
ePrivacy Regulation: top 4 hot changes for 2018

The ePrivacy Regulation is the next big topic once the GDPR hype slows down. What is it all about? What changes for direct marketing and cookies?


Let’s find out!

1. Unsolicited Marketing

The upcoming ePrivacy Regulation (still a proposal for the moment) simplifies and strengthens the rules on unsolicited direct marketing. It prohibits unsolicited electronic communications by any means, including email, SMS and, in principle, phone calls, if users have not given their prior consent. An opt-in will therefore be required for all types of electronic marketing, except where an individual's email contact details were obtained in the context of a sale or service, in which case an opt-out remains possible. Prior consent will also be required for marketing phone calls, unless national law gives consumers the right to object to receiving such calls, for example by registering their number on a 'do-not-call' list. Organisations making direct marketing telephone calls would be required to display calling line identification, or to present a specific code or prefix indicating that the call is a marketing call.

The ePrivacy Regulation does not apply to direct marketing by postal mail; that channel falls back under the GDPR. Under the GDPR, Recital 47 specifically states that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. An organisation relying on legitimate interests to conduct its postal direct marketing may therefore not need to obtain consent to do so.


2. Cookies

The Regulation simplifies the rules on cookies in an attempt to overcome 'cookie-banner fatigue'. The European Commission recognises that users are currently overloaded with pop-up windows requesting consent to the use of cookies. The Regulation therefore proposes that browser settings may be taken as consent. It adopts a privacy by design approach, requiring providers of browsers and similar software to give users cookie and tracking controls, with settings that each user can adjust to their needs. By centralising consent in the software rather than making each individual website request permission from each user, the aim is to do away with the litany of cookie banners and notices. The Regulation also proposes that no consent is needed for non-privacy-intrusive cookies that improve the browsing experience (such as remembering a shopping cart), or for cookies used to measure traffic to a particular website.


3. Scope: Online Communications Providers

Since the ePrivacy Regulation would replace the existing ePrivacy Directive, one aim was to broaden its scope so that online communications providers fall under the same requirements as traditional telecommunications providers. Services such as Gmail, Skype, Facebook Messenger and WhatsApp would thus be required to provide the same level of protection for customer data as traditional telecoms operators. Providers of any electronic communication service are required to secure their communications using the best available techniques, which obliges them to keep their technology in step with the state of the art. The new provisions also require metadata to be treated in the same way as the content of the communication it relates to. Interception of any such communication is prohibited except where specifically authorised by the law of an EU member state (for example within a criminal investigation).

4. Main Differences with GDPR

The GDPR was created to give effect to Article 8 of the Charter of Fundamental Rights of the European Union (protection of personal data), while the ePrivacy Regulation gives effect to Article 7 of the Charter (respect for private life and communications). The private sphere of the end user is covered by the ePrivacy rules, which require a user's privacy to be protected at every stage of every online interaction. It is important to remember that the ePrivacy Regulation was created to complement and particularise the GDPR, so the rules of the GDPR remain relevant and form the backdrop to the ePrivacy rules. The ePrivacy rules add to the GDPR by addressing, among other things, how the broad online retail sector may use personal information. The big change, however, is this: the draft ePrivacy Regulation imports the GDPR standard for consent. That is:

  • The consent must be freely given, specific, informed and unambiguous;
  • The consent must be expressed by a statement or clear affirmative action. Silence, pre-ticked boxes or inactivity should therefore not constitute consent.
  • The consent must be as easy to withdraw as it was to provide consent in the first place.
  • The organisation must be able to demonstrate that the individual has consented
  • The consent language must be intelligible and use clear and plain language
  • The request for consent must be clearly distinguished from other matters.


The ePrivacy Regulation is intended to apply alongside the GDPR, taking precedence as the more specific rule where both cover the same processing. By defining each particular situation a user may enter into, the two laws work together to ensure that internet users have control over their data and that every website is under an obligation to handle user data in a way that keeps that information secure. Organisations for which consumer-facing direct marketing data is a major business enabler, but also a major risk factor, may already be addressing some fundamental points. For example, as part of their overall GDPR programme, they may already be working to gain visibility of their direct marketing data flows; reviewing their consent language; assessing the means and methods by which consent was obtained; and putting in place controls over the use, access, retention and disposal of their direct marketing data. If they outsource their marketing operations to a third-party provider, they may be reviewing contractual clauses and other controls such as audits. Importantly, they may also be looking at how they deal with challenges: how robust are their processes for handling direct marketing complaints, before those complaints turn into regulatory intervention? Of course, the longer tail will inevitably relate to technology. Many of those same organisations will be looking at their technology stack to assess whether it allows them to demonstrate consent, and to allow the withdrawal of consent easily and effectively, as the GDPR requires. With the increased focus on operational adequacy and accountability under the GDPR, the role of technology in evidencing compliance will be important.
