Since the last year, businesses across the globe have been trying to make comply with the GDPR. Though most have succeeded, a significant chunk of the industry is still struggling.
To avoid making hasty decisions and writing flawed privacy policies, it is always helpful to prepare for upcoming legislation in advance. The ePrivacy Regulation is due to be revised by the Member States next month and is an excellent example of scrutinized security measures. The discussion will revolve around the latest step towards the realization of the EU’s Digital Single Market strategy.
Unlike the GDPR which applies to every single legal person registered in the EU, the ePrivacy regulation will only hold for businesses providing online and digital communication services, using online tracking or engaging in electronic marketing through platforms like WhatsApp, Viber, Facebook, etc. Post the Finnish government’s proposal to amend the Regulation; the EU Council has taken this up for discussion. These discussions will severely affect the digital marketing strategies of companies.
The discussions will suggest amendments primarily to meet the need to clarify the scope of the ePrivacy Regulation and uphold the principle of secrecy of e-communications (content and metadata), save for specific exceptions. Another crucial amendment is to Recital 32 regarding direct marketing. Online targeted advertising shall not be considered unsolicited communication and direct marketing.
Given the comprehensiveness of the new rules related to cookies, script, cookie walls, and “tags” provided by the ePrivacy Regulation, the industry would soon see the emergence of digital consultancies and start-ups providing something akin to “Cookies-as-a-Service” in the EU. The cookie and the anti-spam rules would apply to individuals and corporations alike, which would create significant new administrative challenges to B2B webshops, for instance. Another upcoming challenge for marketers is the requirement to delete metadata unless consent has been provided and exceptions are raised.
Lastly, the enforcement of the Regulation would be taken care of by the Member States’ data protection authorities, as with GDPR. The fines would also remain the same as the GDPR’s under the Regulation. Companies would be charged up to 2% of the annual revenue or 10m EUR (whichever is higher) for infringements of protection of information stored in the user’s terminal equipment. However, given the high amount, it would be unwise for businesses to ignore them.
The personal data and general laws related to digital marketing have been applied very differently across all the Member States. It places a significant burden and costs on SMEs who wanted to conduct their activities across the European Union’s entire digital space. In addition, the citizens are still unsure of the procedure of data collection and associated data breach risks. Of course, it might take a few more months for the implementation of the ePrivacy Regulation.
However, it is useful for businesses to make this text into account and start working on solutions that are compliant by design. The best way to avoid risk is to be prepared, especially taking into account the expected GDPR-mirroring fines.