Having just survived GDPR, the last thing you may want to hear about is the next big change in information law. You may therefore be relieved to know that little progress has been made on finalising the ePrivacy Regulation (ePR); originally meant to come into force at the same time as GDPR, it is now unlikely to be implemented before 2020. The proposed text is still to be agreed by the EU institutions amid significant lobbying from both tech companies and privacy campaigners. Throw in the European elections in 2019 (and Brexit) and it may be delayed until 2021 or later. It is expected that organisations will be given at least a year’s notice between final version approval and the ePR coming into force.
What is the ePrivacy Regulation and how will it affect me?
The ePR aims to supplement GDPR by providing more specific legislation on the confidentiality of electronic communications. It will replace the current law, the ePrivacy Directive, which is implemented in the UK as the Privacy and Electronic Communications Regulation or PECR. Whilst it has significant implications for the communications sector in particular, ePR/PECR also has an impact on email direct marketing and the use of website cookies (and similar technologies).
How will the rules on website cookies change?
Currently a website user’s consent is required for the setting of non-essential website cookies. The ePR aims to streamline the requirement for cookie banners; partly through removing the consent requirement for ‘non-intrusive’ cookies (such as analytical cookies which track website use for statistical purposes) and also by pushing the onus for gaining consent for ‘intrusive’ cookies (such as those used for behavioural advertising) onto the browser operator during the browser set-up process. However, whether this will allow website publishers who partake in behavioural advertising to discard cookie banners altogether is still uncertain.
What about direct marketing?
The proposed wording will still allow unsolicited direct marketing by email without the recipient’s opt-in consent, where there is an existing customer relationship. However, this ‘soft opt-in’ approach will be more limited under ePR as the email address must be obtained in the context of a sale; under PECR the email address can also be obtained during negotiations for a sale.
There is also ambiguity over how business-to-business direct marketing will be affected. As drafted, ePR will remove the distinction between corporate and personal subscribers, which would result in the sender having to satisfy the same requirements for sending marketing emails to corporate recipients as it does for marketing to personal email addresses.
Scope and fines
Like GDPR, the ePR will apply both to organisations established in the EU and to organisations outside the EU who offer services to individuals based in the EU. Even if it comes into force in the EU after Brexit, it will almost certainly be implemented in its material form in the UK. Enforcement will be the responsibility of the Information Commissioner’s Office and the maximum administrative fines for infringement are set at the same levels as for breaches of GDPR.
If you require further information about anything covered in this briefing note, please contact David Morgan, or your usual contact at the firm on +44 (0)20 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, November 2018