ePrivacy Regulation

You may (or may not) have just recovered from complying with the General Data Protection Regulation (GDPR). Get ready for another round of adjustments to your privacy practices. The EU ePrivacy Regulation could mean big changes to how your company advertises online.

Let's take a look at how the ePrivacy Regulation is likely to affect businesses.

Understanding the ePrivacy Regulation

The ePrivacy Regulation will replace the ePrivacy Directive (sometimes known as the "Cookies Directive"), which has been law since 2002.

It's worth noting that, like the ePrivacy Regulation, the GDPR is also a regulation that replaced a directive (the Data Protection Directive). The impact of this change is likely to be equally significant in certain sectors.

What's the Difference Between a Directive and a Regulation?

So, while the old law was a directive, the new law will be a regulation. What's the difference, and why is this changing?

A directive is a set of objectives that EU Member States (EU countries) must meet. A directive is addressed to Member States. It describes the sorts of national laws that Member States must pass. Then it's up to the Member States to pass those laws.

A regulation goes directly into effect in Member States. There's generally no need for Member States to pass national laws to give effect to a regulation. However, sometimes Member States are required to pass national laws to implement certain parts of the regulation.

If the national law of a Member State contradicts an EU regulation, the regulation takes priority.

The ePrivacy Directive is imposed differently across Member States. For example, in the UK's version is the Privacy and Electronic Communications Regulations (PECRs). In Ireland, somewhat confusingly, it's called the ePrivacy Regulations (available here).

These national laws are all different. So a regulation will make things simpler for businesses that operate across borders or deal with businesses from multiple EU countries.

As European Commissioner Andrus Ansip puts it:

"All this will mean the same level of protection for everyone in the EU. It also cuts red tape for European businesses. They will have just one set of rules to deal with, not 28."

It's worth noting, however, that the ePrivacy Regulation does allow Member States to implement some rules differently at national level. Each draft seems to afford Member States greater flexibility.

When Will the ePrivacy Regulation Come into Force?

The ePrivacy Regulation was due to pass in May 2018, at the same time as the GDPR came into force.

The ePrivacy Regulation has been pushed back several times, and is now expected at some point in 2019. But don't hold your breath. This law is the subject of industry lobbying and institutional debate that could delay it even further.

It's also worth remembering that once the law finally passes, there's likely to be a transition period before it comes into force. For the GDPR, this was two years.

The ePrivacy Regulation and Cookie Consent

The ePrivacy Regulation will make several significant changes in the area of cookie consent. It will also unify the rules, which are currently interpreted slightly differently in different Member States.

Less Strict Rules on Cookie Consent

The current rules on cookie consent come from the ePrivacy Directive. All cookies require consent, except from those covered under an exemption.

Exempted cookies that do not require consent include those that are:

  • Used to facilitate communication over a network
  • Necessary to provide a service that a user has requested (e.g. "remember my username")

This means some very useful and non-intrusive cookies require consent - whether or not the cookies involve personal data. This includes cookies used for analytics (even first-party analytics), optimization and load-balancing.

The ePrivacy Regulation proposals include some new exemptions. Websites will no longer need consent for cookies that are necessary for:

  • Audience measuring
  • Security and fraud prevention
  • Debugging
  • Providing software updates
  • Locating a device in an emergency

All of these exemptions will be subject to restrictions, for example on how long the cookie can be stored. But these proposals appear less strict than the current law.

Tracking cookies (and other tracking technologies such as web beacons) will still require consent.

Cookie Walls

"Cookie walls" are a particularly controversial way of getting cookie consent. Some Member States, such as Sweden, allow cookie walls under national law.

Will the ePrivacy Regulation Allow Cookie Walls?

It appears that the ePrivacy Regulation will allow cookie walls under certain conditions.

A May 2018 draft of the ePrivacy Regulation explicitly permitted cookie walls for all websites providing a non-essential service (e.g. Government websites). Recital 20 of this draft stated that:

"Access to specific website content may still be made conditional on the consent to the storage of a cookie or similar identifier."

This section was replaced in a February 2019 draft of the Regulation. This draft suggests that a cookie wall could be acceptable if the user is given a choice between paying for a service or consenting to cookies.

Certain companies already do this. For example, here's what greets EU visitors to the Washington Post:

Washington Post subscribe page with different options and consent to cookies highlighted

EU visitors to the Washington Post website have the option to consent to cookies or pay a subscription.

This model of cookie consent is problematic under the current law. You must implement a cookie consent solution and maintain a Cookies Policy that complies with the ePrivacy Directive and the GDPR.

However, cookie walls that offer a paid alternative to consent, like the Washington Post's, could be permitted under the ePrivacy Regulation. Cookie walls that offer no alternative to consent are likely to be forbidden across the whole of the EU.

Browser-Based Opt-Outs

If you want to use tracking cookies, some sort of cookie banner is required by law. However, they unpopular among some people. The ePrivacy Regulation will bring some changes regarding how users consent or object to cookies via their browser settings.

Early drafts of the proposals would have forced browser software companies to explain cookies to their users during the setup process. Users could then block or consent to all tracking cookies by default.

This would have been highly problematic for online advertisers. It would also sit uneasily with the GDPR's requirement that consent is "specific."

This has been watered down in the February 2019 draft of the proposals, which states that web browser providers

"are encouraged to ensure that end users can easily set up and amend [cookie] white lists and withdraw consent at any moment in a user-friendly and transparent manner."

This should allow users to manage their cookie consents via their browser settings. But it's not likely to spell the end of online advertising as we know it.

Natural Persons and Legal Persons

The GDPR only protects "natural persons." This means identifiable, living individuals. It's all about "personal data," which is data about natural persons.

The GDPR doesn't protect "legal persons." A legal person is an entity with certain legal rights. It can enter into contracts, take you to court, and lobby the government. But it's not a human.

So, for example:

  • Google is a legal person. Google's CEO, Sundar Pichai, is a natural person.
  • Calvin Klein, the corporation, is a legal person. Calvin Klein, the fashion designer, is a natural person.

The GDPR sets rules for both natural persons and legal persons. But it only protects personal data. Sundar Pichai and Calvin Klein (the fashion designer) have personal data. Google and Calvin Klein (the corporation) do not.

The ePrivacy Regulation is about electronic communications. It protects the privacy of electronic communications whether they contain personal data or not. In this way, the ePrivacy Regulation protects both natural persons and legal persons.

Therefore, the ePrivacy Regulation sets rules for how businesses communicate with other businesses.

Is Consent Required for B2B Direct Marketing?

A leaked early draft of the ePrivacy Regulation suggested that all B2B direct marketing might require opt-in consent. This led to a lot of panic and heavy lobbying from B2B marketing companies.

This is not true in the most February 2019 draft. But the rules are changing.

To understand the new rules, consider the difference between sending direct marketing emails to the following three email addresses:

  1. [email protected]
  2. [email protected]
  3. [email protected]

The current rules apply to email addresses 1 and 2. These both contain personal data - even though 2 is a corporate account. So, even if you're sending B2B communications to email addresses 1 or 2, the owner has rights under the GDPR since you are processing their personal data.

The current rules don't cover email address 3. This is non-personal data belonging to a legal person.

The February 2019 draft of the proposals would not require consent for all B2B direct marketing. However, businesses will need to respect the "legitimate interests" of legal persons. The Regulation would allow EU Member States some flexibility to make their own laws in this area.

This means that emails sent to email address 3 (above) will probably need to contain an unsubscribe mechanism.

It might also mean that unsolicited B2B direct marketing communications (without a pre-existing business relationship involved) could require consent.

Summary

The ePrivacy Regulation will have many implications for small businesses. It will:

  • Bring greater certainty and consistency across the EU
  • Change the requirements around cookie consent
  • Impose stricter rules around consent for direct marketing in some countries
  • Require businesses to take greater care when marketing to other business