The Draft ePrivacy Regulation and What it Means For Your Business

The European Council delivered its negotiating mandate of the ePrivacy Regulation in February. This document has been a long time coming and gives us the best impression yet of how this important law will look once passed.

Your compliance with the General Data Protection Regulation (GDPR) probably took up a lot of time and resources. Complying with the ePrivacy Regulation might require just as much effort, depending on how the law applies to your business.

This article gives a detailed overview of the draft law and considers how the final version might look.

ePrivacy Regulation Draft: The Basics

Here's a breakdown of the basics: what the ePrivacy Regulation covers, who has to comply, and where it applies.

What's the difference between a directive and a regulation?

The ePrivacy Regulation is an update to the ePrivacy Directive, first passed back in 2002. What's the difference?

A directive is a law directed at EU Member States. The directive requires Member States to create national laws that give it effect. So, for example, the UK implemented the ePrivacy Directive as the Privacy and Electronic Communications Regulations (PECR). There is usually some variation between Member State laws implementing directives.

Unlike a directive, a regulation immediately becomes law in each Member State once it comes into effect at EU level. There's no need for Member States to create national laws to give the regulation effect. There will be less variation in how the law applies across Member States.

What is the current status of the ePrivacy Regulation?

Right now there are three documents relevant to the ePrivacy Regulation, proposed by three different EU bodies:

  • European Commission proposal, adopted in January 2017, the original text of the proposed ePrivacy Regulation
  • European Parliament mandate, adopted in October 2017
  • European Council mandate, adopted in February 2021

There's also an opinion on the Council's mandate by the European Data Protection Board (EDPB) published in March 2021.

We'll be looking at the Council mandate in this article because it's the most recent version. However, this version still has to be approved following the inter-institutional negotiating process. Therefore, it could change before coming into force.

What types of data does the ePrivacy Regulation cover?

The ePrivacy Regulation is about protecting two main things:

  1. Electronic communications content: "the content exchanged by means of electronic communications services, such as text, voice, videos, images, and sound" (Article 4.3 (b)).
  2. Electronic communications metadata: the data about electronic communications content, such as where it was sent from, who sent it, "the date, time, duration and the type of communication" (Article 4.3 (c)).

Together, these two things are known as "electronic communications data." You send them via an "electronic message" using "e-mail, SMS, MMS and functionally equivalent applications and techniques" (Article 4.3 (e)).

It's important to remember that electronic communications data is not the same as "personal data," about which the GDPR is principally concerned.

Electronic communications data might contain personal data, or it might not. This doesn't affect the rules under the ePrivacy Regulation.

Here's an example of why this matters in practice. Some cookies collect personal data. Some don't. This isn't a relevant consideration under the ePrivacy Regulation. The rules apply to cookies regardless of whether they collect personal data.

However, where electronic communications data does contain personal information, it falls under the scope of the GDPR as well as the ePrivacy Regulation.

What types of activities does the ePrivacy Regulation cover?

The ePrivacy Regulation sets rules about:

  • Direct marketing: "Any form of advertising, whether written or oral, sent via a publicly available electronic communications service, directly to one or more specific end-users." (Article 4.3 (f))
  • Cookies and similar technologies: Any software or code, including pixels, web beacons, and spyware, that you place on a user's device. The Regulation also sets rules about collecting data from a user's device.
  • Security of communications services
  • Publicly available directories: Public databases containing information about people, such as their "name, phone numbers (including mobile phone numbers), email address, home address" (Recital 30).

Who does the ePrivacy Regulation apply to?

The ePrivacy Regulation will apply to anyone carrying out the activities in the section above. Broadly speaking, this means:

  • Businesses engaged in electronic direct marketing, including emails, messages, SMS, or calls
  • Developers creating software or websites, insofar as they use cookies and similar technologies
  • People or businesses operating software or websites, who must ensure that such services comply with the Regulation
  • Providers of electronic communications services, including:

    • Internet Service Providers (ISPs)
    • Voice over Internet Protocol (VoIP) providers
    • Providers of messenger apps and other "over the top" services
    • Phone service providers
    • Internet of Things (IoT) providers
  • Providers of publicly available directories: Anyone wanting to compile a telephone, fax, or email directory.

Where does the ePrivacy Regulation apply?

One of the big changes in the ePrivacy Regulation is that, like the GDPR, it will apply extraterritorially, meaning that people outside of the EU will need to comply with the Regulation under certain conditions.

Article 3 of the ePrivacy Regulation draft sets out the "territorial scope" of the law. It's a little messy in its current form (at page 44):

[Screenshot: Council of the European Union: ePrivacy Regulation Draft - Article 3]

The rules are actually quite simple. You'll need to comply with the ePrivacy Regulation, regardless of where you're based, if you do any of the following:

  • Provide electronic communications services to people in the EU
  • Process communications data of people in the EU
  • Access information from the devices of people in the EU
  • Offer publicly available directories of people in the EU
  • Send direct marketing communications to people in the EU

Note that the countries in the European Economic Area (EEA), which consists of the EU Member States plus Iceland, Liechtenstein, and Norway, will also be party to the ePrivacy Regulation. This means the rules will also apply to people in those countries.

Will the ePrivacy Regulation apply in the UK?

The short answer is "no," the ePrivacy Regulation will not apply in the UK. The Regulation will be an EU law, and the UK is no longer an EU Member State, nor is it part of the EEA.

However, the UK is seeking an adequacy decision from the EU, which would allow for easier cross-border data flows between the two jurisdictions.

Obtaining and maintaining an adequacy decision will require the UK to maintain EU-equivalent data protection and privacy standards. This means that, in order to achieve "data adequacy," the UK may adopt many of the ePrivacy Regulation's legal requirements into its own law.

Also, bear in mind that many businesses in the UK will be required to abide by the ePrivacy Regulation whenever they are dealing with end-users in the EU. Therefore, whether or not the Regulation is adopted into UK law, an understanding of the ePrivacy Regulation's requirements will be essential for many UK businesses.

How will the ePrivacy Regulation be enforced?

The draft ePrivacy Regulation sets a system of fines very similar to that present in the GDPR, namely:

  • Less serious violations will result in a penalty of up to 2% of annual worldwide turnover, or up to €10 million (approx. $11.8 million), whichever is greater.
  • More serious violations will result in a penalty of up to 4% of annual worldwide turnover, or up to €20 million (approx. $23.6 million), whichever is greater.

These fines will be imposed (or prosecuted in court) by the EU's Data Protection Authorities (DPAs). A range of non-financial penalties will also be available.

What Would the Draft ePrivacy Regulation Require?

Now let's look at some of the rules imposed under the draft ePrivacy Regulation.

Privacy of Communications

The basic rule imposed by the ePrivacy Regulation is that all communications must be confidential. This means providers of communications services must not "eavesdrop" on communications.

However, the Regulation provides for exceptions where electronic communications data may be intercepted or accessed.

Processing Communications Data

Providers of electronic communications services may process communications data where it is necessary to:

  • Ensure communications systems are secure (Article 6.1 (c))
  • Identify whether malware is present (Recital 16)
  • Safeguard against threats to public security where permitted by national law (Article 6.1 (d))

Such interference with communications must always be proportionate and subject to a full assessment of people's rights and freedoms.

Processing Communications Metadata

The Regulation is more liberal with the processing of communications metadata, which can be processed where it is necessary to:

  • Manage or optimize networks (Article 6b.1 (a))
  • Meet technical quality of service requirements (Article 6b.1 (a))
  • Perform contractual obligations, such as billing, calculating payments, detecting or stopping subscription fraud or abuse (Article 6b.1 (b))
  • Fulfill one or more specified purposes, with the user's consent (Article 6b.1 (c))
  • Protect a person's vital interests (this may include monitoring the spread of epidemics) (Article 6b.1 (d))

Processing for Research or Statistical Purposes

There are certain conditions under which you may process communications metadata for scientific or historical research or statistical purposes. These rules are set out at Article 6b.1 (e)-(f) and Article 6b.2a-2.

  • In the case of communications location metadata, such processing is permitted if the data has been pseudonymized and if:

    • You cannot achieve such processing using data that has been anonymized
    • You anonymize or erase the data once you no longer need it
    • You're not using the data to build a profile about the user
    • You do not share the data with a third party unless it has been anonymized
  • In the case of communications metadata other than location data, such processing is permitted subject to national law and with appropriate safeguards in place, including encryption and pseudonymization

Such metadata may also be processed for producing "official national European statistics."

Cookies and the Draft ePrivacy Regulation

Perhaps the ePrivacy Regulation's most far-reaching implications are around the use of cookies. These rules must be obeyed by anyone developing or controlling a piece of software, an app, a website, or a device that uses cookies insofar as it is accessible in the EU.

Basic Rules on Cookies

Under the draft ePrivacy Regulation, the basic rules on cookies remain in place from the ePrivacy Directive. Here's the relevant section of that law, at Article 5:

[Screenshot: EUR-Lex ePrivacy Directive: Article 5 Section 3]

Under the ePrivacy Directive, you must request GDPR-compliant consent for all cookies, except for those that are:

  1. "(Used) for the sole purpose of carrying out the transmission of a communication over an electronic communications network"
  2. "Strictly necessary in order to provide an information society service explicitly requested by the subscriber or user to provide the service"

Some of the following activities might necessitate these types of cookies:

  • Load-balancing
  • Shopping carts
  • Authentication
  • Security (with strict limits on duration)
  • Media playback
  • UI customization
  • Social media plug-ins

You don't need to get consent for these types of cookies. There are strict caveats here, however: The cookies in question must be limited in duration and fulfill a specific purpose.

The recitals of the ePrivacy Regulation provide some interesting insights into how the types of cookies requiring consent might change.

For example, Recital 21a refers to cookies used "in assessing the effectiveness of... website design and advertising" or by "helping to measure the numbers of end-users visiting a website" as being "a legitimate and useful tool."

The ePrivacy Regulation contrasts these types of cookies with those "used to determine the nature of who is using the site," which "always require the consent of the end-user."

This suggests that counting unique page visits or ad impressions may not require consent under the ePrivacy Regulation.

The draft ePrivacy Regulation would allow for "cookie walls" under certain conditions.

A cookie wall is a cookie banner that won't let you access a website or service until you agree to cookies. The difficulty is that this doesn't meet the GDPR's definition of "consent," which refers to a "freely given" action.

Court rulings, data protection authority decisions, and May 2020 EDPB guidelines all make it clear that cookie walls are not allowed under the ePrivacy Directive and the GDPR. Access to services cannot be made conditional on consent to cookies.

This could change under the ePrivacy Regulation, which proposes the legalization of "cookie paywalls."

Recital 20aaaa (yes, that's 20 followed by four "a"s) envisions a model whereby access to a website could be made conditional on consent to cookies, if there is an "equivalent offer by the same provider that does not involve consenting to data use for additional purposes," which may require monetary payment.

The Washington Post already operates such a "cookie paywall" model:

[Screenshot: The Washington Post Cookie Paywall with Free and Premium options highlighted]

While the Post's consent solution is problematic under the current rules, it appears that it would be allowed under the draft ePrivacy Regulation.

Browser Whitelisting

The ePrivacy Regulation deals with the issue of "cookie fatigue," a phenomenon that can lead to people frivolously agreeing to cookies because they are asked to do so with such frequency. As Recital 20a of the Regulation says: "This can lead to a situation where consent request information is no longer read and the protection offered by consent is undermined."

To attempt to resolve this, the draft ePrivacy Regulation seeks to allow users to provide consent en masse, by "whitelisting one or several providers for their specified purposes" in their browser or device.

This arguably undermines the GDPR's requirement that consent is "specific," but it will likely be popular among those users feeling "fatigued" by cookie consent banners.

Internet of Things

The ePrivacy Regulation specifically addresses IoT devices, providing a few basic rules and principles about their development and deployment:

The "use of the processing and storage capacities" of an IoT device and "access to information stored therein" should not require consent if "such use or access is necessary for the provision of the service requested by the end-user" (Recital 21).

The Regulation gives the example of a smart meter: you need to access information stored on the device for the purpose of maintaining the "stability or security of the energy network" and for "billing the end-users' energy consumption."

To use or access information stored on IoT devices for any purposes that are not "necessary for the provision of the service requested by the end-user," you'll need to obtain consent.


The ePrivacy Regulation would:

  • Apply to the processing of electronic communications content and metadata
  • Apply to anyone processing the electronic communications data of end-users in the EU
  • Impose fines of up to 4% of annual worldwide turnover or €20 million ($23.6 million)
  • Require consent for the processing of most communications data except for certain limited security, national security, health, and research purposes
  • Allow cookie walls as long as a paid alternative to cookies was provided
  • Allow end-users to whitelist cookies from certain providers
  • Set rules about consent regarding IoT devices
Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.