Last updated on 28 September 2022 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
The ePrivacy Regulation will introduce new rules about cookies, direct marketing, and business-to-business (B2B) communications. Online advertisers have lobbied fiercely against many of its provisions. However, the proposals have changed a lot over a series of drafts.
This article takes a detailed look at the draft law and considers how the final version might look.
Here's a breakdown of the basics: What the ePrivacy Regulation covers, who has to comply, and where it applies.
The ePrivacy Regulation is an update to the ePrivacy Directive, first passed back in 2002. What's the difference?
A directive is a law directed at EU Member States. The directive requires Member States to create national laws that give it effect. So, for example, the UK implemented the ePrivacy Directive as the Privacy and Electronic Communications Regulations (PECR). There is usually some variation between Member State laws implementing directives.
Unlike a directive, a regulation immediately becomes law in each Member State once it comes into effect at EU level. There's no need for Member States to create national laws to give the regulation effect. There will be less variation in how the law applies across Member States.
As of early 2022, negotiators had agreed on a draft, but this may still be changed. The ePrivacy Regulation is not expected to take effect until 2023, and there will be a 24-month transition period.
The ePrivacy Regulation will not replace the GDPR. It's designed to complement the GDPR.
The GDPR provides a broad framework for all activities involving the processing of personal data. The ePrivacy Regulation will show how this framework applies to the area of privacy in electronic communications.
The GDPR and the ePrivacy Regulation should be compatible. But if the ePrivacy Regulation contradicts the GDPR in some way, the ePrivacy Regulation will override the GDPR.
The ePrivacy Regulation is about protecting two main things:
Together, these two things are known as "electronic communications data." You send them via an "electronic message" using "e-mail, SMS, MMS and functionally equivalent applications and techniques" (Article 4.3 (e)).
It's important to remember that electronic communications data is not the same as "personal data," about which the GDPR is principally concerned.
Electronic communications data might contain personal data, or it might not. This doesn't affect the rules under the ePrivacy Regulation.
Here's an example of why this matters in practice. Some cookies collect personal data. Some don't. This isn't a relevant consideration under the ePrivacy Regulation. The rules apply to cookies regardless of whether they collect personal data.
However, where electronic communications data does contain personal information, it falls under the scope of the GDPR as well as the ePrivacy Regulation.
The ePrivacy Regulation sets rules about:
The ePrivacy Regulation will apply to anyone carrying out the activities in the section above. Broadly speaking, this means:
Providers of electronic communications services, including:
One of the big changes in the ePrivacy Regulation is that, like the GDPR, it will apply extraterritorially, meaning that people outside of the EU will need to comply with the Regulation under certain conditions.
Article 3 of the ePrivacy Regulation draft sets out the "territorial scope" of the law. It's a little messy in its current form (at page 44):
The rules are actually quite simple. You'll need to comply with the ePrivacy Regulation, regardless of where you're based, if you do any of the following:
Note that the countries in the European Economic Area (EEA), which consists of the EU Member States plus Iceland, Liechtenstein, and Norway, will also be party to the ePrivacy Regulation. This means the rules will also apply to people in those countries.
The short answer is "no," the ePrivacy Regulation will not apply in the UK. The Regulation will be an EU law, and the UK is no longer an EU Member State, nor is it part of the EEA.
However, the UK is seeking an adequacy decision from the EU, which would allow for easier cross-border data flows between the two jurisdictions.
Obtaining and maintaining an adequacy decision will require the UK to maintain EU-equivalent data protection and privacy standards. This means that, in order to achieve "data adequacy," the UK may adopt many of the ePrivacy Regulation's legal requirements into its own law.
Also, bear in mind that many businesses in the UK will be required to abide by the ePrivacy Regulation whenever they are dealing with end-users in the EU. Therefore, whether or not the Regulation is adopted into UK law, an understanding of the ePrivacy Regulation's requirements will be essential for many UK businesses.
The draft ePrivacy Regulation sets a system of fines very similar to that present in the GDPR, namely:
These fines will be imposed (or prosecuted in court) by the EU's Data Protection Authorities (DPAs). A range of non-financial penalties will also be available.
Now let's look at some of the rules imposed under the draft ePrivacy Regulation.
The basic rule imposed by the ePrivacy Regulation is that all communications must be confidential. This means providers of communications services must not "eavesdrop" on communications.
However, the Regulation provides for exceptions where electronic communications data may be intercepted or accessed.
Providers of electronic communications services may process communications data where it is necessary to:
Such interference with communications must always be proportionate and subject to a full assessment of people's rights and freedoms.
The Regulation is more liberal with the processing of communications metadata, which can be processed where it is necessary to:
There are certain conditions under which you may process communications metadata for scientific or historical research or statistical purposes. These rules are set out at Article 6b.1 (e)-(f) and Article 6b.2a-2.
In the case of communications location metadata, such processing is permitted if the data has been pseudonymized, if:
Such metadata may also be processed for producing "official national European statistics."
Under the draft ePrivacy Regulation, the basic rules on cookies remain in place from the ePrivacy Directive. Here's the relevant section of that law, at Article 5:
Under the ePrivacy Directive, you must request GDPR-compliant consent for all cookies, except for those that are:
Some of the following activities might necessitate these types of cookies:
You don't need to get consent for these types of cookies. There are strict caveats here, however: The cookies in question must be limited in duration and fulfil a specific purpose.
The recitals of the ePrivacy Regulation provide some interesting insights into how the types of cookies requiring consent might change.
For example, Recital 21a refers to cookies used "in assessing the effectiveness of... website design and advertising" or by "helping to measure the numbers of end-users visiting a website" as being "a legitimate and useful tool."
The ePrivacy Regulation contrasts these types of cookies with those "used to determine the nature of who is using the site," which "always require the consent of the end-user."
This suggests that counting unique page visits or ad impressions may not require consent under the ePrivacy Regulation.
A cookie wall is a cookie banner that denies a visitor access to a website unless the visitor consents to cookies.
Here's an example from Drugs.com:
With the cookie wall in place, the site isn't accessible beneath the cookie consent mechanism. To use the website, a visitor must consent to advertising cookies. Drugs.com does inform the visitor that they can opt out once they've consented.
Here's what happens if the visitor clicks "Disagree":
Why are cookie walls a problem?
There are mixed views on cookie walls. On one hand, many consumers might be willing to "trade" their personal data for access to an online service. Also, many businesses depend on advertising revenue. This revenue can be increased by using tracking technologies.
On the other hand, such consent mechanisms do, arguably, contradict the GDPR's requirements around consent. There's a good reason to define consent as freely given. Recital 42 of the GDPR says that:
"Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment."
The European Data Protection Board has given a statement about cookie walls, arguing that consent earned via a cookie wall is not valid.
The draft ePrivacy Regulation would allow for "cookie walls" under certain conditions.
A cookie wall is a cookie banner that won't let you access a website or service until you agree to cookies. The difficulty with this is that this doesn't meet the GDPR's definition of "consent," which refers to a "freely given" action.
Court rulings, data protection authority decisions, and May 2020 EDPB guidelines all make it clear that cookie walls are not allowed under the ePrivacy Directive and the GDPR. Access to services cannot be made conditional on consent to cookies.
This could change under the ePrivacy Regulation, which proposes the legalization of "cookie paywalls."
Recital 20aaaa (yes, that's 20 followed by four "a"'s) envisions a model whereby access to a website could be made conditional on consent to cookies, if there is an "equivalent offer by the same provider that does not involve consenting to data use for additional purposes," which may require monetary payment.
The Washington Post already operates such a "cookie paywall" model:
While the Post's consent solution is problematic under the current rules, it appears that it would be allowed under the draft ePrivacy Regulation.
The ePrivacy Regulation deals with the issue of "cookie fatigue," a phenomenon that can lead to people frivolously agreeing to cookies because they are asked to do so with such frequency. As Recital 20a of the Regulation says: "This can lead to a situation where consent request information is no longer read and the protection offered by consent is undermined."
To attempt to resolve this, the draft ePrivacy Regulation seeks to allow users to provide consent en masse, by "whitelisting one or several providers for their specified purposes" in their browser or device.
This arguably undermines the GDPR's requirement that consent is "specific," but it will likely be popular among those users feeling "fatigued" by cookie consent banners.
The ePrivacy Regulation specifically addresses IoT devices, providing a few basic rules and principles about their development and deployment:
The "use of the processing and storage capacities" of an IoT device and "access to information stored therein" should not require consent if "such use or access is necessary for the provision of the service requested by the end-user" (Recital 21).
The Regulation gives the example of a smart meter: you need to access information stored on the device for the purpose of maintaining the "stability or security of the energy network" and for "billing the end-users' energy consumption."
To use or access information stored on IoT devices for any purposes that are not "necessary for the provision of the service requested by the end-user," you'll need to obtain consent.
The ePrivacy Regulation is set to bring electronic marketing under a single framework across the whole EU.
For the purposes of this section, "electronic marketing" or "marketing communications" means marketing via email, messaging services (such as WhatsApp and Facebook Messenger), fax, and SMS.
Some people believe that the GDPR requires consent for practically all processing of personal data. This isn't true. Consent is only one of the six lawful bases for processing personal data under the GDPR.
The current law allows for a "soft opt-in." This allows businesses to send consumers direct marketing communications without consent under certain conditions.
Under the GDPR and the ePrivacy Directive, it's possible to send marketing communications under the lawful basis of "legitimate interests." This is normally only allowed under certain conditions:
Under some Member States' laws, it's also possible if the person has entered into "pre-contract negotiations" for a sale (subject to the last three of the above conditions).
Before you can rely on the lawful basis of legitimate interests, you'll also need to conduct a Legitimate Interests Assessment.
Will the soft opt-in survive?
Early drafts of the ePrivacy Regulation suggested that businesses would no longer be allowed to rely on legitimate interests for direct marketing. This would have meant that all electronic direct marketing would require opt-in consent.
This is not the case in the most recent two drafts. There is a clear mechanism allowing for a soft opt-in. This means that businesses will continue to be able to send marketing communications to their existing customers, without consent, where the soft opt-in conditions are met.
There is no mention of "pre-contract negotiations" in the proposals. This sounds like a minor omission. However, it could be significant in countries, like the UK, where national law allows businesses to send marketing communications to potential customers under certain circumstances.
To put that into context, take a look at this email from Coffee Compass:
This email alerts the customer that they have not completed a sale that they may have intended to complete. This sort of marketing email is permitted under the ePrivacy Directive in some EU Member States, even if the customer has not previously made a purchase from the company.
Under the proposed ePrivacy Regulation, communications like this would no longer be allowed without consent, unless the customer previously had made a purchase from the company.
The proposals could also make the soft opt-in narrower. Member States will be able to assign a time limit, beyond which companies would not be allowed to rely on the mechanism.
This would mean that if you sold a person something a long time ago, you would no longer have the right to send them marketing communications without their consent. Member States could each define how long this period would be under their national law. After this time limit elapses, you'll need to remove the customer from your marketing lists or obtain their consent.
The ePrivacy Regulation would expand into some uncharted territory - the realm of business-to-business (B2B) marketing.
The ePrivacy Regulation would:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.