As anticipated from the draft leaked before Christmas, the
proposed e-Privacy Regulation addresses rules on the
confidentiality of electronic communications. Additionally, and for
the first time, over-the-top (OTT) communication service providers,
such as VoIP, are brought within its scope.
The key changes set out are as follows:
1. Third-party tracking (cookies and other similar
Under the proposed Regulation, web browsers need to ask end
users to opt-in to tracking via their privacy settings (in
recognition that under the GDPR, consent must be "freely
given, specific, informed and unambiguous"). This marks a
departure from the current practice of "notification and
implied consent," which is generally achieved via cookie
Privacy Settings Options
Providers of software that permit electronic communications
(e.g. web browsers) must inform users of their option in preventing
information being stored on their devices, as well as how users may
prevent such providers from processing information already stored
on their device(s). Furthermore, the proposed Regulation suggests
that users be offered a number of privacy setting options, ranging
from "never accept cookies" and "reject third party
cookies" to "always accept cookies."
Web browsers must ask users if they wish to allow third-party
tracking to be activated upon installation. Where web browsers are
already installed, consent must be requested at the time of the
next update or, at the latest, by 25 August 2018.
2. Direct Marketing and Telemarketing
Telemarketing phone calls will need to display their phone
number, or use a special prefix to indicate that the call is for
telemarketing purposes. In that regard, users must have the ability
to block calls with such prefixes.
In accordance with consent rules under the GDPR, to engage in
direct marketing, advertisers will need to obtain "freely
given, specific, informed and unambiguous" consent from users,
including for email and SMS marketing. In addition, users must be
informed of the marketing nature of the communication.
The GDPR will introduce a tiered framework for penalties and the
proposed Regulation follows suit; fines of up to EUR 20 million or
4% of annual global turnover for security breaches, with a maximum
fine of EUR 10 million or 20% of annual global turnover for
unsolicited marketing messages.
Commercial considerations and concerns
Concerns have already been raised by many in the advertising
industry and digital media sector about the potential restrictive
effect of the proposed Regulation, particularly regarding online
behaviour advertising. Critics argue that allowing users to select
browser settings to reject third-party tracking at the outset could
lead to a significant reduction in the online advertising audience
There are, of course, some benefits, asthe proposed Regulation
provides fewer restrictions on the way telecoms companies may use
the data that they collect about their customers, with the
potential for monetising such data via digital advertising.
Watch this space...
The proposed Regulation is now before the European Parliament
and the Council for review, with the approval of both bodies
required for the new legislation to take effect. The Commission
seeks to have the proposed Regulation come into force in tandem
with the GDPR on 25 May 2018 – an ambitious aim considering
the various concerns raised by both consumer rights groups and
industry to date.
No doubt new issues and concerns will come to the fore as these
proposals are further scrutinised by these legislative bodies,
industry and consumer interest groups. Keep an eye out for our
future blogs on this topic.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
The fourth and final part of our mini-series on the draft ICO guidance on Consent, published on 2 March 2017, focuses on the practical impact the GDPR (General Data Protection Regulation) will have on how your organisation records and manages consent.
In light of the much anticipated ICO draft GDPR (the General Data Protection Regulation) Consent Guidance being published yesterday, 2 March 2017, we will be running a mini-series on the guidelines under consultation and the impact the GDPR will have on the much vexed position of consent and the impact on your business.
The first of our four discussions on the ICO guidelines for Consent will focus on the meaning of consent under the GDPR (General Data Protection Regulation) and how this change enhances the previous law on consent to data processing.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).