GDPR and ePrivacy regulation

Update: 16.01.18. The ePrivacy Regulation is still under review. Since this article was published, there has been a big shift in the draft legislation, moving the emphasis strongly towards opt-in for both business-to-business (B2B) and business-to-consumer (B2C). When the text has been approved in Brussels, we’ll update this article to reflect the new standard in full.

Just as we marketers are finally waking up to the obligations that GDPR brings, those pesky people over at the EU have thrown another big legislation change over the fence. This time, they’re proposing a reform of ePrivacy legislation, aiming to deliver a formal regulation.

It’s designed as an accompaniment to GDPR, a trusty sidekick in the most traditional superhero sense. We can now forever think of GDPR and ePrivacy Regulation as the Batman and Robin of marketing compliance (this may see you through the darkness you face when painstakingly trying to get your head around it all).


What is the ePrivacy regulation?

Regulation, regulation, regulation

The draft ePrivacy Regulation is set to replace the ePrivacy Directive 2002/58/EC. We’ll then be dealing with a regulation rather than a directive. In the same style as GDPR, it’s directly applicable and enforceable in every member state, and it’s again trying to bring harmony across the region regarding how consent, data and privacy are managed.


It’s truly global

Much like GDPR, it applies to anyone providing “electronic communications services” to users based in the EU. It doesn’t matter whether the company is based in Sidmouth or Sydney: if their user (think subscriber, lead, customer, partner) is an EU citizen, then the rules apply. Fundamentally, this makes it a global standard that organisations need to comply with.

It’s set to be a love-fest for the same consent rules as GDPR. Consent must be:

  • Freely given, informed, unambiguous and specific
  • Expressed by a statement of clear affirmative action (silence is not golden!)
  • Easy to withdraw
  • Explained in clear and plain language
  • Demonstrable (the business must be able to evidence the details of how it was obtained)
  • Detached from other matters (e.g. not stipulated as part of the general terms and conditions of the organisation)


Big-money fines

Organisations could be hit hard for non-compliance. Evidently, lawmakers are keen to give this new regulation similarly pointy teeth to GDPR.

The draft document sets out fines of 10,000,000 EUR, or up to 2% of the offending organisation’s total worldwide annual turnover (whichever is higher), for breaches in relation to unsolicited direct marketing communications.

These already dizzying numbers double to 20,000,000 EUR or 4% of the total worldwide turnover for unlawfully processing communications data. Ouch.


How does this relate to marketing?

Some marketing channels and mediums will be covered by the ePrivacy Regulation and others by GDPR. Obviously any marketer worth their salt has an approach that is multi-channel and integrated. This means that marketers will have to get their heads around both, and make sure that they are compliant with both standards in order to keep their marketing momentum going.

We’ve put together a handy comparison table. As you can see, there are major differences in how Business to Consumer (B2C) and Business to Business (B2B) comms are handled across the two new standards:

| Tactic | Covered by GDPR | Covered by ePrivacy Regulation | B2C Opt in/Opt out* | B2B Opt in/Opt out |
|---|---|---|---|---|
| Email marketing | | x | Opt in** | Opt out |
| SMS/text marketing | | x | Opt in** | Opt out |
| Instant messages (e.g. WhatsApp, FB Messenger, Snapchat)*** | | x | Opt in** | Opt out |
| Telemarketing | | x | TBC – EU member states to set (UK currently opt out****) | TBC – EU member states to set (UK currently opt out****) |
| Direct marketing (postal) | x | | Opt out***** | Opt out |

* Includes sole traders and limited liability partnerships
** Soft opt-in emails may be sent to existing customers to market similar products or services, subject to an opt-out being provided at the time that the data was collected, and with each subsequent email marketing message
*** Newly introduced in the new standard
**** Managed through the Telephone Preference Service/Corporate Telephone Preference Service
***** Subject to Recital 47. If an organisation is relying on “legitimate interests” to carry out postal marketing, it might not need to get consent.


The blurring lines of B2C and B2B

Things are getting messy. There’s undeniably an individual’s data tied to a personal address within an organisation (e.g. [email protected]). They will have the right under GDPR for their data to be processed dutifully and lawfully. How that will work in practice, who knows; ultimately it will come down to someone’s appetite to test the new standard with an attempted prosecution.

Much like now, sole traders and limited liability partnerships are treated as B2C too. So unless organisations are really tight within their CRM or marketing automation system about who is a Ltd, PLC or public sector organisation and who is a sole trader/partnership, in practical terms everyone needs to be treated under the stricter rules.

In today’s world, there’s also what’s actually palatable for users. People just don’t like being contacted on an unsolicited basis. The tide has moved massively against these tactics, and practices like inbound marketing have emerged based on the principles of delivering content of value and engaging people enough to want to subscribe for more communication. Where the legislation goes is one thing, but marketing is about meeting customer needs and wants. If they haven’t told you they want to be contacted, that should be strongly considered from a more holistic customer experience perspective.


New times for telemarketing

Telemarketing looks set to stay despite some concerns from telemarketing agencies and providers that laws would be tightened.

There are some changes in this area though. Callers will need to either display their phone number or use a specific code at the beginning of the calling number to indicate to the recipient that it is a telemarketing call. This then opens up the opportunity for users to block those codes on their phone if they choose.


What about marketing automation systems, web tracking and analytics?

There’s a noted exemption from consent for web analytics within the proposed new standard. But this exemption only applies to first-party analytics. Commonplace third-party tools like Google Analytics, HubSpot and ActiveCampaign will require consent. Tech teams need to be aware that the distinction between first party and third party refers to the owner of the analytics service, rather than the domain serving the cookie.

Communications data is overhauled in the proposed new standard too, with new rules for processing content (what’s said) and metadata (who, when, where etc.). This metadata definition replaces the outgoing “traffic data” that we’ve been working with as part of the ePrivacy Directive.

Phil Lee, Partner at Fieldfisher, has produced this handy image that defines these clearly and shows the relationship between the two.

[Image: Permitted uses of electronic data]

All this will mean browsing history will need to be anonymised or deleted if a user has not given consent to the service.

How this will impact marketing automation systems and other marketing technologies whose purpose is to bring as much light to these situations as possible, in every circumstance, is unclear at this stage. You’d expect there’ll have to be some work done in this area to ensure compliance from the likes of Marketo, HubSpot, ActiveCampaign and all the main vendors. I’m sure they’ll figure it out over the coming months.


Death to website cookie banners?

That would be awesome, wouldn’t it?

It looks like that’s the way things are going. The outlined regulation relaxes the previous insistence that web browsers block cookies as a matter of course, instead opting for user choice during browser setup. It would seem to signal a move towards control for the user across all sites, rather than dealing with cookie banners on every individual site they visit.

How this will work in conjunction with the opt-in requirement for third party analytics tools is yet to be seen.


When will we see Privacy changes?

The draft process indicates a 25 May 2018 go-live (in line with GDPR). Considering how long it took to get GDPR over the line, that seems unlikely at this stage.

Suffice it to say, this legislation is an important filler for some of the notable marketing gaps within the final GDPR standard. This means they could yet pull out all the stops to get the wheels of bureaucracy ‘firing on all cylinders’ (if that’s ever really possible).


Steady on Cedric – it’s just a draft

We need to be aware that the ePrivacy Regulation, unlike GDPR, has not been through the full lawmaking treatment in Brussels yet. Some of this detail could be subject to change. As such, we’ll update this blog and the comparison table accordingly when new info becomes available.

What do you guys think of the GDPR and ePrivacy Regulation combo?