Just as marketers learn to survive in a post-GDPR world, the deadline for the ePrivacy Regulation — the successor to the ePrivacy Directive (also known as “The Cookie Law”) — inches closer.
Slated for a release in 2019, the impending ePrivacy Regulation, like the GDPR, is applicable to any business targeting EU customers… Which means pretty much ALL of us need to comply!
And just as in the prelude to the GDPR, lawmakers and lobbyists are taking on each other with explosive charges, open letters, and movies hinting at how the world will become an app-wasteland after its implementation.
So what is the ePrivacy Regulation all about?
And why do we need it when we already have a stringent GDPR in place? And what the heck does it mean for marketers like us?
Let’s find out.
“The GDPR is Not Enough… ”
… Says Ms. Birgit Sippel, a European Parliamentarian and drafter of the ePrivacy Legislation — and the lead negotiator for the ePrivacy Regulation.
Many other lawmakers echo the same belief: while the GDPR is a strong regulation concerning data protection, ensuring data privacy — which is the key premise of the ePrivacy Regulation — needs more specifics.
Jan Philipp Albrecht, a German Parliamentarian (who was the lead negotiator on the GDPR), puts this really nicely. He explains that the GDPR sets the “global standard for protecting personal data,” and that ePrivacy is the “missing brick in this wall.”
The ePrivacy Regulation is, in fact, the “lex specialis” to the GDPR, as even the proposal states:
“This proposal is lex specialis to the GDPR and will particularise and complement it as regards electronic communications data that qualify as personal data. All matters concerning the processing of personal data not specifically addressed by the proposal are covered by the GDPR.” — The ePrivacy Regulation proposal
Originally meant to release on the same day as the GDPR, this lex specialis to the GDPR addresses a few specific subject matters covered by the GDPR. For marketers like us, the most important of these specifics are communications and cookies.
Let’s take a look.
Communications & Cookies Under the ePrivacy Regulation
The ePrivacy Regulation aims to protect data confidentiality over a wide range of electronic communications.
Originally, the ePrivacy Legislation focused mainly on the email and SMS channels. The upcoming regulation, however, expands its ambit to cover newer communication services such as WhatsApp, Facebook Messenger, Skype, Gmail, iMessage, etc., as well as IoT devices and countertop terminals, among others.
So if you ever have a user raising a concern about why they got a message from you on their Facebook Messenger app, you’ll have to look at the ePrivacy Legislation, and not the GDPR, as the ePrivacy Regulation offers more specific rules on communications.
Along with the actual content of the communications, the revised ePrivacy Regulation will also need you to anonymize or delete any related metadata if the users haven’t consented to its use or processing.
“Both content and metadata will need to be anonymised or deleted if users have not given their consent, unless the data is required for instance for billing purposes.” — The Presentation of the ePrivacy Regulation
Other than ensuring communications’ confidentiality, the upcoming ePrivacy Regulation also targets how companies use cookies to collect and track data for behavioral analysis. It requires you to seek explicit consent from your users before installing any cookies on their browsers.
So for instance, if you run experiments on your website or offer personalized web experiences, then you’re going to need some cookies. But with the ePrivacy Regulation in place, you’ll have to explain the cookies you use and seek explicit consent before installing them on your users’ browser.
As you can imagine, this can result in a lot of consent fatigue.
The solution?
Choosing non-intrusive and privacy-friendly marketing solutions.
At Convert Experiences, for instance, where we build some of the most privacy-friendly A/B testing software, we only use first-party performance cookies that don’t collect any personally identifiable information about website visitors.
All the information our cookies collect is aggregated and anonymous.
The ePrivacy Regulation doesn’t even need you to seek explicit consent for using such cookies on your users’ browsers (as these cookies can be listed and explained in your Privacy Policy).
With such marketing solutions, you don’t just go in the direction of compliance, you also offer a better product experience to your users by eliminating consent fatigue.
Embracing Privacy by Design and Default
If there’s one thing the GDPR and the upcoming ePrivacy Regulation want from any business that collects, processes, uses, and manages data over any communication channel, then it’s this:
Privacy by design and privacy by default.
To make this possible, Sippel asks businesses to help consumers make informed choices about their data and privacy, even if they aren’t tech-savvy.
So whether it’s running your marketing campaigns or choosing your marketing tech stack, sticking to non-privacy-intrusive means will work best. You should also support these with explicit consent forms using the simplest possible explanations about the data you’re collecting or the consent you’re seeking.
Sure, complying with the ePrivacy Regulation will need work, but if you’re GDPR-compliant already — which you should be — you have a considerable head start.
Originally published June 10, 2019 – Updated December 15, 2021