
The EU ePrivacy Regulation: What is it and why should you care?

Posted by Chris Scott

EU regulations hit the headlines again this week, as the UK’s Information Commissioner’s Office issued the first ever GDPR notice to analytics firm Aggregate IQ for its misuse of data to support the Vote Leave campaign.

This is another example of the consequences of malpractice when it comes to the collection and handling of personal data.

But businesses that got their ducks in a row before GDPR came into force benefited from a smoother transition and, in many cases, have enjoyed an improved relationship with their customers since May 25th.

That’s why a new regulation, closely related to GDPR, should be viewed as a new opportunity for businesses to streamline their communication channels and build greater trust with their customers.

 

Introducing the ePrivacy Regulation

ePrivacy is a forthcoming EU regulation, designed to better protect the privacy of personal data and metadata within electronic communications.

Replacing the outgoing ePrivacy Directive, which mainly regulated email and SMS, the ePrivacy Regulation will encompass modern communication services including WhatsApp, Facebook Messenger, Gmail and Internet of Things (IoT) devices.

To ensure confidentiality, the Regulation mandates that organisations must not store, monitor, scan or otherwise intercept the electronic communications data of their users.

Under the Regulation, individuals can also pre-determine their consent for cookie usage in their browser, with an option available to prevent third parties from storing or processing information on the user’s device.

Organisations must respect these preferences, giving end-users more control over the way in which their movements are tracked online and removing the need to confirm consent for each individual website.

 

How is it different to GDPR?

Although ePrivacy has been designed to complement GDPR, it is likely to require additional measures to ensure compliance. Organisations should therefore be aware of the key differences between the two regulations.

For example, while GDPR protects the personal data of EU residents in all forms, ePrivacy is specifically related to the electronic communications sector. Regulators will therefore consult ePrivacy for any data privacy issues relating to compromised online communications.

Unlike GDPR, ePrivacy will also regulate the handling of non-personal data, such as an individual’s preferences around the use of cookies online. Importantly, it also protects sensitive metadata derived from electronic communications, such as the time and date an end-user initiated a call or online chat, and where the communication took place.

Ultimately, the key difference that organisations should bear in mind is that GDPR protects users’ personal data in all forms, while ePrivacy will better protect individuals’ right to a private life.

 

What does this mean for businesses?

ePrivacy will apply to any business that services EU-based end-users with an electronic communication service, uses technology to track online activity or conducts direct marketing online. It’s therefore likely that many will need to make changes to their operations.

Specifically, ePrivacy could necessitate a rethink when it comes to marketing and advertising online. For example, many organisations rely on customer analytics to inform their direct marketing communications but, under ePrivacy, will have to secure prior consent before tracking behaviour and launching such communications.

The Regulation will be enforceable as law in all member states upon implementation, with severe financial penalties for non-compliance. At present, it is unclear when ePrivacy will be implemented, with most experts predicting a 2019 implementation date.

Until clear guidance and timelines for compliance with the ePrivacy Regulation are provided by the EU, the best advice would be to ensure that businesses are fully compliant with both GDPR and the existing ePrivacy Directive.

Getting organised today will help businesses to both ensure compliance when implementation does arrive, and build trust with their customers.