On 10 February 2021, EU member states agreed on the final position for the highly anticipated ePrivacy Regulation. After three years of arduous negotiations, organisations can now plan with certainty how and when they will prepare to meet these new obligations.
Upcoming ePrivacy Regulation
The ePrivacy Regulation seeks to protect the confidentiality of electronic communications and to tackle emerging data protection and privacy issues concerning new technologies within its scope. The ePrivacy Regulation, often known as the Cookie Law, replaces its predecessor of nearly two decades, the ePrivacy Directive 2002. Under the new regulation a number of processes and technologies will fall within its scope including:
- Internet phone calls
- Online personal messaging
- Text messaging
- Cookies
In addition to protecting the confidentiality of electronic communications, ePrivacy legislation also makes provisions for offences relating to unsolicited marketing communications which may be made through various channels such as email, phone, or post. Additional provisions also cover emerging areas of data protection law such as metadata, data processing via terminal equipment and the use of applications such as Whatsapp and Messenger.
Enhanced Cookie Compliance Requirements
ePrivacy regulation seeks to simplify data protection and tackle cookie fatigue. The legislation acknowledges that users are overloaded with numerous requests to provide consent repeatedly. Obligations will now be placed on organisations to allow cookie whitelisting and easier management of cookies. Additional provisions embolden the requirement to offer end-users a genuine choice when providing their consent for cookies.
When will ePrivacy come into force?
This recent update marks a significant move towards the enactment of the regulation and the beginning of its two-year grace period. It is likely that the regulation will fully come into force in the first half of 2023. Organisations should determine as soon as possible how they fall within the scope of this regulation and create a plan for compliance which fits into planned works for this year and the next.
Current Data Protection legislation and ePrivacy
It should be noted that the GDPR and the relevant Data Protection Acts will remain in force. ePrivacy obligations are distinct and address specific areas of data protection such as cookies, electronic communications and location data. For many organisations, the key focus areas for ePrivacy compliance will centre around new cookie compliance requirements and electronic communications.
Applicability within the UK
Although the final regulation will not directly apply under UK law, the scope of the regulation still applies to all end-users within the EU. This means that any organisation which uses cookies or electronic communications with EU end-users, even those based in the UK, must assess the impact of these requirements and integrate aspects of the ePrivacy Regulation into their operations. Data controllers within the UK should also consider that the existing ePrivacy Directive as enacted under UK law will remain in force.
Next steps
The EU Council will now negotiate with the European Parliament to finalise the agreed draft text. Once this final draft is formally adopted, the two-year grace period will commence, providing a concrete deadline for organisations to work towards. For your next steps, we recommend considering the following:
- Ascertain how your organisational processes interact with the ePrivacy requirements.
- Depending on the extent and complexity of how the new regulation applies to your organisation, allocate responsibility and resourcing as appropriate within your 2021 and 2022 compliance plans.
- Ensure that your house is in order with current cookie compliance obligations and review the current process in conjunction with the upcoming requirements.
- Take a proactive role in complying with the regulation early.
Trilateral’s Data Governance and Cyber-Risk Team has extensive experience working with organisations and their digital partners to ensure that their processes and procedures are compliant with the latest data protection and ePrivacy regulation. Trilateral can help audit existing practices, perform gap analyses, and offer compliance support to facilitate compliant processing. Our support services will help your business to protect individuals’ fundamental rights, building trust among your website users and ultimately, your customers. Please feel free to contact our advisors, who would be more than happy to help.
