The ePrivacy Regulation (ePR) is designed for greater regulation of electronic communications within the European Union, in order to increase privacy for individuals and entities. Its full name is “Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC” (Regulation on Privacy and Electronic Communications).
In the Netherlands the ePR replaced the Telecommunicatiewet.
The GDPR and ePR are designed to protect the privacy of individuals, part of the member states in Europe. The ePrivacy Regulation works in tandem with the General Data Protection Regulation (GDPR). The ePR focuses on the processing of personal data specifically through online and electronic devices and services, whereas the current GDPR focuses more on the protection of personal data. Online and electronic devices and services are for example: WhatsApp, Facebook Messenger, Skype, Gmail, iMessage and other providers of this type of communication services.
The regulation contains stronger rules to make sure people and businesses in the EU will have the same level of protection of their electronic communications. The communications content and metadata need to be better protected such as the time and the location of a call. Metadata must be anonymised or deleted if users did not give their consent, unless the data is needed for billing.
Cookies and Spam
Cookies are small text files placed on a computer or mobile device by websites the user is visiting. They store information that is widely used to make websites work more efficiently and provide information to the site owners.
The ePR is more user-friendly, as browser settings will provide for an easy way to accept or refuse tracking cookies and other identifiers. No consent is needed for non-privacy-intrusive cookies improving internet experience or cookies used by a website to count the number of visitors.
In regard to spam, the ePR bans unsolicited electronic communications by emails, SMS, and automated calling machines. Depending on Dutch law, people will either be protected by default or be able to use a do-not-call list to avoid receiving marketing phone calls. Marketing callers will need to display their phone number or use a special prefix that indicates a marketing call.
What does it mean for your business?
The scope of the ePrivacy Regulation applies to any business that provides any form of online communication service, uses online tracking technologies, or engages in electronic direct marketing. It impacts all countries under EU or European law.
In terms of direct messages through social media services, users (e.g. clients or employees) will need to give full consent to receive any promotional material from your organisation (as they would via email) and there must be an option to unsubscribe or unfollow your page or group at any time.
Due to the regulation, some companies have turned away from the use of WhatsApp, Snapchat, and other social messaging services which many deem “inappropriate” for business use since they do not comply with data protection laws. Instead, they have opted for internal messaging apps or email to ensure that they are data compliant.
Nonetheless, with this e-privacy law, your organisation will need to ensure data is compliant or else could face a fine of up to EUR 20 million or 4% of the corporation’s annual revenue.