The e-Privacy Regulation: The Yin to GDPR’s Yang
There’s a new legal game changer in town: the e-Privacy Regulation. Even though you might feel like the dust has barely settled after the GDPR-storm, it’s time to take another hard look at your data processing. But don’t worry – I’m here to give you the tools you need to hack it.
So, you have been stressing over GDPR (General Data Protection Regulation) for the last year. Maybe you feel that you finally managed to get your head around it, and now you are reading this blog post and thinking – “oh no, back to square one…”? I would like to stop you right there.
The purpose of this post is not to cause you any more stress or panic. Rather, my main goal is to inform you and to provide you with the right tools to prepare for the upcoming e-Privacy Regulation (“ePR”), which aims to achieve clearer rules on opt-ins and on tracking technologies, such as cookies.
Consequently, and in combination with GDPR, it will provide a complete and consistent legal framework for citizens and companies within the EU.
Why Do We Need The e-Privacy Regulation?
During 2002, the European Commission enforced the current e-Privacy Directive with the aim to harmonise the national rules on e-communications (e.g. email, chat, phone and etc) confidentiality.
Unfortunately, that aim was far too optimistic. It failed to recognise how quickly the digital world was developing and that telecommunication services, such as phone calls and SMS, were soon to be dominated by advanced ‘Over The Top’ (“OTT”) services, such as instant messaging and Voice over IP (e.g. WhatsApp, Facebook, and Skype).
To add fuel to the fire, the EU Commission failed to identify the correct legal form, which resulted in the EU Member States enacting differing approaches across all Member States, leading to uncertainties amongst companies and a lack of equivalent level of protection for all European citizens.
Whilst the goal was to enforce ePR at the same time as GDPR (25th of May 2018), it, unfortunately, received over 800 amendments on the first proposal, which made the timeframe a tad too unrealistic.
However, when the proposal is ready to be adopted, the transition period will only be six months, unlike the two-year transition period for GDPR. Therefore, it is wise to prepare early so you set off for smooth sailing through the havoc!
How Will the e-Privacy Regulation Be Applied in the European Union?
So, what is changing? First and foremost, the current Directive will be replaced with a Regulation. This will result in a more cohesive application of the rules across all Member States since the Regulation must be applied in its entirety.
Similarly to GDPR, it does not matter whether the electronic communication data is processed outside the Union. The Regulation will be applied as long as the end-user is within the Union, and regardless of whether the end-user is required to pay for the service or not.
The e-Privacy Regulation Will Impact Your Cookie Tracking
The area that has been heavily discussed are the areas of tracking technologies, specifically cookies and cookie consents (I mean… the law is not known as the “cookie law” for nothing).
Tracking technologies are wonderful tools that could assist you in providing your customers with a more pleasant browsing experience, but there is still a huge gap in the market where companies are using cookie banners incorrectly and/or are bombarding users with pop-ups.
Therefore, there has been a suggestion that a “cookie accept” could actually be given at a level of browsing settings if it was technically possible in order to stop the nuisance. However, a correctly implemented cookie banner is preferred.
e-Privacy Regulation and the Importance of Cookie Banners
A cookie banner should always be transparent, sincere, and have a clear purpose. Whilst this might seem straightforward, companies are constantly bombarded with information, and they are surrounded by a variety of regulations that seem the same, but are completely different.
So, why is this important? In GDPR, “cookie” is only mentioned once, but try not to disregard this fact – that one mention has an extremely significant impact on the compliance of cookies:
“(30): “Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
Be Cautious: Cookies Can Burn
In a nutshell, this means that a cookie has the power to identify an individual and if it identifies an individual, then it will be considered as personal data.
All of a sudden, this one mention is what led the French data regulator, CNIL, to fine Google 50 million euros for a breach of GDPR on the grounds of “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”.
This is where the saying “well, that escalated quickly” comes in handy, and it perfectly shows how monetarily expensive it is to breach GDPR!
The e-Privacy Regulation Puts a Ban on SPAM
Besides cookie banners - has there been any discussions regarding direct marketing and SPAM? You bet! The upcoming Regulation will regulate the rules concerning unsolicited electronic communications, including SMS and marketing calls.
The aim is fairly consistent with the previous objective, and according to Article 29 Working Party’s guidelines on consent, direct marketing will only be allowed if the end-user has provided a freely given, specific, informed, and unambiguous indication of wishes expressed by a statement of a clear affirmative action – meaning:
Explicit consent (opt-in) is a must for direct marketing.
Will Soft Opt-Ins Be Legal Under the ePR?
Now, you might be thinking: “we don’t need explicit opt-ins, soft opt-in is legal”. Yes, this might be true in some European countries. However, it is very clear from Article 16 ePR that a “soft opt-in” only is permitted “in the context of the sale or purchase of a product or a service”. Meaning, for example, that browsing your website for services and products will not justify a soft opt-in.
However, the British Information Commissioner’s Office (ICO) has further clarified that the exemption in Article 16 should also include collected information that has been passed down during pre-contractual negotiations.
Consequently, this area of soft opt-ins is a grey area. If you should decide to choose this route, you will be entering dangerous waters. Why? Because the line between “legally ok” and SPAM, which could result in a hefty fine of up to 20 million euros or 4% of the total worldwide turnover, is extremely thin. Nevertheless, it is the Controller’s responsibility to demonstrate and justify such soft opt-in, and in any case, an opt-out must always be present in every type of communication.
How can APSIS make your life easier?
– Introducing APSIS One
As we can see, GDPR and ePR are the siblings of data protection – they share the same objectives, but they have different driving forces, though together they will be a force to be reckoned with!
Nonetheless, at APSIS, we have always chosen the safe pathway, and we only allow permission-based marketing in our platforms, because it increases the transparency, respect, and trust with your subscribers, and more specifically, it is in line with deliverability (anti-SPAM guidelines) requirements.
Despite this, we all have good intentions to always comply with the laws, but it can sometimes be overwhelming to decide how you should manage and maintain your subscribers’ consents. Because of this, we have tried to develop APSIS One so that managing your subscribers’ consent does not feel like rocket science anymore.
Within One, you can easily respond to a subscribers’ request of exporting or deleting their data, directly within their customer profile. But why stop there? APSIS has developed a straightforward function, known as Website, which will enable you to manage all customer opt-ins, not only for a variety of channels like SMS and Email, but also for specific topics!
Accordingly, we at APSIS, want you to spend your time on creating inspiring campaigns and analysing your data so that your business can thrive instead of getting lost in the minefield known as the law. Hence, we have tried to develop these tools in light of our customers’ needs for making data protection management as easy as possible.
As a result – and in reality – it is your responsibility as a Data Controller to fulfill these laws. Because, if there is one thing we can all learn from the absolute mess that Facebook is currently in, it is that it’s better to be safe than sorry…