
What will the upcoming ePrivacy regulation mean for your business?

Published 05 Mar 2019 by Kieran, CANDDi

Roll the clocks back to 25th May 2018.

Many marketers were fearing the worst about the General Data Protection Regulation (GDPR) that was coming into force.

Cue a string of last-minute website changes, consent emails being sent, and records removed from databases.

It was a lot to handle, right? Well for some businesses, it might have been a little too much to handle…

A survey carried out in December by IT Governance discovered that only 29% of firms in the EU are fully GDPR compliant.

With GDPR still very much in the works for some businesses, we might be about to be the bearer of some bad news: There’s another data protection regulation you need to prepare for.

As if GDPR wasn’t enough of a challenge, the new ePrivacy regulation is set to put the spotlight on businesses, in contrast to the individual-focused GDPR.

You’d be forgiven for not knowing much about ePrivacy, as the regulation remains with the European Parliament for approval, with decisions on its future likely to be made in the Spring of 2019.

What you do need to know, however, is that ePrivacy will raise the levels of consent needed to target individuals online, in an effort to provide greater transparency on personal data processes.

So how will this affect the world of digital marketing? Let’s dive in.

Be clear on cookies!

ePrivacy… aka The Cookie Monster.

This is going to be a biggie for digital marketing, as many of our most useful tools require cookies to operate effectively. This covers everything from Google Analytics to handy tools such as CANDDi!

Now, ePrivacy will by no means restrict your use of these tools. All it intends to do is make users aware of what data is being processed, and provide transparency around opting in or out.

Now we hate to get all technical, but here’s the text from the impending legislation:

“Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties from storing information on the terminal equipment; this is often presented as ‘reject third-party cookies’.”

What does that mean?

It’s essentially addressing the ‘consent fatigue’ everyone has. I mean, it’s impossible to visit a website without a pop-up asking you to opt into cookie tracking or simply a header panel that says you’re being tracked.

Often those boxes don’t accurately explain:

  • what is being tracked
  • how that data is going to be used
  • where you can opt out and change preferences

This has resulted in an interesting position being taken by the EU, whereby they have potentially made cookie control much simpler, but much more difficult for digital marketers.

The ePR suggests that browsers (Chrome, Safari…those guys), offer a blanket opt-in or opt-out on installation.

Granted, this would cut down on the number of requests received, but could also result in mass loss of useful data - such as items saved in shopping baskets.

However, the most likely scenario is that cookie consent and control will have to be made much simpler for online users, with a combination of clear language, simple explanation of cookies being used, and positive action needed for compliance.

So what can we do about it? Short answer: get ahead of the game.

  • List all of the reasons a user might want to have a cookie placed. That could be:
    • Saved shopping carts that they can come back to
    • A list of favourites being stored
    • Previously viewed items stored
    • More relevant ads (yes, this is a benefit)

  • Add these reasons to a custom cookie consent banner that clearly communicates benefits and makes it simple for the user

  • Create a control centre
    • Using the same assets created for the banner, create a control centre that communicates benefits and gives users all of the options

All of these will make you more approachable and transparent as an organisation, helping potential customers trust you.

Clean up your marketing lists…including business emails!

Ah the days of legitimate interest…

So, you sell machinery? Let me email you about this new ultra-safe workwear!

Ah, you offer marketing services? Let me email you about this new CRM system!

Wait, you specialize in property? You’ll love this email about our cleaning services!

You get the idea.

If there was a link between two different services that you could exploit, the world of sales was your oyster.

Not anymore.

If we’re honest, GDPR didn’t live up to its hype of reducing the number of spam emails we get.

The ePrivacy regulation aims to address this, with a ban on unsolicited communication through a range of channels.

In the wake of GDPR, many marketers looked to their databases to either confirm the source of their consent to process data on an individual or seek consent.

The result was a huge drop in database sizes for the purposes of email marketing, and the ePR looks to extend the application of this further.

This no longer applies only to individuals; it also applies to business emails, which could result in a whole host of problems for digital marketers.

Namely, another round of gathering opt-ins which, if GDPR is anything to go by, could result in database sizes dwindling.

So what can you do now?

  • Learn the lessons that GDPR taught us. Get consent early!

  • Create an engaging campaign that provides real value to your database of contacts, and prompt them to update their details.

  • Do this, alongside making sure you have recorded their consent data and which version of your policies applies, and you’re protected.

  • Don’t worry about the inevitable few that will drop off. Chances are they would have unsubscribed anyway, or haven’t opened an email in the last few years…and that’s no good to anyone!

Get serious about policies

Chances are, you rely on external providers to carry out advertising and messaging.

Facebook, Instagram, WhatsApp; you know who we’re talking about.

Each of those channels, in particular, has been at the forefront of advertising in recent years, as marketers move towards ‘conversational commerce’.

Now, as part of the ePR, the regulations surrounding those channels are about to change.

In technical terms, Facebook Messenger, WhatsApp, Skype etc are called “Over The Top” services.

This means that they essentially do the same job as your mobile phone, but outside of the standard network i.e. you can message and call people using them.

Network providers, such as EE & Vodafone, have to make sure that your call data is anonymised or deleted.

These rules don’t apply to OTT services currently but will do as part of ePrivacy.

Here’s what it means for you:

To be honest, your job is pretty easy here. You need to make sure that your policies are up to date and you have a copy of the channels’ policies should you need them.


The biggest takeaway here is that whilst you need to implement practical steps to remain compliant—such as cleaning your database—you also need to make sure your policies and formal documents are up to date, covering the requirements of the latest regulations.

This will help protect you and demonstrate you have been responsible/aware of regulations should you be investigated.

Author: Kieran McGeehan, Managing Director & Compliance / Data Protection Specialist at Univate

Kieran has over 15 years of experience in data compliance, holding positions within businesses such as AXA Insurance, HSBC, The Co-Operative Insurance, and is currently chairperson of the Global Association of Data Protection Representatives.

For information on the Outsourced Data Protection Office services, or for help creating data protection policies for your business, get in touch on their website.
