In January, the European Commission proposed a new Regulation on Privacy and Electronic Communications. This draft e-Privacy Regulation is intended to replace the existing e-Privacy Directive (Directive 2002/58/EC as amended by Directive 2009/136/EC) and supplement the General Data Protection Regulation (“GDPR”) as of May 25, 2018.
The draft e-Privacy Regulation has a broad scope and applies to: (i) the processing of electronic communications data carried out in connection with the provision and use of electronic communication services, and (ii) information related to terminal equipment of end-users, which means virtually any kind of information related to devices that can be used for electronic communication by sending, processing or receiving information.
The rules governing direct marketing activities, including the use of voice-to-voice calls and email, will not change the basic consent requirement already set out by the e-Privacy Directive. Under the broad definition of electronic communications, the consent requirement applies to the use of all kinds of messaging functions (i.e., functions contained in applications or internet portals) containing text, voice, video, sound or images.
Using e mail for direct marketing of products or services will still be permitted, provided the “electronic contact details” have been obtained from a customer in the context of the sale of a product and the customer is clearly and distinctly given the opportunity to object to such use, free of charge and in an easy manner. The right to object shall be given at the time of collection and each time a message is sent.
Metadata is specifically mentioned in the draft regulation. The basic rule is that both the content and metadata of e-communications are confidential and that all interference is prohibited. Service providers will need users’ consent to in order to use the metadata, such as location data, to provide services.
The draft e-Privacy lays out rules that apply to cookies, spyware, web bugs, hidden identifiers and device fingerprinting. It prohibits the use of “processing and storage capabilities of terminal equipment and the collection of information from users’ terminal equipment, including about its software and hardware”, unless consent – or some other narrow conditions – are met. Similarly to the GDPR, “consent” is defined as freely given, specific, informed, active and unambiguous consent expressed by a statement or clear affirmative action. However, in the context of cookies, such consent may be expressed by browser settings and the draft regulation places specific obligations on browser providers to ensure that appropriate consent settings and options are given to individuals.