What does the ePrivacy Regulation mean for the online industry?

Some call it a specter, others a sword of Damocles, and it is unsettling the online industry: the ePrivacy Regulation of the European Union. ePrivacy GmbH summarizes what has happened so far and what impact the regulation may have on the online industry.

What happened so far

The first official draft of the new ePrivacy Regulation (ePR) was presented by the EU Commission on 10 January 2017: The proposed EU regulation should replace the old ePrivacy Directive (Directive 2008/58/EC) and clarify and supplement the General Data Protection Regulation (GDPR), which will come into force in May 2018, with regard to personal electronic communications data. This draft of the planned ePrivacy Regulation has been forwarded to the EU Parliament and Council.

After lengthy negotiations, the LIBE Committee responsible for the ePrivacy Regulation in the EU Parliament voted on the draft on 19 October 2017. To the surprise of the online industry, this draft text agreed in the Committee was adopted by the EU Parliament one week later, virtually unchanged. At the same time, the EU Council also discussed the draft in a working group. Member States were invited to submit their opinions by 14 August 2017. 

With the adoption of the draft by the EU Parliament, the mandate for the next procedural step, the EU Parliament's negotiations with the EU Council, was given. In 2018, the so-called trilogue negotiations between the Commission, Parliament and the Council are to be concluded and the regulation is to enter into force. However, it is highly unclear whether the Commission can keep its target date of May 2018. Experts expect implementation in 2019.

Crucial provisions for the online industry

The new definition of the term "direct marketing" in Art. 4 (3) f ePR makes it clear that online advertising is also understood as direct marketing communication.

Cookies may only be processed without explicit consent if they are "strictly necessary" or absolutely technically indispensable to provide a service (Art. 8 para. 1a, 2).

The use of "cookie walls" is to be prevented and forced consent is to be ineffective, because multiple requests for consent are considered misuse. To prevent this, users should be able to instruct service providers to remember their objections. Providers shall ensure by means of technical specifications that the user's decision is saved. For example, this could be a "Don't ask me again" button, which lets the user stop a service provider from asking from time to time whether the refusal is still valid.

In the event that cookies are rejected, the user must be given an alternative option to use the respective offer without the use of cookies (Art. 9 para. 2). 

The use of cookies is permitted if the user has given his or her consent. However, the new wording now states that consent must be given for specific purposes and must not be a condition of access to the service.

The draft stipulates that when the browser (or a new update) is installed for the first time, users must "set" whether they accept cookies and, if so, what kind of cookies. Since 90 % of users will choose a restrictive setting, and thus in particular will not allow third-party cookies, "the regulation effectively shuts off the device" (according to VPRT, the German Association of Private Broadcasters and Telemedia). The regulation does not provide for an automatic mechanism which, with the user's subsequent consent, releases the browser. In fact, this means that cross-domain tracking and the storage of information about the end device by third parties are prohibited. Retargeting models are virtually impossible to implement.

It must be possible to revoke given consent at any time. In addition, this possibility must be recalled at regular intervals of six months.

Cookies are only allowed in exceptions, namely (Art. 8 I):

(a) they are necessary for the sole purpose of carrying out an electronic communications operation via an electronic communications network; or

(b) the end user has given his consent in accordance with Article 9 (i.e., very unlikely, via the browser); or

(c) they are necessary for the provision of an information society service desired by the end-user; or

(d) they are necessary for measuring the web audience, provided that the operator of the information society service requested by the end-user carries out this measurement; or

(e) they are required for the security and integrity of the service.

Pursuant to Art. 10, in the future, when installing a browser, the end user must be informed of the privacy settings and give his or her consent to a setting before the installation is continued.

Software that allows access to the Internet (i.e. a browser) must in the future "by default" [...] prevent other parties from transmitting or storing information about a user's terminal device and from processing information that has already been stored on or collected by the terminal device. By default, this setting prevents the use of all cookies, unless they are technically essential for the functioning of an online service.

A new paragraph has been introduced which states that no user shall be refused access to information society services or functions, whether or not they are remunerated, on the ground that they have not given their consent to the processing of personal data and/or the use of the processing or storage capacity of their devices, which is not necessary for the provision of such services or functions. In the opinion of the BVDW (IAB Germany), this would probably continue to allow publishers to exclude users from using their service as long as they allow access to their website without collecting data within the framework of a payment model.

The exception for the measurement of reach has been changed so that it is no longer limited to the measurement of web audiences but can also be carried out by a first party or on behalf of the first party or a web analytics agency in the public interest. Third parties who carry out reach measurements on behalf of third parties are prohibited from merging data with data of others.

Do you have any further questions about the ePrivacy Regulation? Then feel free to contact us!

Dr Frank Eickmeier 
