On 10 January, the EU Commission proposed a new Regulation on Privacy and Electronic Communications (“proposed Regulation”) to replace Directive 2002/58 (known as the “ePrivacy Directive”).
The proposed Regulation
The proposed Regulation aims to align the rules that apply to electronic communications services with the forthcoming General Data Protection Regulation (GDPR).
As anticipated from the draft leaked before Christmas, the proposed e-Privacy Regulation addresses rules on the confidentiality of electronic communications. Additionally, and for the first time, over-the-top (OTT) communication service providers, such as VoIP, are brought within its scope.
The key changes set out are as follows:
1 Third-party tracking (cookies and other similar technologies)
Under the proposed Regulation, web browsers need to ask end users to opt-in to tracking via their privacy settings (in recognition that under the GDPR, consent must be “freely given, specific, informed and unambiguous”). This marks a departure from the current practice of “notification and implied consent,” which is generally achieved via cookie banners.
Privacy Settings Options
Providers of software that permit electronic communications (e.g. web browsers) must inform users of their option in preventing information being stored on their devices, as well as how users may prevent such providers from processing information already stored on their device(s). Furthermore, the proposed Regulation suggests that users be offered a number of privacy setting options, ranging from “never accept cookies” and “reject third party cookies” to “always accept cookies.”
Web browsers must ask users if they wish to allow third-party tracking to be activated upon installation. Where web browsers are already installed, consent must be requested at the time of the next update or, at the latest, by 25 August 2018.
2 Direct Marketing and Telemarketing
Telemarketing phone calls will need to display their phone number, or use a special prefix to indicate that the call is for telemarketing purposes. In that regard, users must have the ability to block calls with such prefixes.
In accordance with consent rules under the GDPR, to engage in direct marketing, advertisers will need to obtain “freely given, specific, informed and unambiguous” consent from users, including for email and SMS marketing. In addition, users must be informed of the marketing nature of the communication.
The GDPR will introduce a tiered framework for penalties and the proposed Regulation follows suit; fines of up to EUR 20 million or 4% of annual global turnover for security breaches, with a maximum fine of EUR 10 million or 2% of annual global turnover for unsolicited marketing messages.
Commercial considerations and concerns
Concerns have already been raised by many in the advertising industry and digital media sector about the potential restrictive effect of the proposed Regulation, particularly regarding online behaviour advertising. Critics argue that allowing users to select browser settings to reject third-party tracking at the outset could lead to a significant reduction in the online advertising audience in Europe.
There are, of course, some benefits, as the proposed Regulation provides fewer restrictions on the way telecoms companies may use the data that they collect about their customers, with the potential for monetising such data via digital advertising.
Watch this space…
The proposed Regulation is now before the European Parliament and the Council for review, with the approval of both bodies required for the new legislation to take effect. The Commission seeks to have the proposed Regulation come into force in tandem with the GDPR on 25 May 2018 – an ambitious aim considering the various concerns raised by both consumer rights groups and industry to date.
No doubt new issues and concerns will come to the fore as these proposals are further scrutinised by these legislative bodies, industry and consumer interest groups. Keep an eye out for our future blogs on this topic.