<img height="1" width="1" src="https://www.facebook.com/tr?id=1046809342117480&amp;ev=PageView &amp;noscript=1">

VSEC Blog: IT Security Channel News brought to you by Infinigate UK

Share the Infinigate UK Blog on LinkedIn Share the Infinigate UK Blog on Twitter Share the Infinigate UK Blog on Facebook Share the Infinigate UK Blog on Google+ Share the Infinigate UK Blog via Email

5 Things to Know About the EU's Upcoming ePrivacy Regulation

Posted: 27 February 2018

5 Things to Know about EU ePrivacy GDPR Regulation

With May 2018 within touching distance, you may think it will soon be all over. The GDPR (General Data Protection Regulation) is taking its toll and fatigue around the topic has undoubtedly begun to set in. Yet, it is only just the beginning, as one door closes another door opens, to make way for the European Union’s ePrivacy regulation.

Interwoven in any GDPR conversation regarding the application of the regulation, particularly in the case of marketing by method of communication, is reference to the PECR (Privacy and Electronic Communication Regulations). Dating back to 2003, the ICO (Information Commissioners Office) describes the PECR as sitting alongside the DPA (Data Protection Act 1997). Partners indeed they are, while one focuses on the use of personal data generally, the other focusses specifically on how that personal data is used in the context of communication.

[You may also be interested to read "Will purchasing contact data lists become illegal under GDPR?"]

So then, with the evolution of the DPA into the GDPR, it stands to reason that the PECR also requires some modern-day bolstering of its own, for fear of it becoming out-of-date. Here are five things to know about the ePrivacy regulation, as it stands in its January 2017 draft.

1. The GDPR's ePrivacy regulation is being implemented slowly but steadily

As was the intended partnership of the DPA and PECR, the GDPR was also supposed to have a commonly timed counterpart in the ePrivacy regulation. Bureaucracy, diplomacy and the joys of lobbying prevented that intention from becoming a reality and instead the timeline has proved sluggish. In January 2017, the EU released its first draft of the regulation, which drew heavy criticism of stifling innovation, by members of the European Parliament. It wasn’t until October 2017 that Parliament narrowly approved the regulation, allowing it to continue through the chambers of power in Brussels.

2. ePrivacy is a regulation, not a directive

We have heard this one before and dare I believe that IT administrators continent-wide are more familiar with European law than pre-GDPR. Despite the name, the PECR sporting the letter R, was the result of a 2002 directive. As we have learned with the GDPR, this means that local implementations of the directive have resulted in a patchwork of rules in each member state. The regulation not only solves that problem but it matches the rigidness of the GDPR, again a sign that these two were fated to be together.

3. Cookie consent won't be website-specific

Remember when the websites started to add pop-ups to their websites asking you to acknowledge their use of cookies? Well, the ePrivacy regulation intends to end that practice by removing consent for non-privacy intrusive cookies such as shopping carts. In essence, user must be in control of any private or sensitive information stored on their devices, without having to click on a banner asking for consent each time they visit a website. Instead, it is expected that website browsers will include settings to allow or deny cookie use. This could have a huge impact of targeted banner ads which determine content based on browsing habits.

[You may also be interested to read "The GDPR Lifecycle: Plan your Strategy from Discovery to Protection"]

4. B2B and B2C organisations will have the same ePrivacy laws

Under the PECR, direct marketing activities to B2B contacts had some level of distinction to B2C contacts, with regard to consent, by way of the definitions natural person and legal person. In the current draft of the ePrivacy regulation, this has been removed and made more consistent with the approach of the GDPR. Article 16.1 states, “Natural or legal persons may use electronic communications services for the purposes of sending direct marketing communications to end-users who are natural persons that have given their consent.” In effect, contacting someone’s directly named business email address, such as john.smith@infinigate.co.uk would require consent for email marketing. Whereas marketing@infinigate.co.uk would not.

5. Non-compliance of the ePrivacy regulation will provoke GDPR-like fines

Infamous for its stinging administrative penalties, the GDPR has been both criticised and applauded for its celling values. This attention can now be shared as in an act of plagiarism, the ePrivacy regulation contains the exact same level of punishment as a deterrent. It’s not certain which mechanism the writers of the two regulations used to determine these values, however what is certain is that when weighing the cost compliance vs non-compliance. The GDPR and ePrivacy regulation put a heavy emphasis on the cost effectiveness of compliance.

[You may also be interested to read "GDPR Myths & Monsters"]

As mentioned earlier, the GDPR and the ePrivacy regulation were always intended to work hand-in-hand or dovetail as some have written. Some of the confusion and ambiguity of the GDPR, especially in relation to communication and marketing with data subjects was supposed to be cleared up by the ePrivacy regulation. And even their enforcement dates were supposed to be synchronised. Twins by design.

Despite the lobbying treacle, the ePrivacy is on its way and once again you will be bombarded with the question, “are you ePrivacy regulation ready?”.

Click to get a free, online GDPR readiness assessment for your organisation >>

Chris Payne Senior Technical Consultant, Infinigate UK
Posted by: Chris Payne
Senior Technical Consultant, Infinigate UK

 

Share via:

    

Subscribe to VSEC Blog Updates

Terms and Conditions:
  • When completing this form, you are indicating your consent for this processing activity. By doing this you are providing Infinigate UK with lawful consent to process your submitted personal data for one or both of the marketing purposes below:
    • We will use your details to send you blog updates.
    • We will match your answers to areas of interest which believe you have and may send you additional marketing materials related to those areas.
  • We will keep your personal data for nine months, upon which we will delete your personal data unless you have consented to further processing or we have legitimate interests to retain it. You are free to withdraw your consent at any time by contacting our marketing department or using one of our unsubscribe links in our communications.
  • In some cases where you indicate consent for supplying you with additional promotional marketing material, we will share your personal data with one of our reseller partners, should your areas of interest match a solution or service they provide. We instruct all our reseller partners to communicate this data transfer with data subject affected.
  • Your personal data is stored in a marketing automation solution database, access to this is limited to authorised users and all necessary steps to ensure data security is maintained.

For further information about this form, your rights under the General Data Protection Regulation or how to exercise them, please contact Infinigate's marketing department here.

Popular Posts