by Alex van der Wolk, Privacy + Data Security Group Global Co-Chair, Morrison & Foerster
- What is this ePrivacy all about? Unlike GDPR, which regulates everything that has to do with personal information, ePrivacy has a more narrow, yet more specific scope of application. ePrivacy regulates certain forms of digital marketing, such as email, but also SMS and soon possibly also marketing via messenger services such as Whatsapp. But that’s not all. All the cookie pop-ups you’ve been seeing on websites over the years? That’s also ePrivacy. And in that domain the requirements are to be expanded also (think device fingerprinting, pixel (re)targeting and any other technology facilitating online tracking and conversion). And then there’s a new area ePrivacy is set to regulate, namely where digital marketing intersects with “brick and mortar”, such as beacon advertizing, wifi tracking, bluetooth marketing – technologies that rely on the proximity of devices.
- But doesn’t GDPR already cover all of this? Well, yes and no. The title ePrivacy may be a bit off-setting here. Unlike GDPR, which applies to anything that has to do with personal information (regardless of the technology used), ePrivacy rather regards just the technology. In fact, for ePrivacy, it doesn’t really matter whether personal information is at stake or not. The mere use of a covered technology may already qualify you for ePrivacy applicability. This also highlights the real tricky part about all of this: it is very well possible that ePrivacy and GDPR apply both at the same time. If you engage certain technology that is covered by ePrivacy AND that use also involves personal information, you may have to comply with both ePrivacy and GDPR.
Speaking of cookies, the ePrivacy Regulation may also contain a specific prohibition on cookie walls: denying access to a website, service, or functionality when the user does not provide consent will not result in valid cookie consent. And once any consent is obtained, the ePrivacy Regulation will likely require companies to remind the individuals of the option to withdraw consent at periodic intervals of either six or twelve months.
But it is not just about more consents. For example, the legislative proposals also suggest imposing an obligation on companies to offer online privacy settings (such as privacy dashboards) through which users can set and manage their online privacy preferences. Building such privacy dashboards would not only be a costly affair for any company, but could bring along a host of other issues. This may be one of the reasons that it is still in flux whether this obligation will make its way into the final text of the ePrivacy Regulation.
- Does ePrivacy say anything about marketing phone calls? Yes, the ePrivacy Regulation will also cover telephone-based marketing. The legislative proposals suggest that voice-to-voice calls should only be allowed if the recipient has not opted out. This doesn’t necessarily suggest an opt-in for marketing calls, but it does make sure that individuals have an opportunity to un-list from being approached by phone for commercial purposes. Many EU countries currently already provide for a similar requirement. In addition, companies conducting voice-to-voice calls may also have to adopt new transparency tactics, such as displaying their calling numbers and using a specific code or prefix identifying the call as a marketing call.
- So what are the risks? Like GDPR, the ePrivacy Regulation will also bring about substantially higher fines. The legislative proposals mention fines that could run up to 2% of a company’s total worldwide annual turnover or €10 million (whichever is higher).
- Where do we go from here? The ePrivacy Regulation is still a work in progress. It is uncertain when it will be finalized, but the latest prognoses are for end of 2018/early 2019. What is certain is that once ePrivacy is finalized, companies will have a one-year transition period to implement the new rules. Companies are advised to start their ePrivacy compliance programs on time.
About the Author
Alex van der Wolk is the global co-chair of law firm Morrison & Foerster’s Privacy + Data Security Group. Based in Brussels, he focuses on data protection information/communications technology law and advises global companies on data protection strategy and compliance governing all aspects of information management. Alex can be reached online at firstname.lastname@example.org and on Morrison & Foerster’s website: https://www.mofo.com/people/alex-van-der-wolk.html.