Since it was first announced in January 2012, the General Data Protection Regulation (GDPR) has dominated the marketing industry agenda. And with its effective date now only ten months away, it’s easy to see why the debate has now risen to a clamor. But the GDPR isn’t the only new rule book companies should be prioritizing, especially when it comes to marketing.
The ePrivacy Directive (ePD) — commonly known as the “cookie law” — must also be taken into account. It’s certain this will be challenging, given that a legislative overhaul is still in progress, but the stakes will be high and that means it’s essential for marketers to start making their preparations now.
With that in mind, let’s take a look at what it is and why it matters.
The ePrivacy Regulation (ePR) in Brief
While the full details are not yet known, what we do know is enough to make the digital marketing industry sit up and take notice. Of course, there is already an ePrivacy Directive in existence, but this upgrade is set to be tougher and will become a Regulation, meaning there will be one pan-European cookie law marketers must observe – the ePR. It will not become part of the GDPR, but will be another law to comply with in parallel to the GDPR.
What Will It Mean for the Industry?
The ePR will adopt two critical aspects of the GDPR, which could make it even more important to marketers and publishers. Firstly, the ePR will adopt the GDPR’s definition and approach to consent. This means consent will have to be specific to the cookies being used, as well as freely given and unambiguous. There will be a number of technical details that need to be defined but the it’s already clear that marketers will not be allowed to load tracking cookies until consent is given. That’s a tough nut to crack, but by deploying a data specialist with the right expertise, marketers can make sure they’re equal to the challenge.
The second critical thing to know is that the ePR will adopt the GDPR’s penalties: namely up to 4% of a company’s global turnover or €20 million, whichever is greater.
For marketers, the risk level for non-compliance just jumped manifold, particularly as the inconsistent content standards of the current ePR are sparsely enforced and failure to adhere rarely results in significant penalties. Now there will be a higher benchmark for consent and heavier fines if marketers fall below it, which means there are more opportunities for things to go wrong.
Privacy officers are already under pressure to comply with the GDPR and, with the realization that ePR alignment could be even more complex, it’s not surprising some are hoping it won’t be finalized in time for its target enforcement date: 25 May 2018, the same as the GDPR.
Why Is Speedy Preparation So Important?
Privacy officers already under significant pressure to comply with the GDPR will now have to work at double speed to bring practices in line with a law that brings its own complexities and isn’t even in its final form yet.
Some are taking solace in the idea that the ePR won’t be finalized in time for it to take effect in tandem with the GDPR. But this is a misapprehension. A nuanced and overlooked aspect of the present ePD is that it accepts whichever data protection framework is currently in place. This means even if the new ePR is not finalized on schedule, the existing ePD will automatically adopt the GDPR’s definition of consent, and penalties. In light of recent changes, the UK has introduced its Data Protection Bill to reiterate the need for the consumer’s control over their personal information held by organizations.
We should expect robust enforcement right out of the gate — many data protection authorities have signaled that they intend to take ePR implementation seriously. Furthermore, as checking how companies gain consent is easiest, it’s the most likely element authorities will assess first. This is because they can simply go to website or apps and look for notice and consent tools that meet GDPR standards, instead of asking companies for records or evidence of compliance.
Time is of the essence, but there is still enough left for marketers to develop a mature ePR strategy that includes a cogent digital governance framework. It is vital to ensure that they know what cookies are on their sites and apps, and have control over them, while also ensuring their tools exceed the ePR thresholds. Notice and consent is the law of the land, and while the finer details remain to be revealed companies need to start aiming for higher regulatory standards now. Certainly, compliance with the ePR will be tough, but shying away from it is not a good strategy for anyone, especially when the stakes are so high.