• On May 25, 2018*, the ePrivacy Regulation (the "eP Reg") may replace the existing EU ePrivacy Directive (colloquially known as the "EU Cookie Directive")

    • Many EU lawyers say this proposed "in force" date is not achievable and don't expect the eP Reg to become law until 2020
    • The eP Reg was officially published by the European Commission only on January 10, 2017 and is a law separate from the GDPR
  • It complements and is aligned with the GDPR in that

    • a breach can attract the same severe financial penalties – i.e., up to the greater of €20 million or 4% of worldwide turnover
    • it will be enforced by the same supervising authorities – i.e., the national privacy and information regulators of EU Member States
  • The eP Reg attempts to reinforce trust and security in EU's digital market
  • It will establish a new privacy legal framework for electronic communications
  • It has a very wide scope and will broadly apply to any organization that provides any form of online communication service, or that utilizes tracking technologies, or that engages in electronic direct marketing
  • Specifically, the eP Reg will apply to

    • organizations anywhere in the world that provide publiclyavailable "electronic communications services" to users in the EU or that gather data from the devices of users in the EU. It applies even if there is "no charge" for the services
    • traditional ISPs and telcos ... but also to so-called "overthe- top" providers, such as VOIP services, text messages and email providers that are not subject to the current ePrivacy Directive
    • all electronic communications data which includes both content (i.e., what was said) and metadata (i.e., who said it, when, where, and other related info about the communication)
    • anyone using cookies or similar tracking technologies
    • IoT and machine-to-machine communications
  • Among other things, the eP Reg

    • enhances "consent" requirements in line with the GDPR ... and end-users must be reminded every 12 months of their right to withdraw consent
    • requires website providers to present users with cookie consent choices

      • some EU legal commentators say this may lead to the end of cookie banners in that clear affirmative action will be required to signify freely given, specific, informed and unambiguous consent to the storage and access of third party tracking cookies
      • consumers will be the ones setting their privacy settings via their browsers or any mobile apps they use
    • keeps exemption for analytics cookies
  • For direct e-marketing, the eP Reg provides that

    • if B2C, the sender must obtain the opt-in consent of the recipient ... but consent will not be required when marketing similar products and services so long as the recipient is given the opportunity to object and opt-out
    • if B2B, each Member State may put in place whatever it deems appropriate to ensure that the legitimate interests of corporate end-users are sufficiently protected from unsolicited e-communications

To view the full article, please click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.