ePrivacy Regulation: wider implications than the GDPR

Following implementation of the EU General Data Protection Regulation in the spring of this year, another amendment of the law is in the works, which could have an even more drastic impact on digital business. The ePrivacy Regulation aims to ensure sufficient respect for the privacy of every user on the internet. The associated issues were previously laid out in an e-privacy directive and a cookie directive (and implemented in the German Telemedia Act and Telecommunications Act). As these date back to 2002 and 2009, however, it would make sense for the EU to try to create a modern regulatory framework.

At first glance, all this sounds quite reasonable and harmless – the ePrivacy Regulation is only binding for those companies that provide communications services and would make many regulations into European law that are already included in the strict German data protection law (such as a ban on unauthorized advertising calls). In practice, however, this will also include all those who operate a “commercial media service” if online advertising and cookies are used for user identification.

A challenge for tracking cookies

An opt-in solution for setting tracking cookies is currently under discussion, which would mean that internet users would have to set all consents for storing cookies on each website either individually or at least within the framework of blacklisting and whitelisting in the browser settings. On an average news portal, this would amount to an average of between 30 and 50 consents for advertising networks or data processing instances. It would also make it more difficult to control campaigns, since one would have to match the consent clicks of different portals to measure reach.

So anyone who is already annoyed (and rightly so) by having to click on data protection consent buttons could soon have much more to do – and this can be especially challenging on mobile screens. Furthermore, the default setting in the browser would have to be complete denial, so that users would have to accept each individual tracking cookie on each website. At least they would also be able to activate this by default for everything.

Another new stipulation would require publishers, who currently defend themselves against adblockers and tracking cookie rejectors by not delivering the content of the website to such users in the first place, to refrain from this practice. This is good news for consistent advertising rejectors, but catastrophic for publishers whose business model is primarily based on online advertising.

Companies are defending themselves

So, when should companies, agencies and technical service providers expect the new situation and how likely is it that the new ePrivacy Regulation will take effect? For one thing, that depends on political timing. European elections will be held next May and their outcome will probably influence the speed and outcome of decisions taken in this regard. When reading the reports on the developments surrounding the ePrivacy Regulation, it becomes clear that no more corresponding decisions can be expected in this legislative period, as too many details are unresolved, while others are still being disputed. In addition to this, there will presumably be a transition period of two years, which the respective EU states will have time to implement.

Adoption of the Regulation was originally planned for the end of the transition period to the GDPR in May 2018, by the way, but the data protection officers in the companies already had their hands full. However, 2019 should not be boring for them either. After all, the new law will take effect in some form sooner or later no matter how loud the protests. You can find out what effects this would have in the second part of our series on the ePrivacy Regulation.