The good news is that in planning our GDPR compliance program we can now also begin to include cookie, tracking and direct marketing activities. The bad news is that the proposed E-Privacy Regulation (“E-PR”) is still not fully formed and we will most likely have a maximum of 6 months to adapt these activities from when it is.
For most businesses there are two key areas that will be affected:
1. Cookies and tracking technologies
This is where the proposed Regulation will make most changes and have the most practical everyday effects. However, given the impact, we can see this being the area where significant amendments are made between proposal and final regulation.
Under the current legislation, the default position is that placing any cookie or other technology on a user’s device requires consent and prior information about the purposes, unless the cookie is required for the transmission of communications or to provide an information society service requested by the user (which covers most online and e-commerce activities). However, for many “necessary” or “obvious” cookies implied consent is widely regarded as sufficient (e.g. for shopping carts or language preferences). And in any event, where consent is asked for, the most widespread means of doing so is a more or less generic banner on a website’s home page, whether or not any actual affirmative click is required; often a “by proceeding you consent” approach is preferred and apparently tolerated.
Under the E-PR this would change. As the proposal stands, we can divide cookies/trackers into four categories:
(i) those necessary for transmission of communications: no consent required
(ii) those necessary for providing information society services requested by the end user: no consent required
(iii) those placed for audience measuring carried out by the website operator: no consent required
So far so good: it seems our own first party – but not third party e.g. Google – analytics would be covered. But then:
(iv) all others: consent required.
“Consent” is supposed to be in line with the requirements of the GDPR (i.e. a higher level than currently, a “real choice”, as described by the UK’s ICO: “specific, granular, clear, prominent, opt-in, documented and easily withdrawn”). However, the draft E-PR opens up the possibility for cookie and tracker consent to be obtained “once for all” via the user’s browser settings. The idea appears to be to reduce the number of cookie consent banners; and by having browser (or even device) suppliers take on the role then users might understand the options better.
Does this give us true consent? Today, when presented with the question whether we want the full functionality of a website, we are likely to give our consent without fully understanding what this means later in terms of cookies and tracking. The proposal seems to swing fully in the other direction: many may be expected instinctively to reject all cookies and say “do not track”, also without necessarily understanding what the consequences are.
Many modern sales and marketing techniques rely on cookies and trackers and, though others will come along, Eden Legal imagines that the industry won’t simply accept that fewer consents will be given: so either pressure will be brought to bear to amend the Regulation to provide for other alternatives; or creative ways of re-offering the browser consent when arriving at a site will emerge.
Also, with many cookies and tracking technologies being provided by third parties but set by publishers or operators with large audiences, we will clearly need to review all our relevant contracts to ensure that the relevant party sets and uses the tracking in accordance with the GDPR and E-PR (and in any event to move such agreements toward compliance with the GDPR provisions on data processing agreements and, where applicable, international transfers).
Finally, to the extent that we are processing personal data, if we look at the “fairness” principle under the GDPR, it is a data controller’s responsibility to ensure and demonstrate that consents are in place. “Browser settings consent” seems hard to demonstrate.
2. Direct Marketing Communications
The draft E-PR does not change the situation a great deal in relation to direct marketing communications. For individuals these remain “opt-in” i.e. consent is required, but the E-PR would extend the requirement for consent to marketing to companies and entities. And from the recitals to the Regulation we know that “when reference is made to consent by an end-user, including legal persons, [the GDPR definition of consent] should apply”.
Note that direct marketing (as it stands) is very widely defined i.e. “any form of advertising, whether written or oral, sent to one or more identified or identifiable end-users of electronic communications services, including the use of automated calling and communication systems with or without human interaction, electronic mail, SMS etc.”
The “soft” opt-in will also continue to apply – a trader may use electronic mail contact details obtained in the context of a sale of a product or service for direct marketing of its own similar products or services (but only if the option to object is given at the time of collection and in each “message”).
Note that “electronic mail” would cover any electronic message containing information such as text, voice, video, sound or image sent over an electronic communications network which can be stored in the network or in related computing facilities, or in the terminal equipment of its recipient. So not just email.
In any event, where we are taking advantage of these provisions we need to ensure that we are obtaining GDPR-style “active” consent, that we are able to demonstrate that we did so, and for existing customers that we are correctly offering the right to object.
Finally, where we are using telesales marketing, we will need to present a real number on which we can be called or use a new direct marketing code or prefix that identifies the call. On the other hand, Member States are given the opportunity to decide to make live voice calls to natural persons possible on an “opt out” basis.
3. Relationship with GDPR
Like the GDPR, the E-PR is also intended as a Regulation so wouldn’t need any national implementation in order to be effective. (Though national implementing laws will need to be repealed and there are some areas where EU Member States have discretion, or are required to make changes e.g. to the powers of the supervisory body.)
The Regulation would apply to the provision and use of (free or paid-for) electronic communications services to or by end-users in the EU, and to the terminal equipment of end-users located in the EU. So, similarly to the scope of the GDPR, providers based outside the EU that provide services to users in the EU are covered. And roaming users from outside the EU could become subject to the rules while “located in the EU”.
And as noted, the GDPR definition of consent is expressly adopted.
4. What to do?
For now, we are still having to speculate on the final shape of the E-PR. The European Commission points to research showing public support for better control of tracking technologies, and experience tells us that “cookie consent” as we currently have it is ineffective, for sure. On the other hand, change could present a major challenge for the marketing industry and whatever solution is found needs to be practical and not too far out of line with international standards. For the UK, where the GDPR is due to take effect in 2018, it remains to be seen whether this Regulation will also become law when the UK leaves the EU (though UK service providers serving EU users will need to comply in any event).
For now, the main action seems to be to follow progress and work with trade associations to be heard if necessary. Eden Legal will return to this proposal as it progresses.