Unsurprisingly, as with the current ePrivacy Directive, whenever electronic communications services are used to transmit direct marketing via email or SMS, prior consent must be obtained (i.e. opt-in).
‘Soft opt-in’ to stay
It’s proposed that the so-called ‘soft opt-in’ will be retained in limited circumstances. The draft text states: “It is reasonable to allow the use of email contact details within the context of an existing customer relationship for the offering of similar products and services.”
Article 16 of the leaked draft text states: “Where a natural or legal person obtains from its customers their electronic contacts details for electronic mail, in the context of the sale of a product or a service, in accordance with Regulation 2016/679/EU, the same natural or legal person may use these electronic contact details for the direct marketing of its own similar products, or services only if customers are clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use. The right to object shall be given at the time of collection and on the occasion of each message.”
The text omits the current PECR wording allowing the soft opt-in to be used in the context of “negotiations for a sale”, which will limit its application.
The text requires that promotional messages should carry an unsubscribe message. End users may withdraw consent at any time and, in a new requirement, be given the possibility to withdraw their consent every 6 months.
The draft text also states: “When such data is used for direct marketing ad profiling, the end-user shall have the right to object as provided for in Article 21 of GDPR”.
The leaked text proposes prior consent for ALL electronic communications, including live marketing calls. However, surprisingly given the level of consumer dislike of telemarketing calls (the ePrivacy consultation process found 90% of consumer groups and activists favoured opt-in for direct marketing calls), there may be a provision allowing Member States to adopt an opt-out consent regime at a national level. This would mean the UK could keep its existing approach (with the requirement to screen against the Telephone Preference Service).
Under existing legislation, rules surrounding communications directed at corporate subscribers have been more relaxed, but this is an area that looks set to change, with the current distinction between corporate and individual subscribers being removed. The requirement for opt-in is therefore likely to be extended to include direct marketing communications sent to business end-users.
The DMA has published its lowdown on the leaked copy of the revised ePrivacy Directive.
The leaked draft text proposes limited exemptions; for example, there would not be a requirement to gain prior consent if cookies are just being used for configuration purposes, such as keeping a website stable when items are added to a shopping basket, or for first-party tracking.
However, for other purposes the Regulation would introduce a stricter regime, which includes proposals such as:
• ‘opt-in’ consent must be obtained prior to cookies being served
• applying rules to all end-users regardless of whether they are corporate or individual subscribers
• third party cookies should be prevented by default
• extending cookie consent rules to device fingerprinting
FINES IN LINE WITH GDPR
It’s proposed that fines for failing to comply with the Regulation would be in line with the provisions set out in the GDPR. Financial penalties could therefore be up to 20 million Euro (or 4% of total worldwide annual turnover).
ONLY A 6 MONTH LEAD-IN
When GDPR was finally agreed, organisations were given two years to prepare ahead of implementation on 25th May 2018. However, it’s proposed that once finally adopted the ePrivacy Regulation will only have a six-month lead-in period, leaving organisations with a tight timeframe in which to adapt. It’s likely the EC will endeavour to implement the regime at a similar time to GDPR, meaning the UK is likely to adopt the Regulation despite Brexit.
Let’s not forget that this is a leaked draft and there are areas which may be subject to change. What isn’t in doubt is that organisations face a tricky eighteen months ahead to ensure compliance with not one but potentially two new Regulations.
Published December 2016
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.