With so much noise surrounding the General Data Protection Regulation (GDPR), the equally impactful e-Privacy regulation seems to have been forgotten about.
It might only be a draft regulation at the moment, but it is due to be enacted in May 2018. So, what is this regulation and why do marketers need to pay careful heed to its contents?
Let’s get started with what the e-Privacy regulation is
The e-Privacy Regulation is a complementary piece of European legislation to the GDPR. It is designed to address specific scenarios that exist in the electronic communications world and at the same time ensure that the principles of the GDPR are still valid.
Why is the e-privacy regulation important for marketers like me?
Much of the regulation is focused on securing the privacy of electronic data and communications that travel across the internet and other electronic services. However, the regulation also covers direct marketing activity via electronic means. This activity is currently regulated in the UK by the Privacy and Electronic Communications Regulation (PECR), which sets the familiar requirements for opt in, opt out and unsubscribe rights of the individual among other things.
What is set out in this regulation will have a fundamental impact on how marketers can communicate to their customers after May 2018.
Another law! Why do we need it?
When PECR was passed as a law in the UK it needed to complement the Data Protection Act 1998 which is the current privacy law that came before the GDPR. However, the GDPR has raised the bar on privacy rights and has meant that the current laws that specialise in electronic communications do not meet the needs of the wider use of electronic communications today.
Do we know what this law will say?
In a word, no. The current proposal is under negotiation in Europe and it is possible that some of the text may change. However, the GDPR is law, so any changes made should not contradict the GDPR or its principles. The proposal is all that we have at the moment and as the target to get it approved is May 2018, it is important to understand the possible implications and make plans accordingly.
What could be the implication to marketers?
One of the main changes that this regulation will bring, is likely to be the impact on business-to-business marketing (B2B). In line with the GDPR’s wider scope of personal data, data relating to someone at their place of business is that person’s personal data. This is reflected in the new directive, where there is no distinction between B2B and B2C personal data.
If we put that in the context of B2B email marketing, whereas before you could email someone as long as you gave them the opportunity to opt out, now the rules are the same as B2C.
This means that you need to use either consent, or the so-called ‘soft opt in’ principle. Both the Article 29 working party and the European Data Protection Supervisor have asked that the regulation makes this treatment of B2B personal data clear. The idea that a right can be given to you by one hand with the GDPR and taken away with the other under the e-Privacy regulation is counter intuitive.
What exactly is a ‘soft opt in’ approach?
The GDPR concept of legitimate interest is reflected in the e-Privacy regulation by allowing the soft opt in process for both B2B and B2C marketing, so long as the following conditions apply;
- The business obtains the electronic contact details during the sale of goods or services
- The business only promotes its own similar goods or services
- The business must give the customer the opportunity to object at the time and in an easy manner
- The business must present that opportunity to object with each communication (e.g. an unsubscribe link)
This legal basis for sending direct marketing is valid for all electronic channels, namely email, SMS, social media and instant messaging apps. However, you must tell the customer which channels you intend to use at the point of collecting the information.
Consent is not just a tick box
The other legal basis for sending electronic marketing is consent. Consent relating to the e-Privacy regulation is the same as in GDPR. Consent is therefore defined as;
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
Let’s break that down into something we can all understand!
You will need to provide comprehensive information (specific, informed) about what the person is consenting to, as well as ensuring they wouldn’t be disadvantaged if they didn’t consent (freely given). There must also be no doubt as to what they are consenting to (unambiguous) and no doubt as to whether they have actually given consent (clear affirmative action).
Voice-to-voice marketing calls
Voice-to-voice marketing calls can still be undertaken as long as the end user has not objected to voice calls. Therefore, all marketing voice calls must be screened against TPS as well as CTPS first, to ensure the person has not opted out of marketing calls. You will need to provide caller line identification or a mandatory prefix (yet to be decided).
The e-Privacy regulation not only covers transmission channels, but will also impact the tracking that goes on relating to many technologies. Cookies, web beacons, hidden identifiers, device fingerprinting and any other device that is developed to track the activity of the individual will need consent from the end user.
Unlike the previous e-Privacy directive, the new regulation acknowledges the usefulness of browser based settings for obtaining consent for web based tracking. Although it would mean the default settings for browsers would be to restrict intrusive cookies.
The use of beacons in store will now require that notices are placed in prominent places, informing the customer of the tracking that is going on and telling them how they can object to it.
Regulation versus directive
Finally, the fact that the new law will be a regulation will mean that it will be more or less written into UK law in its entirety. The previous EU e-Privacy law, was a directive, so the individual member states were able to create local laws based on their own interpretation of the directives. With the GDPR, there is not much wriggle room for local Governments to water down the legislation.
You cannot make plans to change your processes and update your legacy customer data to be GDPR compliant without also taking the e-Privacy regulation into account. The fact that it is still not set in stone will make this hard to do, but those who start preparing with what we know now will be in a better place on May 24th 2018.