The Council of the European Union published a new draft of the ePrivacy Regulation (link here) for discussion purposes on 22 March. This draft aims to facilitate discussions as we are moving towards the final version of the ePrivacy Regulation. As such, the changes outlined below are not final, but rather indicative of the direction that the ePrivacy Regulation is taking. Of particular interest to companies are the provisions relating to cookie settings, and direct marketing communications:
Cookie Settings
The new draft clarifies that a one-off consent for a cookie in the context of one website is possible. This was not clear from the previous versions of the ePrivacy Regulation, however the new draft provides that a user’s consent to store a cookie or similar device may also be considered a valid consent for subsequent visits of the same website.
Further, the ePrivacy Regulation allows companies to place cookies that can be used for statistical purposes (e.g. number of end-users, number of pages visited etc.) provided that they do not personally identify the individual who is using the site.
Finally, the ePrivacy Regulation clarifies that user consent is not necessary for processing information needed to fix security related bugs or protect the integrity of a website
Direct Marketing Communications
The revised draft ePrivacy Regulation defines electronic message as including e-mail, SMS, MMS and functionally equivalent applications. This means that any type of message transmitted electronically for the purpose of marketing falls into the scope of these provisions. Further, and in response to the WP29 feedback, the new draft expands the definition of direct marketing to include communications sent or presented to an individual, and not just sent. The reasoning behind this expansion is that often companies present a tailored promotional message (e.g. a targeted ad in a social media website, a mobile push notification etc.) to a user, without necessarily sending a message.
At the same time, the revised draft clarifies that direct marketing communications do not apply to any other form of marketing, e.g. advertisements to the general public on a website that are not targeting individuals.
The revised draft also clarifies that withdrawing consent must be as easy as giving consent, and free of charge, in line with the provisions otherwise found in the General Data Protection Regulation.
Finally, an interesting national derogation is introduced, since the draft ePrivacy Regulation encourages Member States to implement national law that regulates that a direct marketing message to an existing customer cannot be sent more than 12 months after the sale of a product or a service. This time-limit of 12 months attempts to introduce a cut-off point so that companies do not contact individuals a long time after the customer’s last purchase under the pretext of an existing customer relationship.
Alston & Bird and its Brussels-based EU Privacy Team is closely following the progress of the ePrivacy Regulation towards its finalization. For more information, contact Jim Harvey or David Keating.