With May 2018 within touching distance, you may think it will soon be all over. The GDPR (General Data Protection Regulation) is taking its toll and fatigue around the topic has undoubtedly begun to set in. Yet it is only just the beginning: as one door closes, another opens to make way for the European Union’s ePrivacy regulation.
Interwoven in any GDPR conversation regarding the application of the regulation, particularly in the case of marketing by method of communication, is reference to the PECR (Privacy and Electronic Communication Regulations). Dating back to 2003, the PECR is described by the ICO (Information Commissioner's Office) as sitting alongside the DPA (Data Protection Act 1997). Partners indeed they are: while one focuses on the use of personal data generally, the other focuses specifically on how that personal data is used in the context of communication.
So then, with the evolution of the DPA into the GDPR, it stands to reason that the PECR also requires some modern-day bolstering of its own, for fear of it becoming out-of-date. Here are five things to know about the ePrivacy regulation, as it stands in its January 2017 draft.
1. The GDPR's ePrivacy regulation is being implemented slowly but steadily
As was the intended partnership of the DPA and PECR, the GDPR was also supposed to have a commonly timed counterpart in the ePrivacy regulation. Bureaucracy, diplomacy and the joys of lobbying prevented that intention from becoming a reality, and instead the timeline has proved sluggish. In January 2017, the EU released its first draft of the regulation, which drew heavy criticism from members of the European Parliament for stifling innovation. It wasn’t until October 2017 that Parliament narrowly approved the regulation, allowing it to continue through the chambers of power in Brussels.
2. ePrivacy is a regulation, not a directive
We have heard this one before, and dare I believe that IT administrators continent-wide are more familiar with European law than pre-GDPR. Despite its name sporting the letter R, the PECR was the result of a 2002 directive. As we have learned with the GDPR, this means that local implementations of the directive have resulted in a patchwork of rules in each member state. The regulation not only solves that problem but also matches the rigidness of the GDPR, again a sign that these two were fated to be together.
3. Cookie consent won't be website-specific
Remember when websites started to add pop-ups asking you to acknowledge their use of cookies? Well, the ePrivacy regulation intends to end that practice by removing the need for consent for non-privacy-intrusive cookies, such as those used for shopping carts. In essence, users must be in control of any private or sensitive information stored on their devices, without having to click on a banner asking for consent each time they visit a website. Instead, it is expected that web browsers will include settings to allow or deny cookie use. This could have a huge impact on targeted banner ads, which determine content based on browsing habits.
4. B2B and B2C organisations will have the same ePrivacy laws
Under the PECR, direct marketing activities to B2B contacts had some level of distinction from those to B2C contacts with regard to consent, by way of the definitions of natural person and legal person. In the current draft of the ePrivacy regulation, this has been removed and made more consistent with the approach of the GDPR. Article 16.1 states, “Natural or legal persons may use electronic communications services for the purposes of sending direct marketing communications to end-users who are natural persons that have given their consent.” In effect, contacting someone’s directly named business email address, such as john.smith@infinigate.co.uk, would require consent for email marketing, whereas marketing@infinigate.co.uk would not.
5. Non-compliance with the ePrivacy regulation will provoke GDPR-like fines
Infamous for its stinging administrative penalties, the GDPR has been both criticised and applauded for its ceiling values. This attention can now be shared as, in an act of plagiarism, the ePrivacy regulation contains the exact same level of punishment as a deterrent. It’s not certain which mechanism the writers of the two regulations used to determine these values; what is certain, however, is that when weighing the cost of compliance against non-compliance, the GDPR and ePrivacy regulation put a heavy emphasis on the cost-effectiveness of compliance.
As mentioned earlier, the GDPR and the ePrivacy regulation were always intended to work hand-in-hand, or dovetail, as some have written. Some of the confusion and ambiguity of the GDPR, especially in relation to communication and marketing with data subjects, was supposed to be cleared up by the ePrivacy regulation. Even their enforcement dates were supposed to be synchronised. Twins by design.
Despite the lobbying treacle, the ePrivacy regulation is on its way and once again you will be bombarded with the question, “are you ePrivacy regulation ready?”.