Even if you're already complying with the EU's General Data Protection Regulation (GDPR), there's another law on the horizon that you must be aware of, and that's the ePrivacy Regulation (ePR).
The ePR is not yet in effect, which means this is the perfect time to familiarize yourself with the draft legislation and how it could affect your business practices.
Below, we break down what you need to know about this regulation and how to comply with it.
- 1. What is the ePrivacy Regulation?
- 2. Are EU Regulations and Directives the Same?
- 3. Will the ePrivacy Regulation Replace the ePrivacy Directive?
- 3.1. What Happens to the GDPR Once the ePR Comes Into Force?
- 4. How Does the ePrivacy Regulation Work?
- 5. What the ePrivacy Regulation Controls
- 5.1. Cookies
- 5.2. Marketing
- 5.3. B2B Marketing
- 5.4. Confidentiality of Communications
- 6. How Do Businesses Comply With the ePrivacy Regulation?
- 6.1. Use Cookie Walls With Caution
- 6.2. Know When to Use Cookie Banners
- 6.3. Prove "Legitimate Interest"
- 6.4. Perform Data Protection Impact Assessments
- 7. Penalties for Non-Compliance With the ePrivacy Regulation
- 8. Summary
What is the ePrivacy Regulation?
The ePrivacy Regulation is an EU law which aims to set new rules around how businesses can communicate with customers, market their services, and process electronic communications data.
"Electronic communications data" includes:
- Personal data: Information companies can use to identify individuals
- Content: Anything exchanged or communicated online such as videos or emails
- Metadata: Data about a communication rather than its content, such as who contacted whom, when, from where, and for how long
In many ways, the ePR is similar to the existing ePrivacy Directive, also known as the "Cookie Law."
However, there are some key differences between these two:
- The ePrivacy Regulation is broader in scope and covers both personal and non-personal data.
- The ePR may make it easier for businesses to use some types of non-essential cookies without getting user consent (more on this below).
- As an EU Regulation, the ePR takes precedence over any EU Directive, including the Cookie Law.
While there's no set date for when the ePrivacy Regulation will come into force, at the time of writing it could become law as soon as 2022.
Are EU Regulations and Directives the Same?
No, they're quite different.
An EU Regulation is directly applicable: it's legally binding in its entirety in every Member State the moment it comes into force, with no national implementing law needed, and it takes precedence over conflicting national law. In other words, the same text applies in the same way across the EU.
An EU Directive is binding as to the result it requires, but each Member State decides how to transpose it into its own national law within a set timeframe. Because transposition varies, the same Directive can end up being applied quite differently from one country to another.
As mentioned, the ePR is a Regulation, so it applies equally across Member States and is legally binding in full.
Will the ePrivacy Regulation Replace the ePrivacy Directive?
Yes. The draft ePR expressly repeals the ePrivacy Directive, and in any case EU Regulations take precedence over EU Directives, so any national law implementing the Directive that is incompatible with the Regulation will be overruled.
What's more, there are significant differences in how Member States apply and enforce the ePrivacy Directive, which can be confusing.
The ePrivacy Regulation is designed to solve this problem by harmonizing and unifying privacy laws across Member States. This is actually good news for businesses because it's easier to comply with one set of rules rather than laws which vary by country.
What Happens to the GDPR Once the ePR Comes Into Force?
Nothing. The GDPR is a standalone Regulation. Your business will need to comply with both the GDPR and the ePrivacy Regulation once it comes into effect.
Now we're clear on where the ePrivacy Regulation stands in law, let's consider how the EU Regulation works and how you might comply with it.
How Does the ePrivacy Regulation Work?
The ePrivacy Regulation essentially sets out a new, improved privacy framework for protecting electronic communications.
As mentioned above, electronic communication is any exchange which takes place online, including emails and instant messages.
- Some electronic communications might include personal data, such as a name, telephone number, email address, or IP address.
- Other electronic communications might not contain any personal data. An example might be a cookie or web beacon which contains useful information, but none of it can be used to identify a living person.
So, if you collect any data from an end-user in the EU, even if it's anonymous or can't be used to identify someone, it falls within the scope of "electronic communications data," and you must comply with the ePrivacy Regulation.
What the ePrivacy Regulation Controls
The ePrivacy Regulation tackles four specific issues relating to electronic communications.
Cookies
Cookies are small text records (name/value pairs with attributes such as expiry and scope) that a website sets in the visitor's browser and that the browser sends back with later requests to that site. They're typically set when someone performs an activity, such as logging into their account or adding an item to their cart, and some are set by third parties for advertising or analytics.
Here's an example of a cookie banner from Sky:
The ePrivacy Regulation will change the rules slightly.
- You won't need consent to use non-essential cookies if they're used solely for web security or audience measurement.
- Users will be able to "whitelist" certain types of cookies which they're happy to accept, which gives people control over how many cookie banners they'll see.
- Cookie walls, which prevent people from accessing a website unless they accept certain cookies, will still be okay if you provide a viable alternative.
Marketing
Under the GDPR's Article 6(1)(f), you don't need consent to send marketing communications if you can demonstrate a "legitimate interest."
As it stands, you'll still be able to rely on a legitimate interest under the ePR, which means you won't always need consent to send certain marketing communications.
B2B Marketing
The GDPR only protects the personal data of living, natural ("real") persons. So, for example, it protects individual consumers but not companies.
The ePrivacy Regulation, on the other hand, also lays out rules for how businesses communicate with each other. It extends EU privacy law to protect "legal persons" (companies) as well as natural persons.
Confidentiality of Communications
Essentially, all communication which takes place online should be confidential. For example, a social media website won't normally have the right to intercept messages sent between users, and so on.
Under the ePrivacy Regulation, though:
- Businesses can intercept or inspect communications exchanged online where that's necessary to protect the security of their systems and services.
- Communications metadata (who communicated with whom, when, and from where) can be processed in certain circumstances without consent.
In other words, businesses can sometimes legally access some communications data which would otherwise be confidential.
How Do Businesses Comply With the ePrivacy Regulation?
Based on what we know so far, here's how you can comply.
Use Cookie Walls With Caution
A cookie wall is a banner which pops up when someone visits a website. The banner blocks users from proceeding unless they accept non-essential cookies onto their device.
Here's an example from Vox as to what a cookie wall might look like. As you can see, there's no option to reject or amend cookies, but only to accept them. This is not a good way to do things:
Under EU privacy law, consent to non-essential cookies is invalid unless it's freely given. So, cookie walls are now very uncommon.
However, under draft Recital 20aaaa of the ePrivacy Regulation, cookie walls may be acceptable if the business provides an alternative service for users who don't wish to accept non-essential cookies.
What constitutes an alternative service, though, is open to debate, so be very cautious about using cookie walls of any kind.
Know When to Use Cookie Banners
Under the ePrivacy Regulation, it will be possible for users to "whitelist" certain types of cookies so they don't need to manually accept or reject cookies each time they visit a website. The issue for businesses, however, is that it's unclear when web browsers will introduce these new settings. So, in the meantime, you should use cookie banners.
A cookie banner is a notice shown on a visitor's first visit that asks for a consent decision before any non-essential cookies are set. Unlike a cookie wall, it doesn't have to block access to the site.
A compliant cookie banner should include:
- A mechanism for users to accept or reject non-essential cookies, with rejecting no harder than accepting, and no non-essential cookie set until the user has actually accepted
Here's an example of a cookie banner from AVG:
Right now, you should continue to use cookie banners like this unless the law expressly changes or at least until browsers update their settings. This is the best way to ensure you're getting free, express, and informed consent to non-essential cookies.
Remember, you should always get consent to using cookies unless they're essential or fall within the new exceptions e.g. necessary for security purposes.
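As an added example (not code from the original article), here is a consent gate in JavaScript that puts the rules above into practice: essential cookies are set unconditionally, every other cookie is refused until a recorded decision allows its category, "reject all" is exactly as easy as "accept all", and an earlier consent record stops counting when the cookie policy version changes. The cookie names, categories and policy version are hypothetical, and the in-memory store and cookie sink stand in for localStorage and Set-Cookie/document.cookie so the example runs outside a browser.

```javascript
// Hypothetical cookie inventory: every cookie the site sets, mapped to a category.
// Anything not listed here is refused, which forces new cookies through a review.
const COOKIE_INVENTORY = {
  session_id: "essential",   // keeps the user logged in
  csrf_token: "essential",   // request-forgery protection
  cart: "essential",         // shopping-cart contents
  _ga: "analytics",          // third-party analytics
  _fbp: "marketing",         // ad-network tracking
};

// Categories that need no consent. Under the current Cookie Law that is only
// "essential"; if the ePR's security / audience-measurement exceptions become
// law, those categories would be added here.
const EXEMPT_CATEGORIES = new Set(["essential"]);

// Bump this whenever non-essential cookies or their purposes change, so that an
// older consent record is ignored and the banner is shown again.
const CONSENT_POLICY_VERSION = 2;

// Build a cookie string with hardening attributes (Secure, SameSite).
function cookieString(name, value, { maxAge = 3600, sameSite = "Lax" } = {}) {
  return `${name}=${encodeURIComponent(value)}; Max-Age=${maxAge}; Path=/; Secure; SameSite=${sameSite}`;
}

class ConsentGate {
  constructor(store, emit) {
    this.store = store;   // persistence for the consent record (localStorage-like API)
    this.emit = emit;     // sink for cookie strings (Set-Cookie header or document.cookie)
    this.blocked = [];    // audit trail of cookies refused for lack of consent
  }

  // The stored decision, or null if there is none or it predates the current policy.
  decision() {
    const raw = this.store.getItem("cookie_consent");
    if (raw === null) return null;
    const rec = JSON.parse(raw);
    return rec.version === CONSENT_POLICY_VERSION ? rec : null;
  }

  // The banner must be shown whenever no valid decision exists.
  bannerRequired() { return this.decision() === null; }

  // Record a per-category decision together with the policy version and a timestamp.
  record(choices) {
    const rec = { version: CONSENT_POLICY_VERSION, at: new Date().toISOString(), choices };
    this.store.setItem("cookie_consent", JSON.stringify(rec));
    return rec;
  }

  // "Reject all" is one call, exactly like "accept all".
  acceptAll() { return this.record({ analytics: true, marketing: true }); }
  rejectAll() { return this.record({ analytics: false, marketing: false }); }

  // Fail closed: unknown cookies and non-exempt categories without consent are refused.
  allowed(name) {
    const category = COOKIE_INVENTORY[name];
    if (category === undefined) return false;
    if (EXEMPT_CATEGORIES.has(category)) return true;
    const dec = this.decision();
    return dec !== null && dec.choices[category] === true;
  }

  // Set a cookie only if its category is allowed; returns whether it was emitted.
  set(name, value, opts) {
    if (!this.allowed(name)) { this.blocked.push(name); return false; }
    this.emit(cookieString(name, value, opts));
    return true;
  }
}

// In-memory stand-in for localStorage so the example runs under Node.
function memoryStore() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, v) };
}

// Walk through the lifecycle with constructed inputs and return what happened.
function demo() {
  const emitted = [];
  const store = memoryStore();
  // A stale "accept all" record from policy version 1 must not count any more.
  store.setItem("cookie_consent", JSON.stringify({ version: 1, choices: { analytics: true, marketing: true } }));
  const gate = new ConsentGate(store, (s) => emitted.push(s));
  const staleIgnored = gate.bannerRequired();     // true: old record is invalid
  gate.set("session_id", "abc");                  // essential: set before any decision
  gate.set("_ga", "GA1.2.1");                     // refused: no valid decision yet
  gate.rejectAll();
  gate.set("_ga", "GA1.2.1");                     // refused: analytics rejected
  gate.record({ analytics: true, marketing: false });
  gate.set("_ga", "GA1.2.1");                     // allowed now
  gate.set("_fbp", "fb.1");                       // refused: marketing still rejected
  gate.set("tracker_xyz", "1");                   // refused: not in the inventory
  return { emitted, blocked: gate.blocked, staleIgnored, bannerRequired: gate.bannerRequired() };
}
```

The important property is that the decision is enforced at the point where cookies are set, not merely displayed in a banner: a site that shows a banner but loads its analytics tag before the visitor clicks anything has not obtained consent for those cookies.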
Prove "Legitimate Interest"
Both the ePrivacy Directive and the GDPR allow companies to send marketing communications if they prove "legitimate interest." This is expected to remain the case under the ePrivacy Regulation.
You might have a legitimate interest in sending marketing communications if:
- The person might reasonably expect you to use their data for this purpose e.g. they already purchased similar items from you, or
- There's a clear benefit to your business, even if the processing is not strictly necessary
So, even if you don't have consent, you can still send marketing messages in some circumstances.
In a B2B context, under the ePrivacy Regulation, it's unlikely you can rely on legitimate interest for messaging unless you have a prior business relationship. This means unsolicited marketing communications may be prohibited, although it's not confirmed just yet.
If you do decide to rely on legitimate interests for sending messages, make sure to include "unsubscribe" buttons in all your communications so users can opt out.
Perform Data Protection Impact Assessments
Want to rely on legitimate interest? Then you'll need to document an assessment first: a legitimate interests assessment covering the three points below, plus a full data protection impact assessment where the processing is likely to result in a high risk to individuals.
- You must have a legitimate, legal, and ethical business reason for sending the communications.
- It must be proportionate to achieve your legitimate aims. If there's a less intrusive option, you should use it.
- The impact on individuals' privacy rights should be minimal. If their rights override your interests, you must get consent instead.
Your privacy or cookie policy is also where you set out information about your cookie usage:
- What cookies you use
- Why you use them
- How users can opt out of non-essential cookies
The guidance may well be subject to change as the ePrivacy Regulation evolves, so always seek legal advice if you're unsure how the ePR affects you.
Penalties for Non-Compliance With the ePrivacy Regulation
While the penalties have not been confirmed, here is what we know of them so far.
Under draft Article 18, each Member State's supervisory authority oversees the Regulation, and draft Article 23 lets those authorities impose financial penalties for breaches of it.
Penalties could be up to 20 million Euros or 4% of a company's total worldwide annual turnover, whichever is higher, depending on the severity of the infringement.
You'll note this is similar to the penalty structure imposed by the GDPR, which is unsurprising since the EU aims to harmonize its privacy laws through the new ePrivacy Regulation.
Summary
The ePrivacy Regulation is a proposed piece of EU law which will replace its predecessor, the ePrivacy Directive ("Cookie Law").
The ePR has no impact on the GDPR, meaning you'll need to comply with both privacy laws concerning electronic communications.
Remember, the ePR isn't law yet, but to comply with the ePrivacy Regulation as it stands, you should:
- Categorize your cookies so you're clear on when you need consent
- Use cookie banners where appropriate
- Always get proper consent unless you can justify data processing on another ground e.g. legitimate interest
- Use cookie walls with caution
If you don't comply with the ePrivacy Regulation, financial penalties may apply.