Data privacy pros wiping their brows after preparing their companies for the new European General Data Protection Regulation (GDPR) better get ready for the next challenge: Preparing to comply with the upcoming EU ePrivacy Regulation.
Although it’s likely a year away from coming into effect, a Canadian lawyer told marketing and privacy experts last week that this proposed regulation covers content and metadata in everything from email messages and SMS texts, machine-to-machine communications and over-the-top providers like Skype, Facebook Messenger and WhatsApp.
“I think it’s of great concern to marketers,” Bill Hearn, a regulatory law specialist in the Folger Rubinoff firm told a Toronto workshop sponsored by the Canadian Marketing Association.
“It has very wide scope, broader than GDPR, and will apply to any organization that provides any form of online communication or utilizes tracking technology or that engages in electronic direct marketing” from an organization that gathers data from devices in the EU.
The ePrivacy Regulation (ePR) will replace the current ePrivacy Directive, which, allowed each EU country a certain amount of discretion in enforcement. The ePR will apply to all countries that adopt it.
Briefly, the ePR will try to simplify the rules for web site cookies and streamline the consent approval users have to give for allowing cookies. Consent won’t be needed for non-intrusive cookies aimed at improving user experience.
A proposed change in wording that came out in July, Hearn said, clarifies that an initial consent for a cookie on a web site will be good enough for subsequent visits. There would also be consent exemptions for cookies used only for statistical and analytic purposes, as well as for information needed to fix security bugs.
“Some say it will be the end of the cookie banner,” Hearn said. However, he’s skeptical.
[One site says ePR will merely mean exchanging one cookie pop-up for another]
For those in direct marketing to consumers, he noted, the ePR proposes that the marketer has to obtain opt in consent of a recipient to send messages. The July guidance would allow EU countries adopting the ePR to impose a 12 month time limit for those trying to market similar products and services to the customer after getting initial consent. (After 12 months additional consent would be needed.)
Because the ePR principles are similar to the GDPR it’s important companies aiming products and services at the EU be familiar with the GDPR if they aren’t already, he said.
The final version of the ePR hasn’t been set yet so the negotiations in Europe have to be watched, he added.
Companies here aiming products and services at the EU or widely collecting personal data should be “very concerned,” Hearn said in an interview, because just like GDPR the proposed ePR could apply to them.
Like GDPR, even if a firm doesn’t have a physical presence in EU countries the ePR will apply to them if they collect personal data of EU residents.
“The proposed rules for cookies are different than the existing directive, the rules on direct marketing are different,” he noted, “and you don’t want to trip up on those because the penalties under (ePR) will be as severe as under the GDPR.”
If your firm is already exhausted by complying with the Canadian Anti Spam Law (CASL), he added, it might consider scaling back its EU-aimed data collections for the time being.
The ePR guarantees privacy for communications content and metadata (such as time of a call and location). Metadata has to be anonymized or deleted if users don’t give their consent, unless the data is needed for billing.
Like CASL, unsolicited electronic communications by emails, SMS and automated calling machines would be banned. Depending on national law people will either be protected by default or be able to use a do-not-call list to not receive marketing phone calls. Marketing callers will need to display their phone number or use a special prefix that indicates a marketing call.
