After two years of tightening policies and processes in readiness for General Data Protection Regulation (GDPR) enforcement, marketers may think it’s finally time to start winding down. But they would be wrong. Following hot on the heels of the GDPR is its counterpart: the ePrivacy Regulation (ePR), due for implementation in 2019.

It wasn’t meant to be this way; the ePR was originally intended to act as a GDPR-extension that would go live simultaneously. But the wheels of the law turn slowly and it seems this regulation and its firm privacy rules — including restrictions on emails and SMS — are set to keep the compliance drive rolling.

So, there is another new rulebook marketers must live by if they want to maintain strong consumer relationships and abide by the law. That means it’s time to get a grip on the ePR.

What is the ePR?

In short, the ePR is an update of the EU’s previous ePrivacy Directive — first applied in 2002 and often referred to as the ‘Cookie Law’. This also means it supersedes the UK’s Privacy and Electronic Communications Regulations (PECR). Its arrival shouldn’t therefore be a surprise; its predecessor was created to accompany the EU’s original Data Protection Directive (DPD), so it follows that with a new version of the DPD there must also be new ePrivacy guidelines. Furthermore, the two regulations are designed to work in tandem; the GDPR and ePR have the same scope — encompassing the data of all EU citizens — and penalties.

GDPR: the key differences

There are elements of crossover between the laws, aside from a shared remit. For instance, the ePR aims to ensure online privacy standards are equal to those of the GDPR. It also uses GDPR definitions of data and privacy, and seeks to expand them. But there are differences too. While the GDPR covers the overall processing of personal data, the ePR sets specific rules for how privacy must be safeguarded when providing electronic communications. This means it applies to marketing emails, SMS, phone calls, site tracking cookies, as well as instant messaging apps, and interactions via the Internet of Things (IoT).

It is also worth noting that the regulations enshrine two separate articles of the European Charter of Human Rights. The GDPR observes Article 8 — protecting personal data — and the ePR relates to Article 7, with an emphasis on respecting individual privacy.

How does it impact marketers?

Of course, the ePR terms are still going through an approval process and many revisions; see the latest draft here. But the key changes proposed so far look likely to have a significant impact on all companies, and especially marketers. Chiefly in three central areas:

1. No more cold contact

Under the ePR, consent provisions apply to all direct contact with identified individuals, from email to text. This means that the days of unsolicited digital messaging could soon be over: marketers will need clear consent from individuals before delivering communications. Yet though this may seem like a challenge, particularly for the 58% of brands habitually using email marketing, it’s only a small step up from current measures. Most businesses are already asking permission to access personal data — and explaining how and why it will be used. So, expanding requests to include communications isn’t a great stretch.

2. Cookie control: shifting responsibility

Cookies are a fundamental driver of online marketing, with 43% of brands always using them and 63% of that number leveraging them to fuel display ads, paid search, and retargeting. Yet, as most brands are aware, cookie deployment is now subject to greater restrictions: with the GDPR classifying any that render individuals indefinable as personal data and thereby necessitating a lawful basis for processing. According to the new draft of the ePR in July, which came from the Austrian presidency of the Council of the EU, the entity storing cookies or similar identifiers will be responsible for obtaining consent from the user. Organisations may also obtain consent via a third party vendor. Ultimately, the ePR works to give individuals the ability to dictate their specific cookie preferences through the need for consent.

3. A harder line on metadata

Digitalisation has profoundly impacted how we connect — interaction via instant messaging alone has increased by 40% over the last five years. To reflect this, the ePR proposes to hold online communication companies, such as WhatsApp and Facebook Messenger, to the same standards as telecommunications providers. This means they must meet equally stringent requirements when it comes to data security. For marketers, the most crucial aspect of this is that metadata — insight such as the numbers users contact, when, how long for, location, and their IP address — must be given identical protection to message content.

Moreover, online communication providers must gain consent to retain metadata after it is used to transmit communication, unless it is needed for billing. Without that permission, their only options will be deletion or anonymisation. So, marketers will be dependent on the compliance of instant messaging apps to obtain the insight required for personalisation.

For now, many marketers are under the false impression that the arrival of the GDPR will put an end to data scrutiny. But this is far from the case. In 2019, the ePR will mark the latest step in a growing movement towards giving consumers greater control over their data and online privacy.

Yet it would also be a mistake to assume increased regulation is a negative development for the industry. Trust is vital to retain consumer favour and foster relationships that last — and after multiple data breaches and high profile cases of misuse, faith in online data safety is low. By making it obligatory for brands to be transparent about data practices and request consent before using personal information or making contact, the GDPR and ePR are helping marketers rebuild consumer confidence. And this is also helping to cultivate an online environment where data is freely shared in return for genuinely valuable communications.

The compliance drive isn’t over, and nor is its ability to bring trust and transparency to the future of marketing.

Gabe Morazan

Gabe Morazan


Gabe Morazan is Director of Product Management at Crownpeak.