Here are some key things to know about the ePrivacy Regulation:
✨ Regulation replaces Directive ✨
Another important point you may not be aware of: the ePrivacy Regulation and the ePrivacy Directive are two different things, not two different names for the same thing. Now, the directive is dusty and out of date — the most recent update was a decade ago. The regulation is so new that it’s not out yet, and will replace the directive.
That’s the basics out of the way; now for a closer look…
It’s possible that the ePrivacy Regulation is taking so long to implement because the cookie rules are so wildy different to what we have at the moment; websites would have to radically change the ways in which they manage their cookies.
Under GDPR, you have to get active, informed consent from your users if you are dropping cookies that are not directly related to dealing with your users’ requests: in other words, non-essential cookies.
This is a big ask, if you consider how a lot of websites rely on third-parties, and how managing what cookies they drop can be a huge challenge.
The ePrivacy Regulation bridges this awkward gap by stipulating that things like cookie banners are actually not necessary to gather consent. The regulation states that methods for gathering consent should be as transparent and user-friendly as possible, advocating a system in which users can easily manage privacy settings in their browser.
🔮 What this could mean for the future of the internet: website owners no longer pepper their sties with interruptions designed to ask users to consent to cookies; cookies are instead intercepted by the browser, which means users could block and manage cookies right at the source. In other words: these rules have the potential to put and end to cookie banners.
This regulation has a lot of emphasis on keeping communication data secret, and therefore not used for tracking purposes. There are exceptions, such as when metadata is looked at for network maintenance and optimisation. So in the ePrivacy Regulation, communication data is stuff like:
🔮 What this could mean for the future of the internet: for one, Facebook would need to get a move on with their end-to-end encryption for Messenger. It also means that metadata would no longer be used together with other data to make inferences about users — it would close down a key channel of data for Big Tech, and potentially see the beginning of the end of persistent and systematic ad profiling.
The broad-stroke version of this rule is: no unsolicited marketing communications of any kind. That seems great and everything, but let’s break it down:
Unsolicited means without consent. So marketing communications are simply not allowed, unless a user has consented to them. There is no exception for this.
☝️ Key point: this removes the ability to hide behind legitimate interests, which is listed in the GDPR as an exception for when consent is needed. E.g. you don’t need explicit consent to process credit card information if a user has given you that data to process a payment, because it is in their legitimate interest that this data is used.
‘Marketing communications of any kind’ is not clearly scoped yet: we know it includes things like emails, where the email is from someone you’ve never bought anything from. If you’re an existing customer, emails are okay 👌. They are also still not sure whether online ads are included in this. Seems like a very serious thing to omit, but it’s possible they’re having trouble with how to implement the ‘getting consent’ part.
🔮 What this could mean for the future of the internet: is a headache for marketers, and less spam for the rest of us.
This regulation is not in effect yet, with no official date set. There are drafts still being proposed, and these are trying to get around some complex problems. A lot of this regulation is quite radical, and has the potential to set new standards in how we manage data privacy — more so than the GDPR.