Heads up: ePrivacy regulation is coming

The EU's new wide-reaching privacy regulation, the ePrivacy Regulation, could be more impactful than the GDPR, and it will affect companies in the US.

This is a contributed article by Brussels-based of counsel Alja Poler De Zwart at law firm Morrison & Foerster.


In the shadow of the General Data Protection Regulation (GDPR), another storm is brewing around the new ePrivacy Regulation of the European Union (EU), which governs certain forms of marketing and the use of cookies and similar technologies. The new ePrivacy Regulation is expected to be adopted at the beginning of next year and will repeal the current ePrivacy Directive. Its purpose is to bring the ePrivacy rules on par with the GDPR and create harmonization across the EU.


Why should you care about this? The ePrivacy Regulation will not only impose considerably stricter requirements on marketing activities and the use of cookies and similar technologies, but it will also bring about substantially higher fines that mirror the GDPR penalties. The legislative proposals mention fines that could run up to 2% of your company's total worldwide annual turnover or €10 million (whichever is higher).

Note further that the ePrivacy rules do not attach to where companies are established, but instead to where the users are located. So even if your company has no physical presence in the EU, the ePrivacy Regulation may apply if your company markets to individuals in the EU, or uses cookies and/or similar technologies on their devices.


GDPR versus ePrivacy? There is a lot of confusion about the relationship between the GDPR and the ePrivacy rules. The GDPR covers processing of personal information. The ePrivacy rules cover specific uses of technology (such as email, SMS, cookies, and device fingerprinting) whether or not personal information is involved. In other words, when your company is, for example, using email as a vehicle to deliver marketing communications, ePrivacy rules kick in. This means that your company needs to comply with the ePrivacy requirements on top of the GDPR ones.


What are the biggest changes? While the current ePrivacy rules already require consent for sending marketing via email and SMS, the ePrivacy Regulation suggests extending the scope to also cover other electronic communication methods (such as WhatsApp) when used for marketing. Consent is currently also required for the use of certain cookies and other similar (tracking) technologies. This will not change under the ePrivacy Regulation. Note, however, that consent will need to be compliant with the GDPR conditions for obtaining valid consent. This means, among other things, that the ePrivacy consent will require a statement (i.e., a clear affirmative act) from the individual. Merely continuing to use a website will likely not provide valid consent, and this might have far-reaching consequences for obtaining implied consent for cookies and similar technologies — the practice that has generally been allowed in the majority of EU Member States.

Speaking of cookies, the ePrivacy Regulation may also contain a specific prohibition on cookie walls: denying access to a website, service, or functionality when the user does not provide consent will not result in valid cookie consent. And once any consent is obtained, the ePrivacy Regulation will likely require companies to remind the individuals of the option to withdraw consent at periodic intervals of either six or twelve months.

Furthermore, the ePrivacy Regulation may also apply to WiFi or other location-based tracking technologies that are not regulated under the current ePrivacy rules. Such technologies may, for example, be used for serving targeted ads when individuals enter a town area or a store. Whether this type of tracking will require the individual's consent (more likely), or merely a simple opt-out possibility, will depend on the outcome of the upcoming negotiations between the Commission, the Parliament, and the Council.


Will ePrivacy settings become an obligation? The legislative proposals from the Commission and the Parliament impose an obligation on companies to offer online privacy settings (such as privacy dashboards) through which users can adjust their privacy preferences at all times. Building such privacy dashboards would not only be a costly affair for any company, but could bring along a host of other issues. This may be one of the reasons that the language was dropped from the latest proposal prepared by the Council. Whether the privacy settings will find their way back into the final draft of the ePrivacy Regulation remains to be seen and is likely to be subject to intense lobbying efforts.


What about marketing calling? The ePrivacy Regulation will also cover telephone-based marketing. The legislative proposals from the Commission and the Council propose that voice-to-voice calls should only be allowed if the recipient has not opted out, while the Parliament furthermore proposes setting up national do-not-call registries in all EU Member States. Companies conducting voice-to-voice calls may also have to adopt new transparency tactics, such as displaying their calling numbers and using a specific code or prefix identifying the call as a marketing call. Additionally, telecom providers might need to deploy state-of-the-art measures to — free of charge — block marketing calls (along with other numbers, to be specified by the individual).


What do we know for certain? The ePrivacy Regulation is still a work in progress. What is certain is that companies will have one year to become compliant with the new rules, starting from the moment the ePrivacy Regulation is adopted. Companies are therefore advised to start their ePrivacy compliance programs on time.