Whilst the new GDPR regulation has dominated headlines and discussions for some time now, another new EU regulation – the ePrivacy Regulation – hasn’t received quite the same level of coverage but is just as important.
On 10 January 2017 the European Commission published its draft Regulation on Privacy and Electronic Communications (the ePrivacy Regulation), which is intended to replace the existing ePrivacy Directive.
The proposed regulation is designed to strengthen the protection of EU citizens’ private lives, and create new opportunities for business. Major topics addressed in the ePrivacy regulation include the much debated use of and practices related to cookies, as well as marketing message opt-in requirements. It has not yet been finalised but once released, the ePrivacy regulation is expected to replace the existing ePrivacy directive, applying directly across all EU markets and will work in tandem with the GDPR.
Currently, it’s expected to come into force around six months after the GDPR on 25 May 2018 but could be as late as 2019, depending on how much revision it needs.
You may already have heard of the ‘cookie law’, which is what the previous ePrivacy directive was colloquially known as. But the enhanced regulation has a much broader scope in light of technological developments and the unprecedented amount of data involved in ‘the Internet of Things’ (IoT).
The previous directive covered communication channels of the time, such as cookies, email and other electronic communications channels, however the new regulation now mentions new electronic communication channels including instant messaging apps such as Facebook Messenger, WhatsApp and Snapchat and VoIP providers such as Skype.
The aim is to provide more stringent consents over these channels – both for the content of the communications and the metadata (data processed by the electronic communications network for the purpose of transmitting, distributing and exchanging the content) attached to those communications.
The proposals therefore focus on clarifying and simplifying the consent rules to make it easier for end-users to accept or reject cookies and other identifiers through adjusting the privacy settings on their web browsers.
Cookies are designed to enhance the customer experience – so what happens to the customer experience when customers block cookies from their browsers? It’s also possible that the cookie banners will disappear only to be replaced with intrusive privacy notices instead.
It’s unknown at this point to what extent different types of cookies will be regulated – for example, it’s been intimated that cookies required for analytics or for improving the site experience won’t be counted – but until the regulation is finalised, we won’t know for definite.
Property companies will still be able to use the ‘soft opt-in’, although it can only be retained in limited circumstances. This means that consent is not required if you are sending marketing messages about similar products and services to your customers/clients or those you have negotiated with to provide products or services, as long as:
This processing is not based on consent, but rather the legitimate interests processing condition and can only be relied up on by the organisation that collected the contact details, not third parties.
With the ePrivacy Regulation still to be finalised, it’s tempting to focus purely on GDPR compliance but it’s important to factor in how the ePrivacy regulation will impact how we work and collect and store data and implement proper practices now.
Note that this article represents the views of the author solely and is not intended to constitute legal advice.