The EU is proposing regulation around ePrivacy. We consider the business implications of introducing the measure and recommend using it as an opportunity to manage data better.
The EU’s proposed ePrivacy regulation targets how businesses handle consent and data in electronic communications. It was first proposed by the European Commission (EC) in January 2017. As yet the proposal remains just that and its first reading in the European Parliament has been delayed. The plan is for it to become law in May 2019.
Like GDPR, the regulation applies to EU-based companies and those serving EU-based citizens. It has four cornerstones:
All electronic communication must be confidential
Confidentiality of users’ online behaviour and devices has to be guaranteed
Processing of communications content and metadata must be carried out on the condition of consent
Spam and direct marketing communications require prior consent
According to Iain Bourne, our data privacy leader, the thrust of the regulation is in tightening up companies’ policies and addressing their marketing practices.
“Currently it’s easy for a business to sell to another business by contacting the relevant person. We may go to a consent model, meaning businesses must obtain permission before marketing to their clients in industry,” he explains.
Bourne says it also risks furthering cookie fatigue, where websites are constantly demanding permission to use a cookie.
Unsurprisingly, the delay has raised questions about whether the regulation will pass through the different organs of the EU by its intended deadline. “Most people think it won’t be ready in time,” adds Bourne. “But they said that about GDPR. When European regulation is being passed, you often get a lot of significant changes at the end of the negotiation. So everything we say about ePrivacy is slightly speculative at the moment.”
It will, however, be a regulation rather than a replacement of a directive. The EC believes it can better foster a digital single market by imposing the same laws on companies across the EU, rather than issuing a more vague directive that is open for member states to interpret.
The current nature of Brexit means it is difficult to say whether the UK will have to comply. Bourne’s advice is to see the new regulation as a pointer towards good practice and an opportunity to improve governance around data.
Manu Sharma, partner and our head of cyber assurance, agrees: “Many companies understand that they should be getting to the same objective as the regulation and shouldn’t wait for it to be finalised before they start working on it.”
The opt-in model for consent around marketing means companies will have a narrower, more focused database of clients that want to be marketed to, so conversion rates should be much higher.
Regardless of the timeframe of any implementation period, businesses would be wise to comply swiftly to achieve best practice. “We don’t know what the law will say, but it’s a good opportunity for businesses to sort out their marketing database and better understand how to get consent and manage data in terms of record-keeping,” concludes Bourne.
Europeans call for stronger privacy protections online
92% say it is important that personal information on their computer, smartphone or tablet can only be accessed with their permission
92% say it is important that the confidentiality of their emails and online instant messaging is guaranteed
82% say it is important that tools, such as browser cookies, that monitor their activities online should only be allowed with their permission
For more information or to talk to someone about how ePrivacy affects you, speak to Iain Bourne.