ePrivacy Regulation: what will the new EU law mean for your business?

On January 10, 2017, the European Commission has published an official draft of the so-called ePrivacy legislation which changes its status from a Directive to a Regulation. Not sure what this means? The change will have far-reaching consequences for EU law as the new ePrivacy regulation will surely impact the way business software is used. Read on to see what it will mean for your company’s digital setup.

A proposal for new rules concerning the respect for private life and personal data in electronic communications is available here. It has been given the name ‘Regulation on Privacy and Electronic Communications’, and is supposed to apply from 25 May 2018.

That’s not going to leave much time for businesses to react, right? So you’d better know in advance what’s being planned.

Let’s discuss why it was needed in the first place.

Why Is the New ePrivacy Regulation a Necessity?

The short answer is that the old EU law simply didn’t work and was outdated. Easy as pie!

All the rules were originally contained in Directive 2002/58/EC. The ‘directive’ status meant that the Member States were given a goal to achieve, but they had the freedom to decide the best way to do it within their individual legal systems. As a result, the rules surrounding electronic communications vary across the EU.

Since its introduction in 2002 and later amendments in 2009, online communication has evolved a lot, especially when it comes to services available via Internet-based apps (think Skype, WhatsApp, Facebook Messenger and the like).

Having a ‘regulation’ means that all Member States of the EU will be obliged to adopt a set of requirements harmonised at the global level. In other words, all the countries will need to apply exactly the same set of rules when it comes to implementing the resolutions of the new e-Privacy Regulation.

The Meaning Of the New EU Law for Your Company

The ePrivacy proposal seeks consistency with the General Data Protection Regulation regarding processing data in electronic communications. It broadens the scope to include web mail, VoIP, instant and social media messaging.

Surely you’ve heard of GDPR (and if not, it’s high time you did!). The new privacy law will enter into force in 2018. One of the key changes is that individual visitors will have to be provided with accurate information on the kind and purpose of data that is collected. Businesses will have to seek ‘explicit’ consent before any collection takes place. A breach may lead to fines of up to 20 million EUR or 4% of turnover of the company responsible.

The ePrivacy draft suggests that the European Commission wants to apply the GDPR’s consent requirements. Let’s consider what that’s going to mean for your corporate website.

One important change is the promise to simplify the cookies rules. Yes, these annoying little pop-ups that nobody reads will probably go. The new draft proposes to remove the requirement for information when cookies are used for configuration or are technically indispensable to render a given service, such as managing a shopping cart.

And in the case of cookies used for tracking, the information won’t have to be used if the user’s web browser is set to signify consent or refusal. This is simply an endorsement of Do Not Track (DNT), which means that DNT has finally gained official support. Check out this post to see what DNT can mean for your analytics data accuracy.

Some other key changes proposed in the ePrivacy Regulation come in Art. 8:

First of all, pay attention to the wording “collection of information from end-users’ terminal equipment (…) shall be prohibited.” If the ePrivacy wording remains like this, the usage of 3rd party analytics platforms could become illegal, making self-hosted tools preferable for privacy compliance.

Companies will definitely have to pay much closer attention to ongoing monitoring of their websites and ensure that their tools remain compliant with every change they introduce. You will also have to pay special attention to the tags you install on your website and make sure all the tools you pass the data to are in compliance with these new rules.

Secondly, such wording of EU law could also limit the usage of other 3rd party tools, such as those for detecting adblocks using client-side scripts. Think of publishers blocking access to content for users of Adblock Plus and alike! That would also potentially mean that a growing group of adblock users could not be tracked. Read this post to learn more about the way adblocks impact the operation of your web tracking efforts.

Are you ready to quit your cloud-hosted tools and switch to exclusively on-premises software? Be realistic and keep in mind this isn’t a move that can be made overnight.

Instead of Conclusion

To wrap up, it seems clear that businesses will need to ensure that assets like user data are protected and processed in an adequate manner. The new EU law will certainly be an opportunity to evaluate risks and improve your data protection processes.

This is of course, just a proposal of the ePrivacy Regulation, so you can expect a lot of lobbying from the industry. That said, we can see which the direction the new EU law is going, and that failure to be in compliance will be quite costly. But better safe than sorry, huh? So it’s probably time to start getting ready for some serious changes.