The Electronic Communications Directive 2002/58/EC is more commonly known as the E-Privacy Directive. It is a set of laws pertaining to privacy and the protection of data and is designed to regulate things like information confidentiality, spam, cookies, and the appropriate handling of online traffic data. The Directive has been amended several times since being passed in 2002, but it is only recently that an entirely new set of internet privacy laws have been proposed.
In January, a regulation was proposed to act as a significant amendment to the existing E-Privacy Directive. It is known as the Regulation on Privacy and Electronic Communications. This regulation, which is still being discussed in Parliament, sets forth a new set of rules pertaining to the confidentiality of electronic communications.
Information Leak
A draft of the proposed Regulation was leaked to the public prior to its official release. This leaked draft included stipulations regarding how communications content and metadata should be processed, allowing marginally wider uses of data than the previous data privacy laws. As was indicated in the leaked document, the official proposed regulation includes an exemption for any cookies required for first-party analytics.
Additionally, the document set forth some new regulations as to user consent, stipulating that all forms of e-marketing will continue to be required to obtain each user’s informed consent and offer the possibility of opting out of future communications. It also made some changes to transparency requirements on telemarketing calls.
The leaked draft also expanded the scope of current data protection laws to include OTT providers and VOIP services. IOT and machine-to-machine communications are also covered under the new regulation. The officially released draft maintains the majority of these changes.
Third-Party Tracking
Third-party tracking refers primarily to cookies and other online tracking technologies. While the old E-Privacy Directive relied on implied consent, the new regulation would require that users opt into any third-party online tracking.
In addition to changing the level of control users have over offering consent to online tracking, the new proposed regulation also suggests that all internet users be offered a larger number of privacy options. New web browsers will have to actively obtain permission from users to install and activate third-party tracking systems, while those already in existence will have to obtain consent by the 25th of August, 2018, at the latest.
Direct Marketing
Under the proposed regulation direct marketing, including email campaigns and SMS marketing, will also require the informed and unambiguous consent of users. Similarly, users will have to be informed of the specific nature of any communications being used for marketing purposes.
Telemarketers will be required to use a designated prefix in order to indicate that any calls being made from the number are being used for marketing purposes. They may also choose to display their phone numbers rather than use the prefix. In either case, the intent is to allow users the ability to block telemarketing calls.
Extra-Territoriality and Fines
Like the old E-Privacy laws, the proposed regulation would apply to any online entities providing publicly-available online communications or data collection services. Businesses or entities that fail to comply with the new regulation would be subject to a fine of as much as 4% of their annual turnover.
Businesses that currently make use of digital marketing and online data gathering will find this fine unsurprising. It is a holdover from the previous E-Privacy Directive.
Questions and Concerns
The proposed regulation has already attracted criticism from those in the advertising industry and the digital media sector more generally. Many believe that the ability to outright reject third-party tracking measures like cookies could lead to a substantial reduction in online advertisers’ audience in Europe.
In addition to placing new limitations on advertising potential not covered under existing E-Privacy laws, though, the proposed regulation also reduces the number of restrictions on how telecommunications companies are allowed to use the data that is collected. This could well change the way that online advertisers operate, allowing the potential for new uses of data for digital advertising purposes. The European Parliament and a specialized council for review are both considering concerns being raised by both the online advertising industry and consumer advocacy groups.
Effective Date
The official draft of the proposed regulation specifies the 25th of May, 2018, as its effective date. This is a fairly ambitious goal, given that the regulation would impact just about any business that engages in direct marketing via the internet, uses online tracking technologies, or provides any type of communication service. The changes it makes to the previous E-Privacy Directive are more substantial than previous amendments.
For the sake of comparison, keep in mind that the previous E-Privacy directive took more than four years to pass. The new regulation’s stipulations regarding communications data and online tracking are set to be implemented over the course of just one month. Any businesses using online marketing, tracking, or communications would be well-advised to begin planning now.
Business owners would also be well-advised to keep track of the changes being made to these new E-Privacy laws while they are moving through Parliament and the council. Both consumer interest groups and industry advocates could still have a substantial impact on how this new E-Privacy regulation changes as it moves through these legislative bodies.
