ePrivacy Regulation – first draft 2017, so what’s happening two years on?
The ePrivacy Regulation is set to replace the 2002 ePrivacy Directive (and subsequent amendments) which currently sits alongside GDPR and from which the UK’s 2003 Privacy and Electronic Regulations (PECR) is derived.
The aim of the new Regulation is to provide more harmonised rules for electronic communications. Its scope, which includes direct marketing by email, text, telephone and social media, as well as rules for cookies and other tracking technologies, is far broader than the current Directive.
As a reminder, the ePrivacy Directive governs the opt-in/out and soft opt-in rules for all electronic direct marketing, and the UK’s Information Commissioner’s Office has confirmed that where consent is required under PECR, it needs to be to a GDPR standard.
This article focuses on the proposed amendments relating to email marketing and cookies, but it’s worth mentioning that there are other proposed amendments that I haven’t covered here.
After what seemed like stalled progress for many months, the Council of the EU, under the Finnish presidency, appears to have been busy over the summer. Following discussions, the Finnish presidency issued a revised proposal for the ePrivacy Regulation, with amendments in areas where considerable uncertainty has existed since the first draft was released in October 2017.
Definition of Direct Marketing
There were concerns with previous drafts that advertising ‘presented to’ individuals could be captured under the definition of direct marketing. FEDMA has welcomed proposed changes which state direct marketing entails communications being ‘sent’ (with the removal of the words ‘or presented to’), as a clarification which distinguishes direct marketing from display advertising. But it’s not the final text yet!
Business to Business email marketing
In relation to direct marketing, there is a glimmer of hope in the latest draft text that there will be a distinction made between B2C and B2B which had not been evident in previous drafts.
Currently the rules on whether consent is required for B2B emails differ across Europe: some countries require consent and others, like the UK, don’t. This lack of harmonisation looks set at the moment to stay, with Member States being able to apply local decisions surrounding B2B electronic marketing.
FEDMA has said that it welcomes the potential flexibility on B2B direct marketing, but is calling for further clarification of the scope of the provision to ensure it’s not limited to generic (non-personal data) contact details, such as firstname.lastname@example.org, but rather clearly allows for communications to an individual acting in their professional capacity.
This movement from earlier versions of the texts is hopefully a positive sign for organisations operating in a B2B market, wishing to send emails to individuals in their business capacity or contact them by phone, subject to them having a legitimate business reason to do so.
Emails/SMS and the ‘Soft opt-in’ for existing customers
Under the current ePrivacy Directive, it’s unlawful to send unsolicited marketing emails or SMS messages to individuals (‘individual subscribers’, sole traders and some partnerships) unless they have given consent or the ‘existing customer’ exemption applies. This exemption is commonly referred to as the ‘soft opt-in’ and is retained in the latest draft which states it can be relied upon if:
- the individual’s contact details have been obtained in the context of a purchase
- direct marketing relates to the organisation’s own, similar product and services
- the customer is clearly and distinctly given an opportunity to opt-out of marketing at the time the data is collected
- the customer can subsequently unsubscribe from marketing at any time and there should be an unsubscribe link on every email sent
However, the current Directive includes the opportunity for using contact details collected in the context of “negotiations for the sale” meaning that the individual could have been browsing a website and perhaps gone part way through the buying journey but not completed the purchase. The fact that those words “negotiations for the sale” are still not included in the latest draft would restrict the scope in which organisations could use the soft opt-in exemption, if this doesn’t change.
A further potential restriction appears in the latest draft which states that:
- Member States may impose a time limit on the use of the soft opt-in
There are calls for this to be amended. There are concerns that a time limit for all businesses, regardless of what services or products they offer, could be restrictive, as each would respond to its own particular purchase cycle.
FEDMA is also hoping to influence change to the current (and proposed) rule of restricting the use of the soft opt-in to the marketing of an organisation’s ‘own products and services’. It’s argued that in today’s online reality marketers often promote both their own and partners’ products in the same communication.
At the start of this process, there was a clear desire to streamline the cookie provision, which it was agreed had resulted in an overload of consent requests for internet users. Fast forward two years and we are all under much more of a deluge. FEDMA is certainly raising concerns about the impact cookie consent has on the user’s experience – the so-called ‘consent fatigue’ – and is calling for a rethink. It believes, along with many others, that a balance needs to be struck between providing the user with control and allowing online services to be funded by advertising and therefore provided at no cost to the user.
Whilst it’s both interesting and encouraging to see some new developments in the ePrivacy journey, it must be kept in mind that this is the working draft and it could change again. The entire Article 16, which relates to direct marketing, is still open for discussion. It’s also worth mentioning that there’s additional commentary to suggest that not all Member States are happy with the direction of travel, and it will be interesting to see the updates from the next meeting, which will take place during September.
Thereafter there is still a long road ahead for the new ePrivacy legislation. Even once the final text is agreed, there could be a two-year implementation period before enforcement (as we had with the GDPR). So for the foreseeable future, we will continue to operate with GDPR and the current ePrivacy Directive (PECR in the UK) as somewhat uncomfortable bedfellows.
Debbie McElhill, September 2019
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.