What is the ePrivacy Regulation?

It has exactly what the GDPR is missing: rules that will actually put a stop to cookie banners.

Here are some key things to know about the ePrivacy Regulation:

1. It’s still in draft mode and the regulation is not yet in effect
2. Its rules concerning cookie consent are a lot more comprehensive than the GDPR
3. The rules around spam mean that unsolicited marketing communications are not allowed
4. Where the GDPR seeks to protect personal data, the ePrivacy Regulation seeks to protect any data relating to communications and tracking.

✨ Regulation replaces Directive ✨

Another important point you may not be aware of: the ePrivacy Regulation and the ePrivacy Directive are two different things, not two different names for the same thing. Now, the directive is dusty and out of date — the most recent update was a decade ago. The regulation is so new that it’s not out yet, and will replace the directive.

That’s the basics out of the way; now for a closer look…

The cookie rules

It’s possible that the ePrivacy Regulation is taking so long to implement because the cookie rules are so wildy different to what we have at the moment; websites would have to radically change the ways in which they manage their cookies.

Under GDPR, you have to get active, informed consent from your users if you are dropping cookies that are not directly related to dealing with your users’ requests: in other words, non-essential cookies.

This is a big ask, if you consider how a lot of websites rely on third-parties, and how managing what cookies they drop can be a huge challenge.

The ePrivacy Regulation bridges this awkward gap by stipulating that things like cookie banners are actually not necessary to gather consent. The regulation states that methods for gathering consent should be as transparent and user-friendly as possible, advocating a system in which users can easily manage privacy settings in their browser.

🔮 What this could mean for the future of the internet: website owners no longer pepper their sties with interruptions designed to ask users to consent to cookies; cookies are instead intercepted by the browser, which means users could block and manage cookies right at the source. In other words: these rules have the potential to put and end to cookie banners.

Secrecy of communication data

This regulation has a lot of emphasis on keeping communication data secret, and therefore not used for tracking purposes. There are exceptions, such as when metadata is looked at for network maintenance and optimisation. So in the ePrivacy Regulation, communication data is stuff like:

• The content of messages sent over mobile networks (like SMS) as well as the content of messages sent via communication platforms that sit on top of mobile networks. So that would be stuff like WhatsApp and Messenger.
• The metadata of such messages, which is all the peripheral data relating to messages, not the message content itself. E.g. time stamps, how many people in a group chat, etc. This data is anonymous, but big tech companies have the resources to get a lot of insight from it.
• Communications between IoT devices, which are communications that no human controls directly (because they are automated, or programmed to communicate in some way). E.g. your Amazon Echo ‘speaking’ to your smart kettle. There are also other, non-consumer based implications; the IoT network is vast and complex.

🔮 What this could mean for the future of the internet: for one, Facebook would need to get a move on with their end-to-end encryption for Messenger. It also means that metadata would no longer be used together with other data to make inferences about users — it would close down a key channel of data for Big Tech, and potentially see the beginning of the end of persistent and systematic ad profiling.

Rules on spam

The broad-stroke version of this rule is: no unsolicited marketing communications of any kind. That seems great and everything, but let’s break it down:

Unsolicited means without consent. So marketing communications are simply not allowed, unless a user has consented to them. There is no exception for this.

☝️ Key point: this removes the ability to hide behind legitimate interests, which is listed in the GDPR as an exception for when consent is needed. E.g. you don’t need explicit consent to process credit card information if a user has given you that data to process a payment, because it is in their legitimate interest that this data is used.

‘Marketing communications of any kind’ is not clearly scoped yet: we know it includes things like emails, where the email is from someone you’ve never bought anything from. If you’re an existing customer, emails are okay 👌. They are also still not sure whether online ads are included in this. Seems like a very serious thing to omit, but it’s possible they’re having trouble with how to implement the ‘getting consent’ part.

🔮 What this could mean for the future of the internet: is a headache for marketers, and less spam for the rest of us.

Important concluding points 👇

This regulation is not in effect yet, with no official date set. There are drafts still being proposed, and these are trying to get around some complex problems. A lot of this regulation is quite radical, and has the potential to set new standards in how we manage data privacy — more so than the GDPR.

Georgia Iacovou

Content Writer