It’s fair to say we all heard about the GDPR. Last year's regulation and all the requirements it brought dominated blogs and news feeds across the EU as businesses scrambled to prepare for the deadline. However, in the background, the European Commission has something else waiting in the wings that isn’t getting the same sort of coverage but is no less important—the ePrivacy Regulation.
What Is It?
There is currently an ePrivacy Directive in existence (implemented in the UK as the Privacy and Electronic Communications Regulations 2011), much like the predecessor to the GDPR. However, just as with the GDPR, it is dated and doesn’t cater to the new and emerging channels and digital ecosystems. This new ePrivacy Regulation will repeal the previous directive and, as it is a “Regulation”, and will apply directly across EU markets when it comes into force.
The ePrivacy Regulation will work in tandem with the GDPR, enhancing it in light of technological developments (specifically the “Internet of Things”). The Regulation is designed to complement the GDPR to ensure that Internet users have control over all their data and to ensure that businesses handle data with the greatest care. It also comes with those same hefty fines.
As we know, the GDPR came into force last year on May 25, 2018 and the intention was that this Regulation would come into force alongside it. However, it is important to note that the Regulation has not yet been finalized—more on that later.
What Does the Law Cover?
The previous Directive was often referred to as the “cookies law”. This new Regulation has a much broader scope and stretches out from cookies to handle a number of other aspects. It’s early days, so we can’t cover everything but here are the key parts of the regulation.
Cookies
Cookies are a key part of this regulation and are also one of the most contested aspects, particularly from various parties within the digital advertising sector who have raised warning flags over the perceived inefficiencies and reduced revenue that this could introduce.
In short, the proposal is to do away with the annoying cookie banners that have plagued sites for several years and move the privacy notices into the browser. If the ePrivacy Regulation has its way, you will be able to select your default privacy settings when setting up the browser and then maintain them through the browser from then on.
Already, there is a big plus point—who likes the cookie banners anyway? But then, there’s the reality. When people are consenting to the use of cookies through those banners, they are giving you license to push on with the all-important digital marketing features to enhance that customer experience. If the customer is blocking these from the off through their browser, how do we convince the customer to change their mind? The real danger here is that we could be introducing a wave of new, intrusive privacy notices to replace those cookie banners—damaging the customer experience in the process.
That aside, there’s still some clarification needed on which cookies count. It’s been suggested that cookies required for analytics or for improving the site experience may not be counted, but until we see the final Regulation, there’s nothing guaranteed.
Electronic Communications
Another major part of the regulation is around electronic communications. The previous directive covered the typical communications channels of the time, e.g., emails. However, the new regulation expands this significantly to encompass the Over-The-Tops (e.g., social media messaging services such as WhatsApp) and Voice Over Internet Protocol providers (e.g., video and audio services such as Skype).
The aim is to provide more stringent consents over these channels—both for the content of the communications and the metadata (data processed by the electronic communications network for the purpose of transmitting, distributing, and exchanging the content) attached to those communications. There’s layers of consent attached to both the content and the metadata to ensure that not only are these channels safeguarding the content of the communications but also only retaining the required metadata for as long as is needed to complete the service.
Soft Opt-In
The soft opt-in (consent isn’t required if you are sending them a marketing message about similar products and services) is sticking around, although it can only be retained in limited circumstances, e.g., sending promo messages to existing customers to offer similar products or services or in the context of the sale of a product or service). Much of this hinges on the legitimate interests processing condition.
However, the opportunity to opt-out through unsubscribe messages and interactions still needs to be available.
B2B Consent
One of the most ambiguous aspects of the regulation is around B2B marketing communications and whether consent is required when it comes to corporate email addresses. If it is a named corporate email address, then surely this falls within the personal identifiable data outlined by the GDPR?
It seems there is a choice to be made by B2B marketers over whether to seek out consent or whether to hedge their bets on legitimate interest.
Like many aspects of the regulation, it is still early so we’ll need to keep our eyes peeled to see how this aspect pans out.
What Do We Do About It?
There are some industries that have been pretty vocal about the potential impact of this regulation and the debate is likely to rumble for some time to come.
From an agency perspective, there are various aspects of this regulation that will need to be factored into what we do and how we work, but the cookies element is an important one. Banners aside, we need to consider the potential impact of this on even simple activities like A/B testing. There are some important decisions on the horizon and we, for one, will be keeping a close eye on how this develops.
Having said all of that, it is important to recognize that the regulation has not yet been finalized. The initial proposal emerged in January 2017 and the first revised draft got submitted on September 8, 2017. It took a long time to get the GDPR passed through so there are concerns across the board about the EC’s proposed launch date.
The industry’s key focus right now is still GDPR and on working towards compliance across sites given the hard stop last year. However, we need to keep this forgotten sibling in the corner of our eye.
Updated article previously published on June 12, 2018.
Please don’t forget to comment on your thoughts about GDPR compliance below. And check out how Kentico 12’s Data Protection app can help you keep GDPR-compliance at the heart of your tech stack.
As Digital Marketing Strategist at MMT Digital, Rich Madigan is responsible for the development and implementation of digital marketing strategies that transform business performance for their clients. In addition, he advises clients on best practice for GDPR compliance.
DISCLAIMER: All data and information provided in this blog post are for informational purposes only. Kentico makes no representations as to the accuracy, completeness, currentness, suitability, or validity of any information contained herein. We recommend consulting with a lawyer for any legal advice pertaining to data protection compliance.