Director, FTI Consulting
The ePrivacy regulation has had an uncertain path, and at times it seemed as though there would be no regulation introduced at all. One of the main stumbling blocks is the impact on online behavioural advertising and cookie walls on websites. However, in mid-February, the Council of the European Union’s Presidency announced a breakthrough: member states finally reached an agreement on the draft text. The next stage will be negotiations between the Commission, the Council, and the European Parliament.
If implemented, the regulation will serve as an update to the 2002 directive, bringing the rules up to speed with industry and technological changes, including voice over IP (VoIP), emerging messaging services, digital tracking technologies and IoT devices.
The ePrivacy regulation will regulate the privacy of electronic communications and how cookies are used, and will provide rules for electronic marketing. It will also introduce rules to manage the confidentiality of communications to “over the top” service providers and define the rules as to how service providers may access data stored on users’ devices. Rules for how metadata related to communications are managed, such as the location of the recipient of a message and the time a message was sent, are also included.
In the latest draft, the issue of cookie walls has not been completely avoided. A cookie wall requires visitors to agree to cookies before being able to access content on a website. Cookie walls may be permitted as an alternative to a website paywall, but only if the user can choose between the paywall and the cookie wall and the paywall does not involve consenting to cookies. The draft text places emphasis on providing the user with a genuine choice. Significantly, users will also be able to give consent to certain types of cookies by whitelisting one or more providers in their browser settings. Enabling users to whitelist providers will impact the look and feel of websites. It may help balance UI and data protection concerns, which may alleviate some of the concerns of businesses that have struggled to achieve an effective balance.
The regulation may not come into effect for some time. Still, businesses should start to consider how the rules may change their compliance obligations and identify the steps required to align their operations with the regulation's requirements. U.K. businesses are put in a challenging position, as Brexit means ePrivacy will not be automatically effective in the U.K. Up to this point, the U.K. government has not provided any guidance on whether it will adopt a similar regulation, and U.K.-based businesses should monitor developments.