The ePrivacy Regulation is due to replace the current ePrivacy Directive, which is the European law behind the Privacy and Electronic Communications Regulations (PECR). These are the rules which govern the use of cookies and similar tracking technologies, as well as digital marketing. The new Regulation is intended to bring the ePrivacy Directive into alignment with the GDPR and to introduce changes to the rules governing electronic marketing.
Originally intended to coincide with the GDPR, the introduction of the ePrivacy Regulation has been highly contentious and has met with considerable delay. Towards the end of 2019, the latest draft was rejected by the Council of Europe leading to further delays in its adoption.
The ePrivacy Regulation promised a simpler set of rules on cookies. It would remove the need for cookie banners and notices and allow browser settings to provide a way for users to indicate whether they accept or refuse cookies and other identifiers. It would clarify that consent is not needed for non-privacy intrusive cookies that improve internet experience (e.g. remembering shopping cart history) or analytics cookies used by a website to count visitors.
The new rules would also ban cookie walls (where a website requires users to accept cookies as a condition of being able to access the website’s content).
The proposal will also continue the ban on unsolicited electronic communications by emails, SMS and automated calling machines. However, it is not yet known if this will extend to B2B communications, or simply apply to B2C marketing as at present.
The draft Regulation also introduces more stringent penalties for non-compliance, and bring the sanctions regime and remedies available broadly into line with the GDPR.
It is uncertain what the final form of the Regulation will be. However, given the latest delay, Brexit has now intervened and so the Regulation will not be directly applicable in the UK. Despite that, it is likely that the UK will adopt the new rules as and when introduced. While the UK may be able to make its own decision on this following Brexit, if the UK does not implement the new Regulation that may stand in the way of the adequacy decision the UK needs in order to allow the free flow of data to and from the EEA. Also, the proposed extra-territorial scope of the new Regulation (like the GDPR) means that it will remain directly applicable to UK businesses targeting the EEA. Who said that after Brexit the UK will take back control of its laws?!
Meanwhile, the ICO has also published a draft direct marketing code of practice for consultation. The consultation closes on 4 March 2020 and the ICO expects to finalise it in 2020. The ICO plans to produce additional practical tools such as checklists to go alongside the code.
Some key points include:
- The two lawful bases most likely to be applicable to direct marketing are consent and legitimate interests. However, where PECR applies and requires consent, then in practice consent should also be your lawful basis under the GDPR.
- It is important to keep personal data accurate and up to date. It should not be kept for longer than is necessary. It is harder to rely on consent as a genuine indication of wishes as time passes.
- If you are considering buying or renting direct marketing lists, you must ensure you have completed appropriate due diligence
- Profiling and enrichment activities must be done in a way that is fair, lawful and transparent.
- If you are using new technologies for marketing and online advertising, it is highly likely that you will be required to conduct a data protection impact assessment (DPIA).
- If someone objects you must stop processing for direct marketing purposes. You should add their details to your suppression list so that you can screen any new marketing lists against it.
Once the draft ePrivacy Regulation is finalised and the UK’s position on Brexit is clear, the ICO has indicated that it will update the direct marketing code to take into account of the ePrivacy Regulation.