First proposed in early 2017, the Regulation on Privacy and Electronic Communications, better known as the “ePrivacy Regulation” and by the acronym “ePR”, is seen as the successor and replacement to the ePrivacy Directive (“Cookie Directive”) first enacted in 2002. The new regulation has two primary goals: first, to expand consumer privacy protections so they reflect emerging technologies, and second, to standardize electronic privacy laws across all EU member states, an effort first put in motion with the “Cookie Directive.”
Who Will Be Affected by the ePR?
- Communication service providers. All providers of electronic communication services — regardless of whether they hold a physical presence in the EU — will be expected to abide by the rules as they pertain to serving European citizens.
- Entities transmitting and processing data on EU citizens. Any entity that transmits or "processes" the communications (or communication metadata) of individuals in the European Union will find their activities further regulated.
- Businesses storing data on EU citizens. The ePR will expand the rules on how information can be stored within the electronic devices of EU citizens. Like similar regulations, the responsibility of ensuring secure storage still rests with the service provider.
- Marketers targeting the EU. Organizations taking part in direct marketing efforts to persons in the EU can expect changes to what information they can use, collect, and disseminate from EU citizens.
- App developers and communications companies. Organizations that make available electronic communication tools (apps, OTT platforms, devices, etc.) to EU citizens will face more limits on what consumer information can be collected, transferred, and stored.
Like the GDPR before it, the ePrivacy Regulation carries extraterritorial powers, meaning the regulation extends beyond the borders of EU member states. It’s worth pointing out that violators can be fined through the international courts. Organizations that do not have a physical presence in the EU, but offer electronic communication services (or marketing) to the EU, will be required to appoint a data protection representative (a type of liaison) to each EU member state wherein they conduct business.
What is Cookie Consent?
- The ePrivacy Directive created a framework for EU member states that led the way to cookie consent laws being implemented in each state. The directive mandated that websites must have a cookie consent opt-in procedure in place and that they must receive explicit consent before they can track personal information through the use of cookies.
- The General Data Protection Regulation, more commonly known by its acronym (GDPR), established that consent for user information must be explicit and presented in unambiguous language. Therefore, "opt-out" types of consent are disallowed under GDPR. However, the latest draft of the ePR, with its expanded technological scope, will permit certain forms of implied consent so long as these are at the request of and within the best interests of the end-user.