New stipulations and consequences of the coming ePrivacy Regulation

Is that all? No. The new ePrivacy Regulation of the EU also goes several steps further than the current laws which exist as a result of the current Directive.

Taking into account that 1) the amended proposed text has been approved in the plenary of the EU Parliament end October 2017 as part of the so-called Lauristin report and 2) that there are different opinions in several areas between this EU Parliament draft ‘as it is approved’ and the version of the EU Council (representing member states), we don’t know the date when the ePrivacy Regulation will be published nor applied but don’t expect it to happen before 2019, even if the original intent was to have the GDPR and EU ePrivacy Regulation apply at the same time (check further updates at the bottom of this page).

Below are some key new stipulations and consequences regarding the use of cookies and other impacts on the Internet and electronic communications services and providers as mentioned in the proposal text and in the amended text as it was approved by the LIBE Committee on October 19th, 2017 and, next by the EU Parliament in plenary session.

The EU ePrivacy Regulation and cookies

Although the ePrivacy Directive has become known as the cookie law to some, as said it’s about more than just cookies.

But cookies and cookie consent are among the most visible aspects and there is also quite a bit that is poised to change in this regard.

The ePrivacy Regulation AIMS to simplify the rules regarding cookies and streamline cookie consent in a more ‘user-friendly’ way. As such that is great news. In practice it, among others means that EU websites and websites with EU visitors, will not need to show those cookie consent pop-ups anymore. Hurray, that is indeed more user-friendly and less of a hassle for website owners (for us it’s another plug-in that can go).

Easier cookie rules: yes and no

HOWEVER, the current proposal says that browser settings will enable website visitors to accept – or refuse – cookies, as well as other ‘identifiers’. In case the GDPR and term ‘identifiers’ is a mystery, read more about personal data and identifiers.

Using browser settings for cookie consent/refusal de facto means that you’ll see more and more websites that show pop-ups saying “sorry, no visit if no cookies” as we already see with adblockers. So, it seems that one pop-up is indeed being replaced by another one, on a site level (unless the site doesn’t care about cookies which is not really the case for publishers nowadays). This is one of the most heard concerns from delegations and food for discussions as you can read below: the fact that the suggested cookie method will simply miss its goal. However, the lawmakers have explicitly tackled this issue with decisions that are probably the most debated in the online media industry.

For some cookies there is good news. In the proposal it is also foreseen that consent is not needed for “non-privacy intrusive cookies” which improve the Internet experience of the user.

Examples include e-commerce cookies, remembering shopping cart histories and cookies for Google Analytics and the many others. It’s not very likely that cookies for online advertising will be interpreted as improving the Internet experience, although opinions will obviously differ.

Advertising and marketing cookies: not simple at all

Now, all is not said yet and of course work had been done to prepare the draft text, including discussions with various stakeholders, also in the advertising space.

In the 432-pages report made by Deloitte for the European Commission you can read the reasoning on the pros and cons of first-party and of course third-party cookies (“the backbone of digital advertising”). A link to it and all other sources below.

We don’t have to tell you that with all the marketing automation, audience measurement (on online media properties), connected databases of third-party cookies (for instance, enabling retargeting to name something still relatively simple), social network cookies, analytics cookies and so forth there is a whole lot of cookies going on. In the so-called ‘Cookie Sweep’ in 2014, it turned out that on average there were about 28.9 cookies on the analyzed media, public sector and e-commerce sites (in the EU), 70% being third-party cookies as the Deloitte report also mentions.

Infographic – the new EU ePrivacy Regulation. Attention!!! The infographic is based upon the draft text which will be adapted before it becomes a Regulation – source (PDF opens)

While the sophisticated networks of cookies, as advertising and media bodies always say, make it possible for Internet users to get (increasingly partial) access to ‘free content’ (paid by the ads), and there is a case for ‘relevance’ of the ads in the context of the Internet user by better targeting, at the same time it’s also pretty well-known that for the average Internet user it’s far from clear how he/she is tracked across networks. We’ve rarely seen a website where those 28.9 cookies and trackers on average are mentioned nor read a cookie policy that’s understandable or makes it clear for an Internet user what really happens in the background with all those connected networks and sites and so forth when visiting a site or using some app.

Cookies beware: major fines

Even if we deduct the ones where consent won’t be needed anymore it’s still a lot and we don’t think this debate is over. It is – to say the least – complex and changes quite some things.

Moreover, the stakes are high: did we mention that the same rules as in the GDPR fines apply? Indeed, you read that right. High fines and little margin for error in a heck of a difficult context.

It probably won’t come as a surprise that the IAB (Interactive Advertising Bureau) Europe rapidly responded as soon as the draft text was leaked, stating that it was “dismayed by the European Commission’s proposal for a new ePrivacy Regulation, the next iteration of the infamous cookie law”. Yet, so did other delegations.

From the draft text: “Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties from storing information on the terminal equipment; this is often presented as ‘reject third party cookies’. End-users should be offered a set of privacy setting options, ranging from higher (for example, ‘never accept cookies’) to lower (for example, ‘always accept cookies’) and intermediate (for example, ‘reject third party cookies’ or ‘only accept first party cookies’). Such privacy settings should be presented in a an easily visible and intelligible manner”.

The ePrivacy Regulation and the Internet of Things

From cookies we jump to something entirely different: the Internet of Things (IoT). By now we suppose people know what it is (and it’s not an it or thing but that’s another topic).

Before we start: do note that the Internet of Things is also tackled in the GDPR where, for instance, RFID tags, fall under the category of so-called online identifiers.

In a European context we can say that the IoT is part of the backbone of Industry 4.0 and, not unimportant, in the coming years (until 2020)growth in the consumer segment of the Internet of Things is expected to be high in Western-Europe. As a matter of fact, by 2020 consumer IoT spend will jump to the third spot of IoT spendglobally (until then, the market is led by respectively IoT spend in manufacturing or Industry 4.0, IoT spend in transportation and IoT spend in utilities, three segments of the Industrial Internet of Things).

Benefits for citizens and business of the new EU ePrivacy Regulation according to the European Commission factsheet infographic – source (PDF opens)

However, in Western-Europe, consumer IoT already will rank second from an IoT spending perspective in 2020.

So, it’s probably noteworthy that in the proposal text of the ePrivacy Regulation, the Internet of Things is specifically mentioned and that “the principle of confidentiality which is enshrined in the Regulation should also apply to the transmission of machine-to-machine communications”. The text also calls for specific safeguards under sectorial legislation.

In the introduction, mentioning that principle of confidentiality the IoT is not specifically included but beware: it is mentioned further (and you can see it as part of ‘the current and future means on communication”).

From the introduction text: “Confidentiality of electronic communications ensures that information exchanged between parties and the external elements of such communication, including when the information has been sent, from where, to whom, is not to be revealed to anyone other than to the parties involved in a communication. The principle of confidentiality should apply to current and future means of communication, including calls, internet access, instant messaging applications, e-mail, internet phone calls and personal messaging provided through social media”.

The rules regarding to machine-to-machine communications are another concern of delegations and are and will be discussed.

The ePrivacy Regulation and Over-the-Top communication services

Have you ever heard about Over-the-Top communication services or OTTs? In all honesty: we hadn’t.

Just as the Internet of Things is included, these new ways of communication are also subject to the ePrivacy Regulation. OK, but what are they? When we say Skype, Facebook Messenger and WhatsApp it’s probably clear enough.

So, in the new Regulation, the privacy and confidentiality and data protection rules of any company offering electronic communications services will apply to them as well: Voice over IP, instant messaging and anything else really.

Here as well, delegations asked the the Council’s Working Party on Telecommunications and Information Society to review the text.

The ePrivacy Regulation, direct marketing and email marketing

Like its predecessor, the ePrivacy Directive, the upcoming Regulation foresees various rules on spam and unsolicited electronic communications by other means such as SMS.

While spam and unsolicited electronic communications obviously aren’t marketing, we mention it under that umbrella as we know a few publishers and others that will be in for some serious surprises as they seem to keep sending “marketing” messages, even if you unsubscribed a gazillion times. Identifying other spammers is obviously another ball game.

Direct marketing also means calls and here there is something we really really like: marketing callers will need to show their phone numbers or use a prefix which indicates the call is a marketing call.

Nowadays those numbers are virtually always hidden. As a result we stopped picking them up but now and then a customer uses them as well. So, when we do pick them up and for the 694th time need to say we don’t want a subscription to a magazine that’s pretty uncool.

When OneTrust announced its new OneTrust consent management platform in March 2018, the company stated that driven by the proposed text of a new ePrivacy Regulation, which would make consent the sole legal basis for processing in most marketing scenarios, paired with public statements made by various European regulators encouraging consent, many organisations are moving towards implementing a consent-based GDPR compliance strategy for marketing activities.

The impact of the correlation with the GDPR

We touched upon it previously but can’t emphasize it enough: the new ePrivacy Regulation is one single set of rules concerning all EU citizens and companies but it also ‘inherits’ several principles and stipulations from the GDPR.

Undoubtedly one that will make many people concerned (from website owners to instant messaging developers, advertisers and – hopefully – spammers) are the fines.

Two different ‘sets’ of fines exist in the proposal’s text:

 

• “Infringements of the principle of confidentiality of communications, permitted processing of electronic communications data and time limits for erasure”: the up to 20 Million Euros or, in the case of an undertaking, up to 4 percent of worldwide annual turnover, whichever is the highest, as we know it from the GDPR.
• “Infringements regarding obligations of legal or natural persons who process electronic communications data, the obligations of providers of publicly available directories and/or the obligations of legal/natural persons who use electronic communications services: up to 10 Million Euros or, in the case of an undertaking, up to 2 percent of worldwide annual turnover, whichever is the highest.

The further details regarding these obligations can be found in the articles 5, 6 and 7, and paragraph 1 of the text for the first set of infringements and in articles 8, 10, 15 and 16 for the second set of infringements.

(Tele)communications content and metadata

As the summary of the Regulation draft text states, privacy is guaranteed for communications content itself and for the metadata of the content.

The metadata needs to be anonymized or deleted in case there is no consent with one exception; when it’s needed for billing.

Finally the summary also states that telecommunication firms can develop new services by leveraging content and/or metadata (but see the previous statement on anonymization) when consent is given for processing. This enables them and organizations to develop new services in a Big Data scope.

Examples of this already exist in the EU, whereby whomever is interested can gain insights in data from telecommunications providers and leverage them, for instance to detect patterns and heat maps showing the location of (mobile) users.

To read part 1 click here, to read part 3 here.