ePrivacy Regulation: Everything you need to know (incl. timeline!)




After the GDPR is before the ePrivacy Regulation.

And it won't be without it. I can assure you!

The good news first:

Nothing is set in stone yet.

It was originally intended to become applicable together with the GDPR on May 25th, 2018. However, due to a real lobby battle between data protectionists and business representatives, the new regulation is unlikely to be in place before 2020. The working groups charged with this are at odds and many substantive questions are still open.

That it will come, however, is a done deal. If you're an online entrepreneur or blogger, you're going to have to deal with it sooner or later.

So that you can prepare for this, I have put together everything you need to know in this article:

I explain in detail what the new regulation is all about, what effects it could have on your blog or online business and what the current status is (with a clear timeline!).

This blog post is not legal advice! As part of my work as a blogger and WordPress service provider, I have dealt intensively with data protection, but I am neither a lawyer nor a data protection expert. Accordingly, I cannot assume any liability for the completeness, topicality and correctness of the content provided by me.
Table of contents
  • 1. What is the ePrivacy Regulation?
  • 2. Who does the ePrivacy Regulation apply to?
  • 3. What are the implications for online entrepreneurs and website operators?
  • 4. Entry into force and applicability of the ePrivacy Regulation
  • 5. ePrivacy Timeline
  • 6. What penalties can be imposed?
  • 7. Who is responsible for enforcing the ePrivacy Regulation?
  • 8. What is the status quo?
  • 9. ePrivacy Regulation vs. GDPR

1. What is the ePrivacy Regulation?

The ePrivacy Regulation is the so-called lex specialis to the GDPR. As an overriding special law, it specifies and supplements the GDPR.

It is intended to replace the ePrivacy Directive that has been in force since 2002 and was last updated in 2009 with the so-called Cookie Directive. In the eyes of the EU Commission, this no longer takes current technical advances into account.

It is the next step on the way to the digital single market in the EU and is intended to align and raise the level of data protection in all EU member states.

The focus of the new regulation is on confidentiality and the protection of privacy in electronic communication (such as e-mails, SMS, instant messengers or voice calls).

These are the most important cornerstones:

1.1 Confidentiality of Electronic Communications

Text messages, e-mails or voice calls should not be tapped, listened to, searched or stored without the user's consent.

1.2 Processing of communication content and metadata is subject to consent

Both the content of the communication and metadata (e.g. who was called, the time of the call, location data and call duration, and websites visited) are subject to privacy protection. Metadata must be deleted or anonymized if users have not given their consent.

1.3 No direct mail without prior consent

Users must have consented before "unsolicited commercial communications" are directed at them. This should apply regardless of the technology used (e.g. for automatic call systems, SMS or e-mail) and also for telephone advertising. In the case of marketing calls, the phone number must also be displayed or it must be recognizable as such by a special area code.

2. Who does the ePrivacy Regulation apply to?

While the GDPR only applies to personal data, the ePrivacy Regulation applies broadly to all end users. It is intended to protect data from natural and legal persons alike. So it not only affects the data of individuals but also that of companies or associations!

It applies to all providers of electronic communications that address end users in the European Union. Regardless of where the provider is based and regardless of whether the service is offered free of charge or for a fee.

That means in plain language:

Not only online entrepreneurs, but also clubs, public institutions and hobby bloggers have to comply with it.

3. What are the implications for online entrepreneurs and website operators?

Of particular interest to online entrepreneurs and website operators are Articles 8, 9 and 10 and recitals 20, 21, 22, 23 and 24, which deal with cookies and tracking (if you want to read up on the regulation yourself).

Here is my summary of possible effects:

3.1 Cookies and Other Tracking Methods

The hurdles for online entrepreneurs and website operators are getting even higher with the ePrivacy Regulation!

Because with the new regulation, it will no longer be possible to justify the use of cookies and other tracking methods with a legitimate interest according to Art. 6 Para. 1 lit. f GDPR (… interest at all is enough).

With the new regulation, consent (opt-in) is now required for the storage of cookies and the use of other tracking methods (e.g. fingerprinting). This consent must be revocable at any time.

You have to reckon with the fact that around 40-60% of the visitors will refuse to give you their consent.

Of a total of 1055 respondents, 512 (48.5%) chose not to accept cookies, 90 (8.5%) chose to allow only cookies from the site's own domain, and 453 (42.9%) chose to allow all cookies.

Unbelievable?

Only two types of cookies are exempt from this opt-in requirement:

  1. Technically necessary cookies (e.g. cookies that save the contents of a shopping cart for later retrieval, enable online forms to be filled out across multiple pages or save the login data for the current session)
  2. Cookies for determining visitor numbers

How exactly this consent is to be given, however, is still open. Originally it was planned that browsers should take over this function and serve as "technical gatekeepers".

However, it could be that the related Article 10 could be deleted completely, as proposed by the Austrian Council Presidency in a revised version of June 2018. This would mean that every website operator would have to obtain consent himself, e.g. with WordPress plugins like Borlabs Cookie or Cookie Notice.

The outrageous requirement that users be reminded at regular intervals of six months that they can revoke their consent was (thank God!) deleted with the updated draft law of October 20th, 2017.
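The opt-in rule described in section 3.1 (no non-essential cookie or tracker before consent, consent revocable at any time, only technically necessary cookies and first-party visitor counting exempt) is easy to state and easy to get wrong in a site's code. The following is an added example written for this article; it is not code from the original post or from any plugin named above. It models the rule as a small consent gate that could sit in front of a site's cookie-setting and tracker-loading logic. The category names, the cookie registry and the handling of unknown categories are assumptions made for the illustration.

```javascript
// Added example (not from the original post): a consent gate for the
// opt-in rule in section 3.1. Category names and the registry are assumed.

// Only the two exemptions named in the draft bypass consent: technically
// necessary cookies and first-party visitor counting ("audience").
const EXEMPT_CATEGORIES = new Set(["necessary", "audience"]);

// Set-Cookie value that deletes a cookie in the browser.
function expireCookieHeader(name) {
  return `${name}=; Max-Age=0; Path=/; SameSite=Lax`;
}

class ConsentState {
  constructor() {
    this.granted = new Set(); // categories the visitor has opted in to
    this.events = [];         // audit trail: what changed and when
  }

  grant(category) {
    this.granted.add(category);
    this.events.push({ action: "grant", category, at: Date.now() });
  }

  // Consent must be revocable at any time, so revocation is a first-class
  // operation. It also returns the Set-Cookie headers needed to expire the
  // cookies that were set under the revoked category.
  revoke(category, registry) {
    this.granted.delete(category);
    this.events.push({ action: "revoke", category, at: Date.now() });
    return Object.entries(registry)
      .filter(([, cat]) => cat === category)
      .map(([name]) => expireCookieHeader(name));
  }

  // Fail closed: a category that is neither exempt nor granted is blocked,
  // which also covers cookies whose category was never declared.
  isAllowed(category) {
    return EXEMPT_CATEGORIES.has(category) || this.granted.has(category);
  }
}

// Split a declared cookie registry (name -> category) into the cookies
// that may be set now and those that must wait for an opt-in.
function partitionCookies(registry, consent) {
  const allowed = [];
  const blocked = [];
  for (const [name, category] of Object.entries(registry)) {
    (consent.isAllowed(category) ? allowed : blocked).push(name);
  }
  return { allowed, blocked };
}

// Constructed sample registry for a small shop with a blog; the names
// are illustrative, not a real site's cookies.
const SAMPLE_REGISTRY = Object.freeze({
  cart_id:       "necessary", // shopping cart contents
  PHPSESSID:     "necessary", // login session for the current visit
  _pk_id:        "audience",  // self-hosted visitor counting
  _ga:           "analytics", // third-party analytics
  affiliate_ref: "marketing", // affiliate attribution
});

// Walk through one visitor: first visit, opt-in to marketing, revocation.
function walkthrough() {
  const consent = new ConsentState();
  const beforeOptIn = partitionCookies(SAMPLE_REGISTRY, consent);
  consent.grant("marketing");
  const afterOptIn = partitionCookies(SAMPLE_REGISTRY, consent);
  const deletions = consent.revoke("marketing", SAMPLE_REGISTRY);
  const afterRevoke = partitionCookies(SAMPLE_REGISTRY, consent);
  return { beforeOptIn, afterOptIn, deletions, afterRevoke };
}

console.log(JSON.stringify(walkthrough(), null, 2));
```

On the first visit only the three exempt cookies are allowed; after the marketing opt-in the affiliate cookie joins them; after revocation it is blocked again and the gate hands back the header that deletes it, because a revocation that leaves the old cookie in place is not a real revocation. The audit trail in `events` is what you would show a supervisory authority if asked when consent was given or withdrawn.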

3.2 Website Analysis

According to Article 8 Paragraph 1 Letter d (in the updated draft law of October 20th, 2017 ), the storage of cookies is permitted and excluded from the obligation to consent, unless...

it is technically necessary for measuring the range of the information society service requested by the user, provided that this measurement is carried out by or on behalf of the operator or by an independent web analysis agency acting in the public interest - including for scientific purposes - provided that the data are aggregated and the user has the opportunity to object to the use, and provided that personal data are not made available to a third party and the fundamental rights of the user are not affected by this measurement, and if audience measurement is carried out on behalf of an information society service provider, the data collected may only be processed by this operator and must be kept separate from the data collected during audience measurements carried out on behalf of other operators.

This means that it should also be permissible without consent to measure visitor numbers with Matomo or other software that is installed on your own server (provided you use it with IP anonymization, AV contract, opt-out, etc.).

However, I think it is unlikely that the use of Google Analytics will continue to be possible without an opt-in. Because Google probably does not belong to an "independent web analysis agency that works in the public interest - also for scientific purposes".

But the same applies here:

The last word has not yet been spoken. Changes to this passage in the regulation have already been discussed. In its revised version of June 2018, the Austrian Council Presidency added that third-party providers should be allowed for tracking:

it is necessary for audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user or by a third party on behalf of the provider of the information society service provided that conditions laid down in Article 28 of Regulation (EU) 2016/679 are met; or

3.3 Affiliate Marketing

Affiliate marketing will also be made more difficult by the ePrivacy Regulation. Cookie tracking is the predominant method of attributing a sale to a specific affiliate.

If you now have to ask for consent before setting the cookie, an estimated 40-60% of all sales will not be attributed, which will lead to a corresponding 40-60% loss of sales.

However, I don't think that affiliate marketing will die out as a business model; it will still be usable. First, there are various other methods of attributing sales, such as:

  • URL tracking that works without cookies
  • Session tracking, which works with cookies, but which may fall under the "technically necessary cookies".
  • the use of personalized voucher codes
  • Creating your own landing pages for affiliates

Second, a lot of the ePrivacy Regulation can and will change before the final draft. It can be assumed that the list of permitted processing purposes without consent will become longer rather than shorter.


3.4 Prohibition of direct marketing without consent

As far as I can tell, the comprehensive ban on direct mail without consent does not change much in Germany:

Because § 7 UWG already regulates that advertising is only permissible if it does not constitute an unreasonable nuisance.

And this not only includes advertising calls to potential private customers that are made without their express consent (so-called cold calling ), but also (with a few exceptions) advertising calls to traders. In addition, § 7 UWG also includes advertising via electronic communication (e-mail, SMS, etc.).

4. Entry into force and applicability of the ePrivacy Regulation

In order for a final bill to be drafted, it is necessary for the EU Commission, the EU Parliament and the Council of the European Union to meet in so-called trilogue negotiations.

When that will happen is not yet foreseeable. Because in the associated working groups on the ePrivacy Regulation, progress is slow.

The process was severely slowed down by the Austrian Council Presidency in the second half of 2018, which proposed major changes and deletions of entire articles in favor of the digital economy and then delayed the process. This action was preceded by numerous meetings with lobbyists .

In its Legislative Train Schedule , the EU Parliament assumes that the European Council will reach a consensus in the first half of 2019 under the Romanian Council Presidency. According to the schedule, however, the trilogue negotiations will only take place after the European elections at the end of May 2019.

It is therefore unlikely that the ePrivacy Regulation will come into force before 2020 .

In addition, it can be assumed that there will be a transitional period of at least one year before the regulation is also applicable. According to a statement of July 10, 2018 (see answer from State Secretary Claudia Dörr-Voß on page 68), the German federal government even considers a transitional period of 2 years necessary.

More about the individual stations in the timeline:

5. ePrivacy Timeline

2021-2022

Applicability of the ePrivacy Regulation?

2020

May 25: According to Art. 97 GDPR, the EU Commission must submit a report on the evaluation and review of the GDPR to the EU Parliament by this date. This could also affect the planned ePrivacy regulation.

1st – 2nd Quarter:  Entry into force of the ePrivacy Regulation?

2019

3rd – 4th Quarter: Trilogue negotiations by the Council, Parliament and Commission on the final draft?

1 July: Finland will take over the EU Council Presidency.

May 23-26: 2019 European elections, which will elect 705 new MEPs to the European Parliament (could delay ePrivacy regulation even further).

1st Quarter: Further negotiations and consensus on the final draft in the European Council?

1 January: Romania takes over the EU Council Presidency.

2018

November 23: The Austrian Council Presidency publishes a progress report on the status of the consultations. In this, concerns are again expressed that the ePrivacy Regulation in its current form is slowing down innovation.

10 July: A few days after the start of the Austrian Council Presidency, a revised version is presented. Among other things, this proposes a complete deletion of Article 10 so that browser manufacturers are released from the obligation to provide the technical implementation for consent to cookies.

July 10: The federal government comments (see answer from State Secretary Claudia Dörr-Voß on page 68) on the current draft of the ePrivacy Regulation. There she advocates a transitional period of two years after the entry into force until the ePrivacy Regulation becomes applicable.

1 July: Austria takes over the EU Council Presidency.

12 June: An updated version is released with minor changes and potential points of contention in Articles 6, 8 and 10.

18 May: The Bulgarian Presidency publishes a new progress report. Articles 8 and 10, among others, are questioned there.

March 22: The Bulgarian Presidency publishes an updated text. Among other things, it is proposed that end users should be informed about privacy settings when installing software for the first time and have to choose a setting.

January 11: The Bulgarian Presidency publishes a status report with possible changes and points of contention to "create a better compromise between privacy protection and incentives for innovation".

1 January: Bulgaria takes over the EU Council Presidency.

2017

5 December: An updated draft is presented by the Estonian Presidency.

17 November: The Estonian Presidency presents a progress report on the ePrivacy Regulation. The report concludes that 'much work remains to be done on most issues' and that there are 'some other issues that need to be addressed'. So there is no end in sight for a long time.

October 20: The European Parliament passes a revised draft law of the ePrivacy Regulation by a vote of 318 to 280. In addition to other consumer-friendly changes, the ban on so-called cookie walls (also tracking walls) will be introduced there.

1 July: Estonia takes over the EU Council Presidency.

9 June: LIBE (Committee on Civil Liberties, Justice and Home Affairs) publishes proposed amendments to the draft ePrivacy Regulation.

January 10: The EU Commission publishes a first draft for the ePrivacy Regulation. A press release sets out the rationale for the bill. It is planned that the regulation can be applied together with the GDPR on May 25th, 2018.

2016

August 04: The results of the consultation are presented.

April – July: A public consultation is held on the revision of the ePrivacy Directive as part of the Digital Single Market strategy.

2009

November 25th: The so-called Cookies Directive supplements the existing ePrivacy Directive in order to adapt it to the rapid development of the market and technology. With it, the storage of cookies is only permitted if a user has given his consent (opt-in), but not expressly.

2002

July 12: The ePrivacy Directive ("Privacy Directive for electronic communications"; 2002/58/EC) comes into effect.

6. What penalties can be imposed?

As with the GDPR, the competent supervisory authorities can impose fines of up to 20 million euros for violations of the regulation or, in the case of a company, up to 4% of its total global annual turnover of the previous financial year, whichever is higher.

7. Who is responsible for enforcing the ePrivacy Regulation?

The same data protection authorities in the Member States that are already responsible for enforcing the GDPR are responsible for enforcing the ePrivacy Regulation.

In Germany, these are the respective state data protection authorities.

8. What is the status quo?

Until the ePrivacy Regulation is applicable, the ePrivacy Directive of 2002 applies, which was amended in 2009 to include the requirements for cookies under Recital 25 (hence it is also called the Cookie Directive).

The ePrivacy Directive defines the minimum requirements for data protection in electronic communications to be implemented by legislation.

However, in contrast to the new ePrivacy regulation, it is not automatically valid in all EU member states. It must be transposed into national law by each individual member state. In Germany, the directive was transformed into German law in 2004, for which the Telecommunications Act (TKG) was amended.

However, the directive for changing the data protection directive for electronic communication (so-called "cookie directive") of November 25, 2009 was not implemented into German law.

9. ePrivacy Regulation vs. GDPR

What exactly are the differences between the General Data Protection Regulation (GDPR) and the new ePrivacy Regulation?

Let's summarize again:

9.1 Basic Regulation vs. Special Law

As the name suggests, the GDPR is a basic regulation. This means that it represents the data protection foundation and provides a general direction for handling the personal data of EU citizens.

The ePrivacy Regulation, on the other hand, is a special law (so-called lex specialis) that supersedes the general law in a certain area and takes precedence over it. This area is electronic communications.

9.2 Extended Scope

The GDPR focuses on the protection of personal data, i.e. the data of individuals. The ePrivacy Regulation, on the other hand, applies to all users of electronic devices.

That means it not only includes communication between companies and individuals, but also between individuals and individuals and between companies and companies.

The new regulation also gives citizens and companies concrete protection and certain rights that are not contained in the GDPR. For example, the confidentiality and integrity of end devices (PC, smartphone, tablet, etc.) is guaranteed. These end devices may only be accessed with the prior consent of the user.

9.3 Effect point in the flow of information

Although the GDPR is the basis for the ePrivacy Regulation, the ePrivacy Regulation takes precedence in the flow of information.

While the GDPR gives users more rights and control over their personal data, the ePrivacy Regulation protects user data from becoming personal in the first place.

Or as defined in the status report dated June 08, 2018:

In the Presidency's view, the protection of content during end-to-end exchanges between end-users should be guaranteed up to the moment when the recipient gains control over the content. From this moment on, the protection provided by the General Data Protection Regulation comes into effect.