Why You Shouldn’t Ignore the EU’s GDPR & e-Privacy Regulations

We’re now seven weeks out from the General Data Protection Regulation (GDPR) effective date. We hope your organization was prepared to meet the GDPR’s requirements and that you survived the onslaught of privacy policy update emails. As they say in infomercial-land, however: “But wait, there’s more!” “More?” you ask. “How can there be more?”

You may have seen references to “e-privacy” when preparing for the GDPR. The e-Privacy Regulation is a corollary regulation to the GDPR that was proposed by the European Union (EU) Commission in January 2017. It’s an offshoot of its predecessor, the e-Privacy Directive, AKA the “Cookie Law.”

It’s currently under consideration by the EU Council and is expected to take effect, depending on what you read, within the next five to 18 months. As a refresher, the GDPR addresses data protection and privacy for individuals within the EU and the European Economic Area (EEA). It requires, among other things, businesses that are offering goods or services to persons within the EU/EEA, including businesses outside the EU, to obtain affirmative consent before collecting and processing personal data of persons inside the EU.

The e-Privacy Regulation focuses generally on the right of confidentiality and privacy with respect to electronic communications, versus focusing specifically on the protection and privacy of personal data. Given the GDPR’s broad definition of personal data, which can potentially include items such as IP addresses and device IDs, protections in the GDPR and e-Privacy Regulation are similar, although it’s probably best to think of the two as working in tandem. If enacted in its current form, the e-Privacy Regulation will likely do the following:

Ban unsolicited email, SMS messages or calls from automated calling machines. Marketing callers will need to display their phone number or use a special prefix that indicates it’s a marketing call.

Do away with the need for cookie “pop-up” consent requests because users will be able to accept or refuse cookies through their browser and software privacy settings. (Software providers will have an obligation to configure software so that it offers the option to reject third-party cookies upon setup or at any other time after setup.)

Have no effect on non-privacy-intrusive cookies that are intended to improve internet experience (e.g. to remember shopping cart history, to count the number of visitors to a site or to aid in the copying of contact information from page to page in a webform).

e-Privacy will likely require consent for marketing and advertising cookies and advertising identifiers (e.g. IDFA and AAID), but first party analytics and ad block detection methods would likely not require consent.

Cover internet-based voice and messaging platforms such as iMessage, Skype and Facebook Messenger (these are not currently covered under the e-Privacy Directive), guarantee privacy, and require consent for capturing and retaining the content of communications over these channels as well as the metadata (for example, who was called; the timing, location and duration of the call; and websites visited), unless the data is needed for billing purposes.

How does this affect your company’s marketing efforts, particularly online advertising? If you’re not marketing, advertising or selling to people in the EU, probably very little. And even if you are, some argue that the regulation won’t have as broad an impact as it may seem because (1) people already have the option to block ads and will give consent when they really want your product or special offers; and (2) even if behavioral or programmatic advertising ends up requiring consent, contextual advertising is still a viable option.

Rebel will keep you informed on this issue as it develops, but if you have any questions — or if you just want to chat about All Things Digital — please feel free to drop us a line.
