ePrivacy Regulation – What Monsters Lie Beneath?
12 months ago, GDPR was B2B marketing’s big scary monster. May 25th came and went, and we all survived. But as we approach Hallowe’en, another monster lurks on the horizon. Monster, only because we are yet to discover exactly what demons lie beneath the surface and what the ramifications for B2B marketing will be.
The monster in question is called the ePrivacy Regulation and it’s intended to ‘complete’ the GDPR with its focus on electronic communications. It will supersede the 2002 ePrivacy Directive (PECR) and the difference is minimal, but at the same time substantial.
The privacy of personal communications is a fundamental right. The ePrivacy Regulation delivers on the need for a legal framework to defend against technological erosion of citizens’ rights.
What will its impact be?
The ePrivacy regulation will have more clout than the directive it replaces. A regulation is a more powerful legislative instrument as it is binding across all Member States and comes into legal force on a set date, without needing to be transposed into national laws. A directive, on the other hand, allows Member States a little more flexibility, as they can choose how they interpret (and implement) the substance of the directive.
Essentially, eprivacy is a powerful implement for change.
Why isn’t the GDPR enough?
It’s not quite that simple.
The GDPR deals with general (personal) data. The proposed ePrivacy Regulation is intended to supplement the GDPR and will address, in detail, the confidentiality of electronic communications, and the tracking of Internet users.
The EU Commission states “the new law was necessary to ensure ePrivacy rules are consistent with GDPR and reinforce trust and security in the EU’s digital single market, a flagship policy”.
The ubiquitous nature of the Internet is a major driver behind the legislation. The ethos of digital marketing means consumers’ interactions with marketeers are now, more often than not, over the ether rather than via traditional methods such as telemarketing and direct mail. Additionally, the emergent IoT (Internet of Things) and the rise of smart home technologies means machine to machine comms are having a more significant impact on our lives than ever before. The intention to regulate such activity will ‘resonate’ with anyone who saw episode 6 of the BBC drama ‘Press’ recently – could the government really spy on us through our smart TVs and mobile devices?
The draft ePrivacy Regulation covers all electronic communications, a range of web tracking technologies, (including cookie consent) and is intended to combat problems like spam, over-zealous profiling and behavioural advertising by requiring transparency and affirmative consent by the consumer.
The challenge is, no-one really knows the extent of data gathering, collection and usage in electronic communications. We just know we lack transparency on how our personal data is being used. Whilst we understand, adopt and accept general usage when it works in our favour, we are quick to reject it when its usage becomes potentially sinister.
How is the approval process going?
The EU Commission initially proposed the new regulation in January 2017. As we approach 2019, EU institutions are still trying to reach a consensus. Right now, it’s not even certain whether ePrivacy will get the green light.
Consumer protection groups are determined that ePrivacy should be a vehicle for further strengthening the data protection framework put in place by GDPR. Data scandals such as the Facebook-Cambridge Analytica debacle demonstrate that data-driven business models need closer checks to protect consumers.
It’s a slow process.
What’s causing the delay?
Although we all agree that consumer privacy and data protection are paramount, there are many contested issues as ePrivacy seeks to align B2B with B2C data protection and privacy.
The advertising technology industry is concerned that ePrivacy could have a seriously detrimental effect on its business model. This industry relies on cookies and tracking technologies in order to monetize targeted ads. If consumers need to opt-in to being tracked this would significantly hinder the tracking and interactions of behaviourally target ads at web users and could destroy the adtech industry as we know it.
Consumers want the functionality, sophistication and personalisation that behavioural advertising and targeting brings. The challenge is they don’t really understand what companies are doing with their data. It is this conspicuous lack of transparency which ePrivacy seeks to address.
GDPR very clearly sets out an expectation of privacy by design and default. Gone are the murky waters of soft opt-ins and opt-outs for the B2C world. It should be noted here that, in the B2B world post-GDPR, marketing can still be carried out under the basis of legitimate interest – commons sense prevailed!
Following the principle of privacy by design and default, it could be argued that cookie consent should be, by default, opt-out. This would mean that any website must be required to gain a positive opt-in from a visitor for any tracking cookies. It’s a radical step, one which the adtech industry is opposed to, but one which is becoming familiar.
The silver lining to the new regulation could be that if you increase consumers’ trust in the Internet by respecting their privacy there should be a symbiotic positive effect on ecommerce. Web users should be more comfortable transacting online as the fear of misappropriation of their personal data and usage will have gone.
ePrivacy should mean that trust in the online world and the IoT will be enhanced. A goal worth working towards.
But hang on, why is ePrivacy such a big deal for B2B marketing?
Under PECR, direct marketing can be sent to employees working for corporates or public authorities without consent, on an opt-out basis. The new law would reverse this and align B2B marketing with B2C. Therefore, consent would be required for B2B marketing, no contact could be made without prior permission.
If consent were to be required for all marketing activity this would severely hamper the ability of B2B marketers to prospect for new business. The DMA argues that this would also be anti-competitive as “SME’s don’t have large amounts of customer data and therefore often rely on using third-party lists bought from a supplier. They then contact people without permission but offer them the chance to opt-out. SME’s would be at a disadvantage in comparison to large companies that already have large customer databases.”
Which key B2B marketing areas will be most affected?
1. Anyone for Coffee and Cookies?
2. Marketing with a soft opt-in
B2B marketers can currently use the soft opt-in approach to continue to market similar products and services to people who have previously bought (as long as they offer an opt-out). ePrivacy does preserve this, but places a time limit of 12 months on any further marketing.
Live marketing calls are encompassed within electronic communications, however, there is a provision allowing Member States to adopt an opt-out consent regime at a national level for telemarketing. This would mean Britain could continue to use its current approach which requires marketers to screen against the Telephone Preference Service (TPS). The DMA supports maintaining the TPS as moving to an opt-in regime would not affect the rogue traders that already flout the law to make nuisance calls.
4. OTTs and VoIPs
Communications such as instant and social media messaging services (such as WhatsApp) and VOIP (voice over internet protocol) providers (such as Skype), will soon fall under the same EU laws as telephone calls, email communications, and SMS messages.
So, what are the Legal grounds for processing information?
Whilst B2B marketing can use the legitimate interest as its grounds for processing personal data – as recognised in Recital 47 of the GDPR - the only legal ground referred to in the ePrivacy Regulation is consent. While consent may be appropriate in certain circumstances, in general, it offers less flexibility to marketers than legitimate interest. The DMA is arguing for all legal grounds to be referenced in ePrivacy, in particular legitimate interest, to ensure consistency between ePrivacy and the GDPR.
What does the DMA have to say on the matter?
The DMA, together with over 70 organisations from across Europe, are calling for EU policy makers and Member States to review the implications of the draft ePrivacy Regulation. The DMA is concerned about the potential impact on UK business of the current draft legislation and the knock-on effect to customers.
In September 2018, a letter was written by the DMA and the Federation of European Direct Marketing Associations (FEDMA). It called for the review of six issues within the proposed text, which require further work from policy makers to reach a balanced framework. These include:
the definition of direct marketing and of automated calling systems
clarifying the rules for business-to-business and communications from charities
maintaining the existing flexibility surrounding communications to a company’s existing customers
Chris Combemale, CEO of the DMA and Co-Chair of FEDMA, said: “The marketing industry is a very important part of the European economy and its future. It provides customers with personal experiences and enables direct communication between businesses and their customers, contributing to the success of the European economy as a whole. The provisions related to our industry in the ePrivacy Regulation must be carefully crafted to achieve the correct balance between privacy and innovation.”
The aim of the group is to ensure that the final text provides the right balance between protecting individuals’ privacy and continued economic development across Europe. Dr. Sachiko Scheuing, FEDMA’s Co-Chair, adds: “The ePrivacy is not just about online tracking and confidentiality of communications. The proposal also provides a fundamental framework for the personalised marketing and advertising industry. This framework must be balanced and reflect the interest and the protection of users as well as enable the direct marketing industry to grow.”
When can we expect the alleged bombshell to hit?
The European Commission hopes ePrivacy will be agreed before the May 2019 deadline. Following that, we will either have a 6- or 12-month grace period, depending on what is agreed. However, if the May deadline is missed, delays will be significant. This is good news for the marketing industry, which is already besieged by GDPR.