Thought you’d heard the last of changes to data compliance? Get ready for the new ePrivacy Regulation.
The EU have proposed that the current ePrivacy Directive be replaced by the ePrivacy Regulation (ePR) and sit alongside the General Data Protection Regulation (GDPR), which came into force in May this year. The current Directive is implemented in the UK as the Privacy and Electronic Communications Regulations (PECR) and continues to apply until replaced.
The PECR cover several areas.
The current Directive is commonly referred to as the ‘cookie law’ and will likely be familiar in the form of cookie consent popups or banners on some websites. Consenting to cookies allows a website to recognise a user’s device and store information about preferences or past actions, such as what the user has viewed or clicked on. If a user doesn’t give consent to cookies being used, access to a website can be blocked.
The current Directive (and proposed ePR) aren’t just about cookies though. They focus on personal data protection and all electronic communications. This includes marketing by electronic means, such as:
If you use electronic marketing, cookies or a similar technology on your website, or a phone directory (or a similar public directory), the regulations apply to you.
The PECR apply even if you are not processing personal data.
The current ePrivacy Directive requires local governments to implement it accordingly, which has resulted in inconsistencies where the Directive has been interpreted differently. Like the GDPR, the new rules are regulations (not directives), so they will automatically apply to all EU member states and become legally binding.
The ePR aims to work in conjunction with the GDPR to:
The ePR proposes to remove the consent requirement for non-privacy-intrusive cookies, such as those that remember what’s in your shopping basket. The Regulation also aims to simplify the use of cookies by requiring internet browsers (such as Google Chrome or Firefox) to give users more control over how cookies are used on their devices or internet browsers. This means control of any private or sensitive information stored and settings to allow or deny cookie use.
The changes would include no longer seeing cookie pop-ups or banners on individual sites, as we would be able to set the types of cookies that are deployed when we first set up a browser.
Consent to tracking will have to be given in line with the GDPR definition, i.e. it will have to be ‘freely given, specific, informed, unambiguous’. Tracking personal devices via cookies or tracking people without their clear approval through public hotspots or Wi-Fi will also be prohibited.
Direct marketing by electronic means is allowed if an individual has provided consent to receive such communications. So, contacting a named person’s business email address directly would require consent for email marketing. Contacting a generic business email address, for example info@XXXXX dot com, would not.
Available methods of consent include:
It should be as easy for consent to be withdrawn as it is to give it, so you’ll need to make it clear how an individual can do this.
Like the GDPR, if the new ePR is breached the ICO can impose a fine of up to £500,000. The ICO can also pursue criminal prosecution.
Again, like working with third parties under the GDPR, if you pay someone else to do your marketing, you are both responsible for complying with the ePR. If someone else makes calls on your behalf or sends your emails, you are still responsible, as you are ‘instigating’ those calls or messages, i.e. they are coming from you.
The ICO recommend having a written contract that sets out the responsibilities of any third party you work with.
The ePR is designed to sit alongside, and work in conjunction with, the GDPR and to strengthen the control individuals have over the use of their personal data. It was proposed that the new ePR would be implemented at the same time as the GDPR but was delayed.
Be aware! We don’t yet know the date when the ePR will be published or applied, but changes are afoot. Preparations made ahead of the GDPR implementation should mean that you’re compliant, so you’re in good shape.
Our GDPR for Schools conference will be providing more information and guidance on the new ePR, as well as an update from the ICO.
Taking place in London on 27 November and Manchester on 24 January 2019, you can secure your place now.