While Europe's replacement for the 2002 ePrivacy Directive (the “Cookie Directive”) has yet to pass through the European Parliament, it’s only a matter of time before the ePR (ePrivacy Regulation) becomes law. So, what do this legislation and cookie consent mean for your business? For your online communications? And what effect will this law have on organizations and individuals outside the EU?
CookieScript is here to break down the key aspects of the latest privacy regulation so you’ll be ready when the new law takes effect. You can also read the full text of the ePrivacy Regulation draft on the European Parliament website.
What is the ePrivacy Regulation?
First proposed by the European Commission in January 2017, the Regulation on Privacy and Electronic Communications, better known as the “ePrivacy Regulation” or “ePR”, is intended to succeed and replace the ePrivacy Directive (the “Cookie Directive”) first enacted in 2002. The new regulation has two primary goals: first, to expand consumer privacy protections so they cover emerging technologies, and second, to harmonize electronic privacy rules across all EU member states. Because it is a regulation rather than a directive, it will apply directly in every member state instead of being transposed into differing national laws, which is what produced the uneven implementation the “Cookie Directive” left behind.
Who Will Be Affected by the ePR?
The latest ePrivacy Regulation will apply to:
- Communication service providers. All providers of electronic communication services, regardless of whether they have a physical presence in the EU, will be expected to abide by the rules as they pertain to serving end-users in the EU.
- Entities transmitting and processing data on people in the EU. Any entity that transmits or "processes" the communications (or communication metadata) of individuals in the European Union will find its activities further regulated.
- Businesses storing data on the devices of people in the EU. The ePR will expand the rules on how information may be stored in, and read from, the terminal equipment of end-users in the EU. As with similar regulations, the responsibility for ensuring secure storage still rests with the service provider.
- Marketers targeting the EU. Organizations engaged in direct marketing to persons in the EU can expect changes to what information they may collect, use, and disseminate.
- App developers and communications companies. Organizations that make electronic communication tools (apps, OTT platforms, devices, etc.) available to people in the EU will face more limits on what consumer information can be collected, transferred, and stored.
Yes, the ePR Applies to the Rest of the World, Too
Like the GDPR before it, the ePrivacy Regulation has extraterritorial reach, meaning the regulation extends beyond the borders of EU member states. Enforcement and fines sit with the national supervisory authorities of the member states, as they do under the GDPR. Organizations that do not have a physical presence in the EU but offer electronic communication services (or direct marketing) to end-users in the EU will be required to designate a representative (a type of liaison) established in one of the member states where those end-users are located.
What is Cookie Consent?
Currently, two legal acts outline how cookie consent can be sought and obtained: the ePrivacy Directive and the General Data Protection Regulation (GDPR). It's important to note that even with the GDPR in place, the "Cookie Directive" remains in force. (Once the ePR passes through the European Parliament, however, the ePrivacy Directive will no longer dictate how EU member states implement these rules in their own national laws.)
- The General Data Protection Regulation, more commonly known by its acronym (GDPR), established that consent must be freely given, specific, informed and unambiguous, signalled by a clear affirmative act and presented in plain language. Pre-ticked boxes, silence, or inactivity therefore do not count as consent, so "opt-out" types of consent are disallowed under GDPR. The latest draft of the ePR, with its expanded technological scope, will permit certain forms of implied consent so long as these are at the request of, and in the best interests of, the end-user.
Cookie Consent and ePR: Changes on the Horizon
Cookie consent, the act in which users of electronic communication tools (such as websites) grant permission for cookies and similar identifiers to be stored on and read from their device, is a major topic within the latest draft of the ePR. The draft’s authors want to empower end-users by making the law easier to understand. Additionally, the draft seeks to make it easier for service providers to comply with the law. Here are some of the major changes you can expect to see in the ePR:
Streamlined consent process. In the annex to Section 20, the authors lament a fact many service providers have already discovered (and exploited): end-users have become so inundated with cookie consent requests that many no longer take the time to learn what rights they are signing away when they blindly opt in without reading the information attached to the consent request.
Although the term was struck from the latest draft (October 4th, 2019), "consent fatigue" aptly describes end-users' willingness to gloss over the information contained in these requests. Consequently, this fatigue has led many end-users to undermine regulations designed to protect their personal information. The latest draft includes a few proposals to counter this apathy.
In Section 20a, it is recommended that service providers create a technical solution so end-users may readily consent to certain types of cookie tracking as part of a "whitelist” process. One provision of this fast-track consent process would also include a method for users to easily withdraw consent at any time.
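The mechanics the draft asks for (consent granted per category, nothing non-essential loaded until it is granted, and withdrawal at any time) are straightforward to implement. The following is an added example, not CookieScript's code and not part of the draft; the category names, the `cookie_consent` cookie name and the six-month lifetime are assumptions chosen for illustration. It keeps the browser out of the core logic so the same code can be exercised in Node: the script loader is injected, and the consent record is read from and written to a cookie header string.

```javascript
// Added example (not CookieScript's code): an opt-in consent gate.
// Default is deny for everything except strictly necessary storage; a
// category is only allowed after an explicit grant, and any grant can be
// withdrawn later. Category names and cookie name are assumptions.

const CATEGORIES = ["necessary", "preferences", "analytics", "marketing"];
const CONSENT_COOKIE = "cookie_consent";

class ConsentStore {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.granted = new Set(["necessary"]); // no consent needed for strictly necessary
    this.updatedAt = null;                 // null means the user has never decided
  }

  // Record an explicit, affirmative grant for the listed categories.
  grant(categories) {
    for (const c of categories) {
      if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
      this.granted.add(c);
    }
    this.updatedAt = this.now();
    return this;
  }

  // Withdraw consent; "necessary" cannot be withdrawn because it never needed consent.
  withdraw(categories) {
    for (const c of categories) {
      if (c !== "necessary") this.granted.delete(c);
    }
    this.updatedAt = this.now();
    return this;
  }

  withdrawAll() { return this.withdraw(CATEGORIES); }

  isAllowed(category) { return this.granted.has(category); }

  // Serialise the decision. Storing the consent record itself is strictly
  // necessary (it is how the choice is honoured), so it needs no consent.
  toCookie() {
    const record = { granted: [...this.granted].sort(), updatedAt: this.updatedAt };
    const value = encodeURIComponent(JSON.stringify(record));
    return `${CONSENT_COOKIE}=${value}; Max-Age=15552000; Path=/; SameSite=Lax; Secure`;
  }

  // Rebuild the store from a Cookie header. Unknown categories are dropped
  // and a malformed record falls back to default deny rather than to "allow".
  static fromCookieHeader(header, now) {
    const store = new ConsentStore(now);
    const m = new RegExp(`(?:^|;\\s*)${CONSENT_COOKIE}=([^;]*)`).exec(header || "");
    if (!m) return store;
    try {
      const rec = JSON.parse(decodeURIComponent(m[1]));
      const known = (Array.isArray(rec.granted) ? rec.granted : [])
        .filter((c) => CATEGORIES.includes(c));
      store.granted = new Set(["necessary", ...known]);
      store.updatedAt = typeof rec.updatedAt === "number" ? rec.updatedAt : null;
    } catch (e) {
      // malformed or tampered record: keep default deny
    }
    return store;
  }
}

// Gate third-party scripts by the category they declare. Only scripts whose
// category is allowed are handed to the loader; the list of loaded sources
// is returned so the decision can be checked.
function loadGatedScripts(scripts, store, loader) {
  const loaded = [];
  for (const s of scripts) {
    if (store.isAllowed(s.category)) {
      loader(s.src);
      loaded.push(s.src);
    }
  }
  return loaded;
}
```

In a browser the loader would be something like `src => { const el = document.createElement("script"); el.src = src; document.head.appendChild(el); }`, and `document.cookie` stands in for the header string. The two properties worth keeping when adapting this are that the fallback on any parse failure is deny, not allow, and that withdrawal is a single call the consent banner can expose at all times rather than a path hidden behind a settings page.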
Revised consent process for IoT devices. There are some common-sense changes proposed in the ePR about consent and IoT devices. Consider a user logging into an IoT app to adjust their lighting or thermostat: should they need to go through the consent process as often as someone accessing a website for the first time? Could this form of implied consent be an exception to the previous consensus that all forms of consent must be explicit?
Exemptions for security purposes. The draft of the ePR also clarifies the point that consent should not be required in instances where an information society service intervenes on behalf of the end-user to fix a security vulnerability or "bug" and that this action does not alter the security settings or functionality of the end-user device(s).
Privacy regulations on IoT and OTT services. The latest ePrivacy Regulation draft expands its scope to include over-the-top (OTT) services such as instant messaging, VoIP (voice over internet protocol), and even network-connected IoT (internet of things) devices such as Amazon's Alexa, Google Assistant, and Apple Home.
Clarification on how service providers may “interfere” with users’ devices. The latest draft of the ePrivacy Regulation clarifies a point that previously caused some confusion: "Interference with the end-user's terminal equipment should be allowed only with the end-user's consent and for specific and transparent purposes."
What kinds of interference count as being for “specific and transparent” purposes? Section 20 clarifies what "interference" means and which types are acceptable under the law. Interference may be allowed in situations such as remotely installing a security or software fix, so long as the change does not interfere with the use of the device or weaken the device’s security settings.
Service Providers Still Bear the Responsibility of Compliance
What doesn't change is that entities providing electronic communication services — or a platform for communication — are still solely responsible for ensuring all data collected via cookies is done so with the full, unambiguous consent of users. Likewise, service providers are responsible for information breaches that occur during the collection, storage, processing, and virtually all aspects that involve handling the personal information of consumers.
Why are These Changes Necessary?
New communication technologies have emerged over the last decade, so new provisions are required to protect the privacy rights of consumers. The ePrivacy Directive, as amended in 2009 and transposed into national law by member states by 2011, covered major telecommunication areas such as visitor-tracking cookies, email, fax, phone calls, and text messages. These privacy protections will remain in place, but the scope of the law will expand to include additional methods of communication.
“But, I Already Comply with the ‘Cookie Directive’…”
One common response to the looming passage of the ePrivacy Regulation has been, “I have a cookie opt-in notice on my website. Why should I care about these new changes?” Even if you already have a cookie consent or GDPR notice on your website, you should take the time to review the changes in the law so you can remain compliant (and avoid hefty fines). Fortunately, CookieScript customers can ensure compliance with our free starter opt-in/opt-out banner. If you aren’t already a customer, you should know that CookieScript is free to join — even our feature-rich ‘Pro’ plan is affordably priced.
When Does the EU’s New Privacy Law Go into Effect?
The new legislation was originally slated to take effect in May 2018 alongside the GDPR and the so-called “NIS Directive” (EU Directive on Security of Network and Information Systems). But parliamentary hurdles and successive revisions to the text have delayed its adoption by the European Parliament and the Council. Like other regulations, it will apply two years after the final text is published in the Official Journal of the European Union. This pushes the earliest possible date of application back to some time in 2022 at the soonest.
Have a Question?
Have a question about the ePrivacy Regulation? Want to ensure your website or app complies with the law? Reach out to a CookieScript team member today!