Where is the ePrivacy Regulation?

Where is the ePrivacy Regulation?

As 2018 draws to a close and the dust has well and truly settled on GDPR, we’re reflecting on what’s next for data protection and the effect it will have on us marketers.

Well, there’s one big thing looming on the data protection regulations horizon – and that’s the ePrivacy Regulation. It was intended originally to come into effect at the same time as GDPR, but, well, it didn’t. The fact of the matter is though, that many of the aspects GDPR addresses – including consent – are sort of given a bit of a makeover under ePriv. And, if you’re a particularly digitally-inclined marketer, there are some things in there about cookies you’ll want to sit up and pay attention to.

So, what is the ePrivacy Regulation, and when, why and how should you be worried about it?


Current legislation

The current legislation in this area is the ePrivacy Directive (2002), which was amended most recently in 2009. In the UK, we know it as the Privacy and Electronic Communications Regulations (PECR), which has also been amended five times. The legislation covers universal service and user rights in relation to electronic communications networks and services. For most businesses, the most important and relevant elements address the use of cookies and similar technologies, and other rules on electronic marketing. Communications network and service providers must also comply with security and privacy obligations.


The ePrivacy proposal

Way back in January 2017, The European Commission issued a proposal to overhaul the ePrivacy Directive and harmonise application across the EU as part of its catchily-named Digital Single Market initiative. As mentioned before, the intention was for the new ePrivacy Regulation to come into effect on the 25th May 2018 – which you may recognise as the day GDPR came into effect. This, clearly, didn’t happen, and it’s looking more and more likely that the Regulation will not be finalised before the European elections in May 2019.
Let’s dig into some of the detail on the original ePrivacy Regulation proposal. It:

  • Applies to “over the top” service providers like WhatsApp, Facebook, Gmail and Skype and not only to telecommunications service providers
  • Is a Regulation rather than a Directive
  • Covers both content and metadata derived from electronic communications -consent will be required to collect both, unless subject to exemptions (more on this later)
  • Gives traditional telecoms providers more scope to use data and provide additional services, subject to consent
  • Streamlines rules on cookies – consent to cookies will be able to be given through browser settings and consent will not be needed for non-privacy intrusive cookies improving internet experience and cookies set to count visitors to a website
  • Bans unsolicited direct marketing electronic communications to consumers by any means, including phone calls if users have not given consent (subject to exemptions)
  • Encourages Member States to require that marketing callers display their phone number or use a special prefix
  • Brings in GDPR-style penalties for non-compliance



As you may have guessed by the fact that the ePrivacy Regulation has yet to come into effect – it is still in very much in draft form. In fact it’s a been a bit of regulatory hot potato since the first draft was issued. In July 2018, the current Austrian Presidency of the Council of the European Union (let’s hope they don’t have to wear a name badge) published a revised draft with some significant changes. This proposal suggested watering down the original requirements around the information that has to be given to users about third party cookies and the requirements for making users select privacy settings. The Presidency commented that the measures suggested in the original proposal were impractical, and would lead to “consent fatigue”. Ha, how perceptive.
The July 2018 amendment also included further exceptions to the prohibition on dropping cookies under certain circumstances – for example, for anti-fraud, security and statistical purposes, or where the user has been given a choice to use the service with or without cookies which collect personal data.
The most recent set of amendments, submitted on 19th October 2018, suggested even further changes to the July draft, particularly centered around Article 6 (permitted processing) and Article 10 (protection of end-users’ terminal equipment). I hope you’re paying attention, there will be a test later.
It’s thought that Austria does not intend to do more than issue a status update before it hands the file over to the Romanian presidency in January 2019. Once the Council has agreed its position, negotiations with the European Parliament will begin. Due to next year’s elections, it’s highly unlikely that the ePrivacy Regulation will come into effect before 2020.


What do you need to know?

All the politics and back and forths aside, let’s get down to brass tacks – what could be coming in as part of the ePrivacy Regulation that you need to know about?
Once again, I must stress that the Regulation is still very much in draft form, and the below could change come January. But, running with what we do know, the following is the Councils’ current position on the areas which will most affect marketers – consent, cookies and direct marketing.



The provisions for consent under the GDPR apply under the Regulation. As you’ll be well aware by now, GDPR asks that consent for processing be freely given, informed, specific and above all be an unambiguous indication of consent through a clear, informative action. Considering that by the time the Regulation comes into effect we’ll all be versed in the practice of getting consent through the GDPR lens, this shouldn’t be too much of a biggie.
Where the waters muddy however, is with consent for cookies.



You’ve heard of cookies – they’re bits of data utilised by many digital marketing tools to collect and store data of a visitor to your website.
Under the latest version of Article 8, the use of technologies like cookies to collect information from users is strictly prohibited, unless:

  • The individual has given their consent
  • It’s necessary for the sole purpose of carrying out transmission of electronic information
  • It’s necessary for audience measuring (subject to restrictions)
  • It’s necessary for security, fraud prevention or detection of technical faults
  • It’s necessary for a software update
  • It’s necessary to locate the user’s device in an emergency

If we’re using the old definition of consent, there was initially some confusion around whether consent to cookies could be opt-out or opt-in, with different Member States taking different tacts. Using the new definition of consent under GDPR – where consent has to be clearly and unambiguously given – it looks like “assuming it’s ok unless they say so” isn’t going to cut it. There are however still questions around the practicalities of capturing specific consent.
Most notably in this current draft, the consent required to place cookies on user devices can (but doesn’t have to) be expressed by using browser settings, or as the draft Regulation puts it, “the appropriate technical settings of a software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet”. Consent given in this way doesn’t have to identify the individual but can be demonstrated using a technical protocol.

In previous drafts, Article 10 (that was “protection of end-users’ terminal equipment” if you were paying attention earlier) contained a requirement for software (including browsers) to offer the option of preventing third parties storing information on the user’s device. On installation, the user had to be informed about the privacy options and was required to select their settings in order to complete installation. For existing software, the privacy options had to be presented at the time of the first update and in any event, by a longstop date. The European Data Protection Supervisor had pushed for these (and possibly further) requirements around granularity of technical settings to enable user control, and for a requirement that privacy settings should be set at their highest level by default. This could all be moot – because in the current draft, Article 10 has been deleted completely.

That being said, the cookie rules in the Regulation make much more sense if we factor in Article 10. Under the GDPR, privacy by design and default is required – meaning that privacy settings have to be set at their highest by default. But without Article 10, there are issues around granularity and allowing or rejecting cookies on a case-by-case basis. If the Regulation came into effect without Article 10, one interpretation might be that all browsers block cookies by default, unless there is an exemption to the need for consent. But how then would us lowly marketers actually get consent from a user to use cookies? A website would not be able to override browser settings – and we can’t expect a user to amend this themselves. And that’s putting aside the fact that most browsers don’t actually allow granular cookie settings – they’re either on, or they’re off.

The latest draft of the Regulation is woolly in a number of ways on cookies. It’s looking most likely that in the absence of sufficiently sophisticated browser settings becoming industry standard, websites will need to continue to manage their own cookies and cookie consent through methods like banners and pop-ups. It’s pretty clear though that opt-in consent will be required.


Direct marketing

The current Directive bans the use of automated calls, fax or email for direct marketing without consent – except, specifically with email, where they’re already a customer of the business, and can therefore receive emails about related products as long as they are able to opt-out. Currently free to each Member State’s interpretation, they are required to either a) obtain consent or b) ensure opt-out in possible for “unsolicited direct marketing”.

The latest draft of the Regulation applies a similar ban, defining direct marketing communications as “any form of advertising, whether written or oral, sent to one or more identified or identifiable end-users of electronic communications services, including the placing of voice-to-voice calls, the use of automated calling and communication systems with or without human interaction, electronic message, etc.”
Other requirements around email marketing in the latest draft include:

  • Anyone sending direct email marketing must provide a phone number on which they can be contacted
  • Senders must identify themselves with return addresses or numbers
  • Senders must clearly identify the marketing communication as marketing
  • There must be a way for the user to object or withdraw consent

For direct marketing voice-to-voice calls, Member States have the discretion to allow this activity if the person has not opted out, and to require that all direct marketing calls have a dedicated code or prefix so they can be identified.
Under the current Directive, rules around B2B marketing are open to interpretation to each Member State. The requirement is that “”the legitimate interests of subscribers other than natural persons with regard to unsolicited communications are sufficiently protected”. Here in Blighty we’ve taken that to mean opt-in consent is not required for B2B marketing, applying even when personal names are included in business email addresses. Other Member States have not distinguished between B2B and B2C in this context, and opt-in consent is required for both.

The latest draft of the Regulation uses similar wording, stating that Member States “shall ensure…that the legitimate interests of end-users that are legal persons with regard to direct marketing communications sent by [electronic means] are sufficiently protected”. It’s unclear whether the Regulation would keep the options open for Member States to decide whether this applies to B2B marketing, or whether it will by default consider this applies only to marketing sent to contacts with no personal data, e.g. [email protected]. Keeping such clauses “open to interpretation” means that despite one of the Regulation’s purposes being to harmonise data protection regulations across the EU – there still could be disparate interpretations of the legislation.

So, where do we stand on this, especially with the B word looming? It’s unclear at the moment whether we would maintain are current position of distinguishing between B2C and B2B, or whether we’ll tighten up on opt-in requirements. As it’s highly unlikely that the legislation will come into effect before Brexit, it might be that we don’t have to change our stance on B2B marketing.


What’s next?

I’ve said it several times, but it bears repeating – this article outlines the current position of the current draft of the Regulation – it could change significantly before it actually comes into effect. For a lot of organisations, including us and our clients – the uncertainty around the position on B2B marketing is tough. Do we need to put in place measures to address stricter rules on consent now, or carry on as we were? With the Regulation still very much in draft form and positions on consent and cookies still unclear, it’s hard to take a clear position and recommend a clear path forward.

Inflowing have got your best interests at heart, and we’ll continue to update you on the latest developments around ePrivacy Regulation as we hear about them. Keep a weathered eye on this blog over the next year or so for more information.