As the world prepares for the implementation of the General Data Protection Regulation (GDPR) on May 25th, the next wave of legal changes in the realm of privacy and data protection comes with the implementation of the ePrivacy Regulation (ePR). The ePR, which has not yet been finalized, will replace the ePrivacy Directive and is expected to be implemented in early 2019. The Regulation, like the GDPR, institutes stiff fines for non-compliance, puts into place stricter enforcement standards and, is a legal act which is immediately enforceable as a law in all member states of the European Union. This law will apply to any business that provides any form of online communication service, uses online tracking technologies or engages in electronic direct marketing.
The GDPR regulates the processing of personal data by both EU and non-EU organizations. The ePR is intended to complement the GDPR and introduces stricter rules that organizations must follow when sending electronic direct marketing communications and changes the current rules in relation to the use of cookies and similar tracking technologies.
The main goals of the ePR are updates to privacy laws to provide enhanced protections in the context of:
- Ensuring that the same level of protections provided under GDPR to general data processing are carried over to electronic communication services, direct marketing and cookie usage;
- Ensuring that Internet-based communication service providers such as; WhatsApp, Facebook Messenger and Skype, which are presently unregulated under the current ePrivacy Directive, are held to the requirements as traditional telecom operators when processing the content of communications and related metadata;
- Simplifying the rules on cookie usage; browser settings must provide for an easy way to accept or refuse tracking and making clear that no consent is needed for strictly-necessary and first-party analytical cookies;
- Forcing marketing callers to display their phone number or use a special prefix that indicates a marketing call to cut down on Robo-calling.
No matter what, whether the current eDirective or the new ePR applies, organizations need an individual's consent before they can send an electronic direct marketing communication, unless the below-described exceptions apply.
Valid consent
Processing personal data, for any reason, under the GDPR requires a valid legal ground. Among other requirements, this includes that the individual has consented to the processing of his or her data for specific purposes. For consent to be valid under the GDPR, it must be freely given, specific, informed and unambiguous and must be signified by a clear statement of affirmative action. The ePR follows the same approach.
The practical impact — if an organization is to rely on consent under the GDPR and/or the ePR — is that anything other than clear and concise consent to an electronic marketing communication is unlikely to be valid. Silence, pre-ticked boxes, and opt-out consent (whereby a user must take an active step to say "no" rather than "yes") are now, therefore, almost guaranteed to be invalid.
Nonetheless, an exception to gaining consent is allowed, referred to as the "soft opt-in," which means that an organization can send direct email marketing if:
- They have obtained the contact details of the recipient in the course of a sale of a product or service to that person (or under the ePrivacy Directive only, in relation to negotiations for a sale);
- They are only marketing their own similar products or services (not a third party's or group company's products and services); and
- They gave the recipient a simple opportunity to refuse or opt-out of receiving direct email marketing, both when first collecting the details and in every marketing communication after that.
No matter what, when an organization is simply sending marketing communications in the scope of doing business, and this involves the processing of personal data, the GDPR comes into play and there needs to be a legal basis for processing the personal data. The bases of having received "consent" and having "legitimate business interests" are acceptable grounds under GDPR to distribute electronic marketing communications.
Notice requirements
In addition to the significant definitional change, the GDPR mandates a much more granular approach to consent collection. This will likely require consent collection which indicates the channels through which an individual can be contacted (email, SMS, social media, etc.) and clear details regarding from whom the electronic message will come (the organization itself and/or third parties).
In sum, organizations need to consider how technically, and granularly, to synthesize consent requirements and to practically see how compliance can be achieved. Furthermore, organizations need to review and consider GDPR-compliant consent process management and/or updating of information notices.
Consent management — Looking forward, not just at Implementation Day
It is important not only to consider consent management, but the management of vendors who carry out direct marketing on behalf of your company and how all of this will be tracked, managed, maintained and purged, as needed, post-collection. That is why it is important to:
- Maintain a robust consent and/or customer identity management system;
- Maintain a third-party vendor risk management system;
- To have regularly updated data retention and privacy policies;
- To have updated trackers in customer and vendor informational platforms.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
