Back in the months leading upto GDPRmaggedon there was talk of a new ePrivacy Regulation that would replace PECR in the UK and streamline cookie and electronic marketing rules (along with some other stuff) and that this would come into force at the same time of GDPR, making a tidy transition to a new GDPR and ePrivacy regime across the EU. It was accompanied with rumours of significant changes to cookie controls for end-users as well as the end of B2B marketing without consent.
But the new ePrivacy regulation never happened, just GDPR came into force in May 2018 and since the initial proposal published in 2017, the regulation has had it’s ups and downs in terms of progress with lots of speculation it would appear in 2019, maybe 2020, maybe not at all. The problem appears to have been different presidencies of the EU having different views on its importance, but in October 2019 the Finnish Presidency published some updates and amendments to the Regulation, so it would appear it’s back from the dead.
In a general sense the key (interesting) changes appear to be:
- Users can’t be forced to accept cookies to access content (so called “cookie walls”)
- Reaffirmation that you need to provide cookie information and collect consent accordingly (as per the UK’s cookie guidance)
- Opt-in consent is needed for direct marketing, unless it’s for marketing similar products/services to someone who an organisation already has a business relationship with (i.e. they’ve bought something, so you can continue to market to them without consent). What’s still not clear, although the indications are hopeful, is what will happen with B2B marketing, with some suggesting it could stay as it is now, i.e. left to member states to decide
So, back from the dead. It would seem we may well see a new ePrivacy regulation on the horizon at some point and the two key areas of consent re: cookies and digital marketing will be covered, but to what extent remains to be seen.
But before you start getting excited, the current drafting has to go through the usual EU trilogue negotiations (Council, Commission, Parliament) probably in 2020, and if the new regulation is approved it is likely to have a 2 year implementation period (just as GDPR did), so it’s not likely to take affect until 2022 at the earliest. And from a UK perspective there’s the small matter of Brexit – if we leave the EU before it’s agreed or before it comes into force, we’ll need to see how the UK government plans to implement (if at all), although I very much see it as a key part of the ICO’s work and tied into GDPR so much that it’s unlikely the UK won’t implement most, if not all of it.