Are the EU Cookie rules a Direct Marketing killer?
On 10 January 2017, the European Commission presented its proposal for a Regulation on Privacy and Electronic Communications. The current EU e-Privacy Directive is thus to be replaced by a Regulation, directly applicable in all EU Member States.
The goal is to have the e-Privacy Regulation adopted by 25 May 2018, the date on which the EU General Data Protection Regulation 2016/679 (“GDPR”) will become applicable. The proposal for the new e-Privacy Regulation contains important changes at three levels: (1) new cookie rules, (2) electronic direct marketing and telemarketing, and (3) enforcement (increased fines).
The most striking novelty at first glance is the choice for a Regulation instead of a Directive. This should however not come as a big surprise, given that Directive 95/46/EC has also been replaced by a Regulation (the “GDPR”). This is to ensure a thorough harmonization throughout the EU with little discrepancies between Member States’ national approaches. As a result of the direct applicability of the Regulation, there will be no (or very little) need for national implementing legislation.
A second striking novelty is the broader scope of application of the Regulation, in line with what is foreseen in the Directive establishing a European Electronic Communications Code. Where, in the past, e-Privacy legislation, as far as it concerned obligations for telecom service providers, only targeted traditional mobile and fixed-line communication services, the proposed Regulation now also targets internet-based (VoIP) communication services such as Skype and WhatsApp, irrespective of whether a payment from the end-user is required or not.
The proposed e-Privacy Regulation is to be considered as a lex specialis with regard to the GDPR. Hence, it only contains the provisions necessary to regulate the matters within its scope, and relies on the GDPR for all other aspects in relation to personal data processing. At several occasions, the text of the proposed Regulation specifically refers to the GDPR.
While there is of course more to the proposed Regulation than cookies and direct marketing, those two aspects have the broadest reach. Any company using either or both of them, will be affected by this legislative reform. The other aspects of the Regulation are primarily important for electronic communications network and service providers, and require an in-depth understanding of the electronic communications regulatory framework, which would be beyond the scope of this newsletter.
A main point of interest are of course the new cookies rules (even if at no point in time the text of the Regulation actually uses this specific term, it is only referred to in the preamble to the Regulation). Cookies are allowed in either of 4 situations: (1) carrying out a transmission over an electronic communications network, (2) upon consent given by the user, (3) providing information society services requested by the user or (4) web audience measuring by the provider of an information society service requested by the user. With regard to (2), changes are most notable.
At present, consent for cookies is obtained (or, rather, forced) through cookie consent banners. The public consultation carried out by the European Commission indicated that most persons considered these banners as an unnecessary burden and as missing the mark. Users get fatigued of seeing them on almost every website, and just click to get rid of them, without actually reading the underlying cookies policy.
The proposal now is to replace such consent banner by internet browser pre-sets. The option to pre-set browser cookie settings, where technically possible and feasible, must be offered to all users and these users must actively choose a pre-set. There will be no grandfathering clause for existing browsers and, more importantly, for current browser settings. Internet browsers must offer the option to pre-set browser cookie settings at the time of their next update or, at the latest, by 25 August 2018.
The main question here is whether these settings will suffice for Internet users to actually manage cookies and to improve their user experience. Especially as the parties issuing the cookies are not obliged to rely on browser settings. They can still decide to rely on cookie banners.
Electronic direct marketing / telemarketing
Direct marketing directed at natural persons is a second domain where the proposed e-Privacy Regulation intervenes. At present, there is an extensive body of rules on (electronic) direct marketing, mainly with regard to the prior “opt-in” consent and the right to object (‘unsubscribe’).
The proposed Regulation once again posits prior consent as a mandatory requirement for sending unsolicited electronic communications in a B2C context (e.g. direct marketing emails, pop-up messages, push notifications, SMS). Express reference is made to the requirements for a valid “opt-in” consent under the GDPR. A limited exception still applies for electronic marketing messages to existing customers, provided that the right to object is given at the time of collection of the customers’ contact details, and each time a message is sent.
What is also new, is the mandatory caller-line identification for direct marketing calls. Currently, most direct marketing firms hide their phone numbers from the recipient. In the future, they will not only have to enable caller-line identification, they will also have to use a specific prefix or code to designate a direct marketing call. Considering that end-users should have to option to refuse calls from certain caller-line identifiers, one can understand the potential impact of this proposed requirement.
The proposed e-Privacy Regulation aligns its non-compliance regime with the relevant provisions of the GDPR. Depending on the nature of the breach, administrative fines can amount to 10.000.000 / 20.000.000 EUR or 2% / 4% of a company’s annual global turnover.
In addition, individuals who suffer material or non-material damage as a result of infringement of the e-Privacy Regulation, benefit from a presumption that the infringing company is indeed responsible for such damage (unless the contrary is proven).
The European Commission did not content itself with a simple review of the e-Privacy Directive. It choose to rebuild the e-Privacy framework incorporating old and new elements in an effort to present rules fit for today’s world. A world which has changed significantly compared to that of the e-Privacy Directive’s inception.
As we are only at the beginning of the legislative process, the current text is of course still subject to change. We will keep you posted on further developments! Stay tuned…
For specific questions relating to the possible impact of this proposed e-Privacy Regulation on your company’s activities, please contact the members of our Privacy and Data Protection Team or your regular contact person at Loyens & Loeff.
StéphanieDe SmedtSenior associate Attorney at Law
Stéphanie De Smedt is senior associate within the Litigation & Risk Management Practice Group of our Brussels office.
She is head of the IP/IT & Data Protection Team in Belgium and is team leader of the firm-wide Healthcare and Life Sciences Team.