You've probably had your fill of European regulations involving data, privacy and communications by now. But more is in store for those multinational companies with operations or customers in Europe who have just gone through the May 25 rollout of the General Data Protection Regulation. Next up, the ePrivacy Regulation. While this regulation is still in the approval process without a set implementation date, it is widely expected to go into effect in 2019 or 2020.
Aimed strictly at electronic communications, the ePrivacy Regulation, or ePR as it is sometimes called, is meant to be complementary to the GDPR. That said, it covers entirely new ground. The new regulation is meant to update the existing ePrivacy legal framework, the ePrivacy Directive, which dates back to 2002 and was updated in 2009. Because it is still in the implementation stage, it is difficult to say with certainty the complete scope of the ePR, said Lily Li, owner of Metaverse Law. But generally, ePR will govern all communications across electronic networks, including the metadata for such communications, up to the point at which the recipient gains control over the content, she said. At that point, the GDPR's rules will take over. Li noted that the latest ePR draft implements the same technical and organizational security standards under ePR as GDPR.
What Will the ePrivacy Regulation Include?
The regulation is (optimistically) expected to be finalized by the end of this year, so there is a fairly solid understanding of at least the broad-brush requirements that will be in it. For example, Pravin Kothari, CEO of CipherCloud, said the regulation is expected to include specific language “with respect to the confidentiality of communications data such that listening, observing or monitoring a user specifically on a website is prohibited.” So a communications provider could not, for example, scan all telephone traffic for specific keywords, and then identify those users based upon that surveillance, he said.
The ePrivacy Regulation also includes very detailed protection against spam, Kothari said, which includes unsolicited email, SMS text messages and automated calling systems. Also, marketers must display their phone number or other identifying codes that indicate it is a marketing call, he said. What that means is that direct marketing communications — be it voice, email, automated messages or text messages — cannot be sent without user consent. “Until someone opts in to marketing activity, your only outreach must be via general, website-based advertising,” according to Kothari.
A Change in the Cookies Rule
Are US Companies Subject to the ePR?
As with GDPR, the penalties for non-compliance with ePrivacy can be massive, expected to range from 10 to 40 million euros (or 2 to 4 percent of global revenue, whichever is greater), depending on the details of the violation, Kothari said.