ePrivacy is a logical extension to GDPR, but it faces challenges
Just when you thought it was safe to go back into the water, you find that there’s another danger lurking for companies doing business in the EU. It’s called the ePrivacy Regulation. The good news — for those still busy with GDPR — is that it missed its 2018 deadline, thus giving us all a head start for 2019.
Why ePrivacy? Isn’t GDPR sufficient?
GDPR governs the use of personal data in terms of why it is being collected, how it will be used and who it will be shared with. It answers the question: “why do you need my data and how are you going to use it?”
ePrivacy, on the other hand, governs the transmission of that data via electronic means. This is not just email and messaging platforms (WhatsApp, Skype …), but also tracking technologies (cookies and many others) and smart-home devices. It therefore answers the question: “who is tracking me over the internet and are my communications confidential?”
ePrivacy is therefore a logical addition to GDPR. It clarifies certain areas, particularly unsolicited marketing, cookies and confidentiality. The two laws will complement each other as part of the EU privacy framework.
Who needs to comply and what are the penalties?
The law will apply to businesses that communicate EU residents’ data. This means most online businesses, telcos, messaging platforms and manufacturers of smart-home devices.
ePrivacy penalties for non-compliance are the same as for GDPR — which reinforces their essential complementarity.
How will it work in practice?
The most visible — and welcome — part of ePrivacy will be in better management of cookies. Instead of being bombarded with irritating interruptions for your consent every time you visit a website, you’ll be able to configure your preferences in your browser (hallelujah!). And no consent will be needed for non-privacy related cookies — e.g. those used to remember your shopping-cart history or count website visitors.
The other big area concerns spam protection, which will require businesses to obtain explicit consent to be able to send marketing and other communications to email addresses and mobile devices. But, unlike for GDPR, there will be no legitimate interests to fall back on to avoid consent.
What are the challenges, and why is it late?
Though the original proposal came out in January 2017, it took more than a year and a half to come up with the draft regulation in September 2018.
The main roadblock is around consent and the absence of legitimate interests. Media and publishing are concerned about the impact on their current ad-supported business models, which rely on cookies and tracking technologies to monetise free content via targeted ads.
An opposing view, however, highlights the opacity and intrusiveness of ad tech, with its lack of genuine consent — as evidenced by the rise in popularity of ad blockers.
Regardless of your views on ad tech, opponents are asking — not without reason — why electronic communications should operate under a stricter set of rules than other personal information. If ePrivacy and GDPR are to form part of the same privacy framework, shouldn’t the same lawful bases apply to both?
These are valid questions, and given the very strong views and discussions currently under way, they are unlikely to be addressed before early 2019.