What is the Electronic Privacy Regulation (ePR)
The new EU cookie law is coming, here are some key things to know about the ePrivacy Regulation (ePR) which is expected in 2022.
The preceding ePrivacy directive (ePD) has been around since 2002 & was updated in 2009. ePD is a voluntary code of practice which was originally designed to compliment the original EU data protection directive (prior to GDPR). It was known as the cookie law and dealt with amongst other things, cookie consent and direct marketing (via email, telephone etc) and is widely considered a relic and largely ineffective in a current context.
Intent of the new Law
The new ePrivacy regulation (ePR) was first proposed in 2017 by the European Commission and is meant to harmonise and enforce ePrivacy rules amongst EU states similar to GDPR. It’s also meant to faciliate the free flow of non-PII data amongst the union as part of a digital single market (DSM) strategy.
Key Changes to Look for!
- Goodbye annoying cookie consent popups, and more focus on browser cookie consent settings. Sanity has at last prevailed on this one as cookie consent popups were largely seen as just an annoyance and meaningless to end users
- Data protection authorities will have ability to fine violators €20 million or 4% of worldwide turnover..(this penalty matches existing GDPR sanctions)
- Extraterritorial scope: To match GDPR, companies operating outside the EU but processing EU citizen data, must comply with ePR
- Separate ePrivacy & GDPR data breach notification rules will be merged into one. Prior to this, there were conflicting notification obligations much to the irritation of data controllers
- Tracking users devices using device-identifying technologies such as clear pixels, web bugs, hidden identifiers, device fingerprinting, etc will now be regulated. Businesses will not be allowed to access users’ devices, or collect information (e.g., device type, browser type, etc.) without explicit consent.
- Expansion of direct marketing prohibition (without consent) to include social media platforms. This is potentially significant and reflects the post 2009 (ePD) explosion in social media platforms.
- Communication metadata must be anonymised or deleted by providers. This would incorporate IoT devices, bluetooth communications, social media providers, mobile devices along with traditional web communications.
It’s important of course to note that the new rules are still in draft stage and are expected to change significantly particularly as marketers will argue over any default cookie blocking legislation. The european data protection board has issued an opinion last March on it’s view of the rules. They are broadly supportive of the proposals but are quick to point out that there concerned about conflicts with GDPR regulations on retention of data for law enforcement purposes for example. They also want more specificity on encryption and explicit prohibition on using cookie walls. Cookie walls are sometimes used by providers to force users to accept a cookie to access a service.
If the directive gets enacted in 2022, we could probably expect fines to appear on the #DPC annual report by 2024 at the latest, judging by GDPR’s first fines which were recorded in 2020.