With the GDPR on the horizon, the EU is now overhauling and expanding the reach of the more specific privacy rules which relate to direct marketing, cookies and other forms of online monitoring. The ability of social media and messaging services to track users is one of many areas touched on in the European Commission’s newly proposed ePrivacy Regulation. This article sets out some key impacts of the Regulation, provided the proposed draft passes through the legislative process without dramatic changes.
On 19 January 2017, Olswang and ADTEKR held a webinar on the new Regulation.
Why are the rules being updated?
Since the last review of the EU’s Privacy and E-communications Directive (PECD) in 2009, a new typology of players has emerged offering communication services that many end-users perceive as comparable to traditional electronic communications services such as telephone calls and SMS messaging.
These new players, so-called Over-the-Top communications services (“OTTs”) (e.g. Skype, Gmail, WhatsApp), are generally not subject to the current EU electronic communications rules (although they often comply voluntarily); the Regulation proposes to change this.
The proposed new rules are designed to align with the stricter new general privacy rules under the GDPR (drawing on certain definitions and concepts used in that Regulation), which will come into force in 2018. Like the GDPR, the proposed new e-communications rules would take the form of a directly effective Regulation, to help iron out differences in different EU Member States.
Is the scope of the regime changing?
The new Regulation applies to the processing of electronic communications data carried out in connection with the provision and use of electronic communications services in the Union, regardless of whether or not the processing takes place in the Union. This extra-territorial effect is a significant change from the current Directive.
In addition to traditional voice, text and e-mail services, the provisions on confidentiality, the processing of electronic communications data, and storage and erasure of such data would apply to:
- OTTs such as unmanaged VoIP, instant messaging, web mail and social media messaging, and
- Machine-to-machine communication (i.e. IoT technology), should the information or metadata exchanged between two devices be deemed to contain personal data.
The proposal’s broad definition of “electronic communications services” is likely to apply to all services that have a communications element – meaning dating apps, video game services, travel and e-commerce sites – even where the communications element is merely “ancillary” to another service.
Cookies: what are the proposed changes?
The new Regulation applies to cookies, spyware, web bugs, hidden identifiers and device fingerprinting. It prohibits the use of “processing and storage capabilities of terminal equipment and the collection of information from users’ terminal equipment, including about its software and hardware”, unless consent is obtained or one of a small number of narrow conditions is met. “Consent” has the same meaning as under the GDPR, i.e. freely given, specific, informed, active and unambiguous consent expressed by a statement or clear affirmative action.
However, in the context of cookies, such consent may be expressed by browser settings and the Regulation places specific obligations on browser providers to ensure that appropriate consent settings and options are given to individuals.
There is a new exception to the cookie consent rules, meaning those awkward banners and pop-ups won’t be needed where cookies are only used for:
- web audience measuring – but this applies only to first party cookies.
This sits alongside the familiar exceptions, i.e. where the use of the cookie:
- is necessary for the sole purpose of carrying out the transmission; or
- is necessary for providing an information society service, e.g. to add items to a shopping cart.
Websites wanting to rely on cookies for marketing, tracking and behavioural purposes will therefore need to consider the browser consent users have given. In practice, we expect that websites will continue to want to get opt-in consent to override this and therefore pop-up consent boxes will remain a regular sight despite the European Commission’s intentions.
The collection of device information e.g. for Wi-Fi log-ins is prohibited, other than for the purposes of establishing the connection, unless a “clear and prominent” notice is displayed “on the edge of the area of coverage” informing the user of:
- how the data will be collected;
- the purposes for which it will be used; and
- the person responsible for collecting it and any other information required under the transparency requirement of the GDPR to make such processing fair.
Such notices may be provided by means of standardised icons – to be developed under the “delegated acts” provisions of the Regulation – to make this information user-friendly.
The Regulation proposes web browsers, and other applications that permit the retrieval and presentation of information on the internet, should provide users, at the moment of installation, with a clear and accessible choice on their privacy settings, which will be binding on third parties.
The ‘choice’ should be as user-friendly as possible, whereby users are offered a set of privacy setting options, ranging from higher (e.g. never accept cookies) to lower (e.g. always accept cookies). Further, the information provided should not dissuade users from selecting the higher privacy settings.
What will be the impact on adtech?
From an adtech (and wider digital advertising) perspective, the concern will be the validity of the currently operated AdChoices scheme. As this works on an opt-out basis, it is difficult to see how it remains valid where a user has the equivalent of “do not track” activated in their browser. More emphasis will therefore be placed on publishers as the direct conduit to the user (i.e. the direct contact point for a user). Although the legal requirement for compliance remains with the party setting the cookies, other parts of the adtech ecosystem, which have no direct user interaction, will be increasingly reliant upon publishers obtaining consent from users to permit behavioural advertising. This applies particularly where the user has a do-not-track setting activated, since the publisher and advertising provider will then need to obtain explicit opt-in consent to override it.
Can users still use ad blockers?
The proposal does not regulate the use of ad blockers specifically, but instead gives website providers the ability to check if an end-user’s device is able to receive their content, without obtaining the end-user’s consent – this is a useful clarification.
Should the end-user’s device be unable to receive the content requested, due to the user’s own configuration, it is then up to the website provider to respond appropriately, for example, by asking the user if they would be willing to switch off their ad blocker for the relevant website.
Practically, what should companies do?
And remember: if you are currently processing data on EU citizens but are based outside the EU (and hence not required to comply with current European data protection laws), you will now be subject to the revised Regulation.
Given how far communications media and advertising techniques have evolved since 2002, or even 2009 when the PECD was last updated, the overhaul of the rules is overdue.
The current cookie rules in particular have been widely ridiculed, so reconsideration is welcome. However, it is unfortunately not clear that the proposals will in practice mean an end to, or a substantial decrease in, pop-up consent boxes and banners, and the high consent threshold (set to align with the GDPR) is likely to be unpopular in many circles. Whether or not the rules will achieve a truly “future-proof” state also remains to be seen. The Commission’s aim is for the new rules to come into force at the same time as the GDPR. Whether this is realistic depends on how much lobbying it attracts from the wider domain of digital businesses now in scope, and on the scrutiny of the other European institutions: the European Parliament, for one, has already publicly said it is disappointed with the lack of a requirement for explicit opt-in consent. Watch this space to see whether this results in changes to the draft Regulation in the coming months.