ePrivacy: Two Ways the Net is Tightening on Digital Marketers

The following two tabs change content below.

With GDPR taking all of the attention, digital marketers need to be aware that ePrivacy, though still not finalized, could have a greater impact on strategy and practices in across the digital marketing ecosystem…

Digital marketers are in very real danger of being blindsided by European data privacy regulations. While much of this year will see a cluster of departments focused on working towards GDPR compliance ahead of the 25th May deadline, its indecisive, unassuming partner regulation is readying a somewhat stealthy attack on the digital marketing industry. And to add insult to injury, it could interfere with your GDPR compliance checklist too, as some of the proposed regulations conflict with what has already been established by GDPR.

For the uninitiated or uncertain, ePrivacy has a focus on privacy in personal communications, but this now extends to electronic communication providers (including social media) and impacts on direct marketing. However, at the time of writing, the ePrivacy Regulation has yet to be finalized. That’s right: with only 4 months to go – the proposed deadline of 25th May 2018 has been suggested as unrealistic, but there has been no official suggestion of a postponement – and one year after the original proposal was published, nobody is yet sure of what the final regulations will be.

Two specific areas of the ePrivacy Regulation in its current draft have great impact on digital marketing, and these areas in particular have been highlighted among those under consideration in a discussion paper from the Bulgarian Presidency of the Council of the European Union dated 11 January 2018. These are:

  1. Data processing – the current draft of the ePrivacy Regulation requires consent for the processing of metadata (which contains personal data). The paper proposes that some of the alternative purposes established under GDPR be considered, to allow for data processing:
  • by legitimate interest;
  • by ‘purpose compatibility’ (Article 6(4) of GDPR); or
  • in situations where the processing would be permitted under GDPR.
  1. Cookies (, etc.) – the current draft proposes browser-level consent for tracking cookies and similar technologies, with few exceptions being allowable outside of consent (such as first-party analytics). The paper proposes a discussion on:
  • whether to include the basis of legitimate interest for the use of these cookies; or
  • whether the law should explicitly detail the acceptability of using consent to cookies as a condition for website access;
  • whether the exceptions to the consent requirement in the current draft be extended; or
  • whether instead a harm-based approach should be used.

While the Council has yet to provide any decisions, these talking points do highlight the threat digital marketers face, firstly to their ongoing work towards GDPR compliance, and also to the industry as a whole, particularly to the technology upon which it is reliant. With no firm decisions, it is of course hard to plan, but, even if ePrivacy is not to be implemented within the proposed timeframe, it is worth bearing in mind the worst-case scenario presented by the current draft, namely:

  1. The need for consent – surely by now your legal team has formulated arguments that are watertight for the use of legitimate interest as the purpose for much of your data processing, and you are in the process of implementing this into your wider strategy? With ePrivacy in its current form, much of those arguments will most likely be void, so if your strategy does not embrace provisions for consent as the central mechanism for your data processing, ePrivacy could make your current efforts for naught.
    Teavaro’s suggestion: Devise a fallback plan to allow you to transition from legitimate interest to your consent mechanism with minimal effort.
  1. The death of the cookie – with browsers (Safari, for example) already making changes to their user permissions that would see the inevitable death of the third-party cookie, ePrivacy in its current form will be the final nail in an already well-constructed coffin. Most studies suggest that when prompted (and reminded, as ePrivacy requires) to engage with tracking settings, users aren’t keen on allowing the free-for-all that has buoyed the digital marketing industry for so long. So, like creepy men, creepy ads and the practices that facilitate them are long overdue curtailment, and 2018 would seem like the year that will happen.
    Teavaro’s suggestion: If you are a data controller and haven’t already considered the wider use of cookies with your data under the privacy requirements of GDPR, there’s no time like yesterday; a first-party strategy will provide you means to control and secure your data, without limiting your use in the wider ecosystem.

Despite the discussion paper offering a glimmer of hope that the concerns of digital marketers are being discussed, considering the time it has taken for these matters to be recognised and the time that is left before the proposed ePrivacy deadline. It would be a brave company that does not consider contingency for the worst case scenario. Even if the regulators loosen the net, there are plenty of indicators that, in the case of cookie restrictions at least, the current scenario ePrivacy suggests will happen organically with or without regulation.

Posted by Ben McDermott

Leave a Reply