Page 120 - CDM-CYBER-DEFENSE-eMAGAZINE-December-2018
3. So is ePrivacy just about getting more consents? Consent certainly is a firm cornerstone of the
ePrivacy Regulation. Most of us are familiar with the current consent (opt-in) requirements for email
marketing and the use of cookies on websites. This will remain in place. However, in order for consent to
be valid going forward, it is unlikely companies will be able to (continue to) rely on implied or inferred
consents. Like GDPR, ePrivacy will require consents to consist of a “clear affirmative act” from the
individual. So, for example, in the context of cookies, relying on the continued use of a website to
constitute acceptance of cookies is unlikely to be sufficient anymore.
Speaking of cookies, the ePrivacy Regulation may also contain a specific prohibition on cookie walls:
denying access to a website, service, or functionality when the user does not provide consent will not
result in valid cookie consent. And once any consent is obtained, the ePrivacy Regulation will likely
require companies to remind the individuals of the option to withdraw consent at periodic intervals of
either six or twelve months.
But it is not just about more consents. For example, the legislative proposals also suggest imposing an
obligation on companies to offer online privacy settings (such as privacy dashboards) through which
users can set and manage their online privacy preferences. Building such privacy dashboards would not
only be a costly affair for any company, but could bring along a host of other issues. This may be one of
the reasons it is still undecided whether this obligation will make its way into the final text of the ePrivacy
Regulation.
4. Does ePrivacy say anything about marketing phone calls? Yes, the ePrivacy Regulation will also
cover telephone-based marketing. The legislative proposals suggest that voice-to-voice calls should only
be allowed if the recipient has not opted out. This doesn’t necessarily suggest an opt-in for marketing
calls, but it does make sure that individuals have an opportunity to un-list from being approached by
phone for commercial purposes. Many EU countries currently already provide for a similar requirement.
In addition, companies conducting voice-to-voice calls may also have to adopt new transparency tactics,
such as displaying their calling numbers and using a specific code or prefix identifying the call as a
marketing call.
5. So what are the risks? Like GDPR, the ePrivacy Regulation will also bring about substantially higher
fines. The legislative proposals mention fines that could run up to 2% of a company’s total worldwide
annual turnover or €10 million (whichever is higher).
However, unlike GDPR, the ePrivacy rules do not look at where a company is established, but rather at where
the individuals (the recipients of emails, visitors to your website, etc.) are located. So even if your
company has no physical presence in the EU, the ePrivacy Regulation may still apply, particularly if you
market to individuals in the EU, or use cookies and/or similar technologies on their devices.
6. Where do we go from here? The ePrivacy Regulation is still a work in progress. It is uncertain when
it will be finalized, but the latest prognoses are for the end of 2018/early 2019. What is certain is that once