You've probably had your fill of European regulations involving data, privacy and communications by now. But more is in store for those multinational companies with operations or customers in Europe who have just gone through the May 25 rollout of the General Data Protection Regulation. Next up, the ePrivacy Regulation. While this regulation is still in the approval process without a set implementation date, it is widely expected to go into effect in 2019 or 2020.

Aimed strictly at electronic communications, the ePrivacy Directive, or ePR as it is sometimes called, is meant to be complementary to the GDPR. That said, it covers entirely new ground. The new regulation is meant to update the existing ePrivacy legal framework or Directive, which dates back to 2002 and was updated in 2009. Because it is still in the implementation stage, it is difficult to say with certainty the complete scope of the ePR, said Lily Li, owner of Metaverse Law. But generally, ePR will govern all communications across electronic networks, including the metadata for such communications, up to the point at which the recipient gains control over the content, she said. At that point, the GDPR's rules will take over. Li noted that the latest ePR draft implements the same technical and organizational security standards under ePR as GDPR.

What Will the ePrivacy Regulation Include?

The regulation is (optimistically) expected to be finalized by the end of this year, so there is a fairly solid understanding of at least the broad-brush requirements that will be in it. For example, Pravin Kothari, CEO of CipherCloud, said the regulation is expected to include specific language “with respect to the confidentiality of communications data such that listening, observing or monitoring a user specifically on a website is prohibited.” So a communications provider could not, for example, scan all telephone traffic for specific keywords, and then identify those users based upon that surveillance, he said.

The ePrivacy regulation also includes very detailed protection against spam, Kothari said, which includes unsolicited email, SMS text messages and automated calling systems. Also, marketers must display their phone number or other identifying codes that indicate it is a marketing call, he said. What that means is that direct marketing communications — be it voice, email, automated messages or text messages — cannot be sent without user consent. “Until someone opts-in to marketing activity, your only outreach must be via general, website based advertising,” according to Kothari.

A Change in the Cookies Rule

As it did in its earlier iterations, the ePrivacy Directive also touches on the use of cookies, said Frederik Mennes, senior manager market and security strategy, Security Competence Center at OneSpan. “Unlike the current directive which requires users to provide consent for cookies and similar technologies on each website the user visits, the regulation proposes that users provide consent through browser settings,” he said.

Are US Companies Subject to the ePR?

Yes. It applies to all US companies that provide electronic communications services and to US companies that use these services to send direct marketing communications, collect information and use cookies. For the former, this includes the wide array of apps that have come to market in recent years, such as Skype and WhatsApp, said Paul Bischoff, privacy advocate with Comparitech. “That means both the contents of communications and all metadata regarding those communications must be secured and any such data stored by those companies must be anonymized or deleted,” he said.

As with GDPR, the penalties for non-compliance with ePrivacy can be massive, with fines expected to range from 10 to 40 million euros (or 2 to 4 percent of global revenue, whichever is greater), depending on the details of the violation, Kothari said.