Thought you’d heard the last of changes to data compliance? Get ready for the new ePrivacy Regulation.

The EU have proposed that the current ePrivacy Directive be replaced by the ePrivacy Regulation (ePR) and sit alongside the General Data Protection Regulation (GDPR), which came into force in May this year. The current Directive is implemented in the UK as the Privacy and Electronic Communications Regulations (PECR) and continues to apply until replaced.

The PECR

The PECR cover several areas.

• The security of public electronic communications services.
• The privacy of customers using communications networks or services regarding traffic and location data, caller ID and call return, and directory listings.

The current Directive is commonly referred to as the ‘cookie law’ and will likely be familiar in the form of cookie consent popups or banners on some websites. Consenting to cookies allows a website to recognise a user’s device and store information about preferences or past actions, such as what the user has viewed or clicked on. If a user doesn’t give consent to cookies being used, access to a website can be blocked.

The current Directive (and proposed ePR) aren’t just about cookies though. They focus on personal data protection and all electronic communications. This includes marketing by electronic means, such as:

• phone calls
• emails
• texts
• instant or social media messaging (e.g. Skype or WhatsApp)
• apps
• faxes.

If you use electronic marketing, cookies or a similar technology on your website, or a phone directory (or a similar public directory), the regulations apply to you.

The PECR apply even if you are not processing personal data.

What’s changed?

The current ePrivacy Directive requires local governments to implement accordingly, which has resulted in inconsistencies where the Directive has been interpreted differently. Like the GDPR, the new rules are regulations (not directives), so they will automatically apply to all EU member states and become legally-binding.

The ePR proposes to remove consent for non-privacy intrusive cookies, such as remembering what’s in your shopping basket. The Regulation also aims to simplify the use of cookies, by requiring internet browsers (such as Google Chrome or Firefox, for example) to give users more control over how cookies are used on their devices or internet browsers. This means control of any private or sensitive information stored and settings to allow or deny cookie use.

The changes would include no longer seeing cookie pop-ups or banners on individual sites, as we would be able to set the types of cookies that are deployed when we first set up a browser.

Consent

Consent to tracking will have to be given in line with the GDPR definition, i.e. it will have to be ‘freely given, specific, informed, unambiguous’. Tracking personal devices via cookies or tracking people without their clear approval through public hotspots or Wi-Fi will also be prohibited.

Direct marketing by electronic means is allowed if an individual has provided consent to receive such communications. So, contacting a named person’s business email address directly would require consent for email marketing. Contacting a generic business email address, for example info@XXXXX dot com, would not.

Available methods of consent include:

• signing a paper consent statement
• ticking an opt in box
• clicking an opt in button or link
• selecting from yes/no options
• choosing technical settings/through a dashboard
• responding to an email
• answering ‘yes’ orally to a clear request
• volunteering information for a specific purpose.

It should be as easy for consent to be withdrawn as it is to give it, so you’ll need to make it clear how an individual can do this.

What does it mean for schools?

Like the GDPR, if the new ePR is breached the ICO can impose a fine of up to £500,000. The ICO can also pursue criminal prosecution.

Again, like working with third parties under the GDPR, if you pay someone else to do your marketing, you are both responsible for complying with the ePR. If someone else makes calls on your behalf or sends your emails, you are still responsible, as you are ‘instigating’ those calls or messages i.e. they are coming from you.

The ICO recommend having a written contract that sets out the responsibilities of any third party you work with.

How does it relate to the GDPR?

The ePR is designed to sit alongside, and work in conjunction with, the GDPR and to strengthen the control individuals have over the use of their personal data. It was proposed that the new ePR would be implemented at the same time as the GDPR but was delayed.

What do we need to do?

Be aware! We don’t yet know the date when the ePR will be published nor applied but changes are afoot. Preparations made ahead of the GDPR implementation should mean that you’re compliant so you’re in good shape.