The new draft ePrivacy Regulation changes on digital marketing

The new draft of the ePrivacy Regulation introduces substantial changes. The final approval still appears far to happen, but companies may start to get ready.

The saga on the ePrivacy Regulation seems endless. Our Tommaso Ricci had given an update on the version published in January 2019 (Read ePrivacy Regulation – Status and interplay with the GDPR) in LawBytes. But on 8 November 2019, the Finnish government issued a revised proposal for the ePrivacy Regulation with some amendments concerning electronic communication content, data & metadata, and further processing of metadata.

In this post, there is a summary of the amendments and the broader text as it currently stands.

What changes with the new draft of the ePrivacy Regulation?

The main changes introduced in the latest draft of the ePrivacy Regulation can be summarized as follows:

1. Article 6 provides that data can be processed for the provision of electronic communication services;
2. Article 7 imposes the obligation to erase electronic communications data when no longer necessary for the purposes of the processing;
3. Recital 20 clarified when consent to the processing of cookies cannot be a condition to access to a service if there is an imbalance between the end-user and the service provider which might be for instance in a dominant position;
4. Recitals 12 limited the scope of applicability of the ePrivacy Regulation to M2M electronic communications when carried out via a publicly available electronic communications network; and
5. Recital 21 allowed the access or processing of data on terminal equipment without the consent of the relevant end-user when necessary to provide a service requested by the latter e.g. the storage of session cookies used during the online filling of forms and the usage of authentication cookies to verify the identity of end-users engaged in online transactions. But the exemption applies also to IoT devices such as connected cars, connected eHealth products, and connected smart home devices when the storage and processing of data is necessary for the performance of the service.

The current status of the draft ePrivacy Regulation

Below is a summary of the current version of the draft ePrivacy Regulation:

1. Anti-spam rules might exclude online advertising

As under the current framework of the ePrivacy Directive, unsolicited commercial communications by electronic means (“spam”) are prohibited, except if the recipient gave consent. No consent is needed though for the sending of commercial emails to existing customers to advertise their similar products, but every communication must include an opt-out possibility. The scope of these rules still appears to be subject to discussion, in particular, their applicability to both online advertising displayed to the general public and targeted advertising.

Basically the current version would extend rules set out by the ePrivacy Directive for emails, faxes and automatic calling machines to any sort of unsolicited commercial communication. This scenario would exclude the possibility to rely on legitimate interest for this activity.

2. Cookies and similar files/tags still subject to the prior consent

The draft of the ePrivacy Regulation also provides comprehensive rules for the use of web cookies and similar files or tags, considerably extending the current regulations. The scope of these rules has been substantially extended compared to the old ePrivacy Directive, referring now to any use of the storing or processing capabilities of the device (and not merely the storage or retrieval of information). In other words, cookies and stored information remain covered, but so are now specific scripts and tags.

The use of cookies (and similar files/tags) requires consent in general. However, the ePrivacy Regulation provides for numerous exemptions, including both already familiar exemptions (cookies necessary for communication or technical reasons) as well as new exemptions such as (certain forms of) analytics, security (incl. fraud prevention), software updates and execution of employees’ tasks as well as the further exemptions listed above.

The quality of consent should, in general, correspond to the criteria provided by the General Data Protection Regulation (GDPR). However, the ePrivacy Regulation should, to some extent, allow consent through browser settings, and currently contains several references to the possibility to give consent by software-related technical means.

As far as ‘cookie walls’ are concerned (the practice of blocking access to content until a user gives consent to, e.g., advertising cookies), they are not prohibited in principle provided the user is offered an ‘equivalent offer‘ that does not involve the need for such consent.

3. Secrecy requirements still applicable to M2M and IoT communications

The draft ePrivacy Regulation attempts to clarify the difference between the rules on electronic communications content, electronic communications metadata, and electronic communications data (common rules for content and metadata).

The common principle remains that of secrecy of electronic communications data, save for specific exceptions, e.g., metadata can now be processed for network management or network optimization, or statistical purposes. There is also now a specific possibility to process metadata for ‘compatible‘ purposes subject to compliance with a specific process.

These rules apply not only to communications between humans, but also the so-called “machine-to-machine” communications relevant for Internet of Things devices.

What is going to happen next?

There is still uncertainty as to the timing of the final adoption of the ePrivacy Regulation. It seems that the Finnish Presidency is unlikely to reach a final approval before the end of their mandate which is going to happen in December 2019. However, it appears that the discussion now shifted from technical experts to politicians and we will have to see the developments in the coming months.

What does this mean for organizations?

While the text of the ePrivacy Regulation is not final, it is useful for organizations to consider it already when contemplating any long-term product or project. For instance, organizations embarking on significant Internet of Things projects may wish to take into account secrecy of electronic communications, to avoid having to stop or redesign the project in a year or two. Any organization contemplating a new flagship website or application may also wish to reconsider widespread use of tags rather than cookies if the intent was to avoid the applicability of the cookie rules, as the rules will at some point be the same.

More generally, it can be useful for organizations to identify key fields of activity that will be impacted by the ePrivacy Regulation, so that when the final text arrives, they can more rapidly engage in a readiness exercise.