What is the ePrivacy Regulation

What is the ePrivacy Regulation?

The Privacy and Electronic Communications Regulations (PECR) is being replaced next year with another new piece of European legislation – one that is making its way through the legislative process and which will be of significant interest to those who engage in digital marketing.  The ePR 2018, or to give it its full name, the Regulation on Privacy and Electronic Communications (also known as ePrivacy) is a regulation drafted by the EU Commission which will repeal the current Privacy and Electronic Communications Regulations 2003 (as amended) and is aimed at ‘modernising’ the law in light of technological advances and the growth of new data sharing platforms.

This acknowledgment of technology advancement was also a driver for the creation of the General Data Protection Regulations (GDPR) which became law on the 25^th May 2018. The ePrivacy Directive and the GDPR share many characteristics such as their geographical reach.

Nowadays, most companies’ marketing plans run over multiple channels, and obviously it has been important to understand how the GDPR has influenced the more traditional direct marketing campaigns and impacted on the current Privacy and Electronic Communications Regulations (PECR) governing email, internet and cookie consent. For many, it appeared that the decision as to whether to move to a fully consent based strategy or rely on a legitimate interest basis was full of forebodings. Having passed through that interesting phase, it is now time to consider what the ePrivacy regulation has in store for companies utilizing marketing techniques using all things electronic at the point of touch, telephone calling, internet, and email.

When is the ePrivacy Regulation going to change?

The ePrivacy directive should have been passed into law on the 25^th May 2018, but such was the controversy created by proposed changes in relation to direct email marketing and the use of internet cookies, its pace through the legislative process became glacial. The Direct Marketing Association began to lobby the European Commission, opposing the changes, particularly those to the issue of consent and legitimate interest, the focus of this article. In July 2018, the Presidency of the EU commission released some suggested amendments to the draft legislation and whilst some of the proposed constraints around internet cookies have been removed, Article 16, which deals with unsolicited electronic communications, has not (see below).

What will the ePrivacy Regulation change?

Currently, under GDPR, you can use legitimate interests as a basis for processing data for marketing purposes, provided PECR doesn’t require you to obtain consent. Under PECR, consent (that is freely given, specific, informed and unambiguous) is required to conduct direct, electronic marketing to individual subscribers, sole trader and some partnerships. However, you can use the ‘soft opt-in’ in clause if you have obtained the contact details in the course of a sale (or negotiations for a sale) of a product or service to that person and you are only marketing your own similar products or services. You must have given the person a simple opportunity to refuse or opt-out of the marketing, both when you first collected the details and in every message after that. This obviates the need for obtaining consent. Having taken all that in, if you are a not-for-profit, charity or political party, this isn’t available to you.

The use of internet cookies provides rich information for marketers, especially in the ability to analyse patterns of browsing and buying behavior. The requirement for consent to drop cookies onto the end user’s equipment has been a requirement under PECR for some years and has created what is now the ubiquitous ‘consent banner’. The new ePR has an ambition to provide consent at a browser level rather than a web page level, giving users the opportunity to reject cookies by default. It remains to be seen how technically feasible this could be, but it could herald the end of the tiresome banner! More positively, rumour has it those analytical cookies such as that used by Google, could be included in the small select list of cookies that do not require consent.

Article 16 of the draft ePR causes more concern about what it doesn’t say than what it does. The requirements of this article focus on the need for consent to be obtained in order to use electronic communication services to send direct marketing communications (remember, we are talking email) to end users who are natural persons. The soft opt-in still stays as described above. However, there is still ambiguity about the position with regards to B2B marketing, including the emailing of individuals with corporate email addresses. The issue as to whether or not consent is required for B2B marketing to end users who are legal persons and individuals with corporate email addresses requires clarification, or we risk a return to the pre May 2018 muddle.

The effects of ePrivacy on Direct Marketing

The GDPR creates a new global landscape for data privacy and underpins the ePR ‘bolt on’ which means both need careful attention, especially when engaging in multi-marketing communications.  Globalisation of data privacy regulation comes with much more informed and aware consumers who are more willing to probe and challenge the use and misuse of their data. Let’s not forget that the consumer was a real driving force behind the GDPR, with as many as 90% in polls wanting more control over the use of their personal information.

Marketers need to accept and face the challenges of engaging with empowered consumers in order to build trust in their brand. This is an opportunity to revisit the data collected, focus in on what preferences the consumer has, build high-quality email databases and segment more effectively. Most importantly, business need to create high-value content that is actually relevant to their target audience.

The new ePrivacy Regulation regulates electronic direct marketing and so has no bearing on direct postal marketing. However, the GDPR must be considered, as data used for postal mailing purposes must be processed in accordance with those particular regulations. Importantly though, the use of ‘legitimate interest’ as the basis to conduct direct marketing is hard coded into recital 47 of the GDPR. Although the legitimate interest assessment and right to object to marketing considerations still exist, getting to grips with one set of rules instead of two will be a welcome relief to many marketing departments.

Mailing Expert is here to help

Whatever the final implications of the proposed ePrivacy Regulation, Mailing Expert will be here to help you stay in contact with existing customers and reach out to new ones. Whatever your direct mailing requirements, get in touch with Mailing Expert or give us a call on 01825 983 033.

This article was written with the expert guidance of Derek Mann MSyI (Dip), CMgr, FCMI

Derek is a Registered Independent Security Consultant and holds a Diploma in Security Management and is a GDPR practitioner. He has a significant background in risk and security management obtained in a law enforcement and private sector context. As a Director of Compliance and Privacy Solutions Ltd, (https://caps-ltd.co.uk) he provides a range of pragmatic and proportionate data privacy consultancy solutions to SME’s, including offering Data Protection Officer services, compliance support packages and training.