Doing business in Europe? Your beleaguered legal team will have more to do than parse the General Data Protection Regulation (GDPR), the privacy law that takes effect next year. It will also have to interpret the PECR Privacy and Electronic Communications Regulations (PECR) -- a revised directive was leaked in December, and could become law the same time as the GDPR.
In some areas, the PECR seems softer than you might expect. In others, violations could get you into trouble and result in fines. For example, the draft would force technology providers to “include default settings which must all be set to preclude third parties from storing information on, or using information about, an end-user’s device,” according to an analysis posted by Giles Kirkham, Information Security Officer at Occam DM Ltd.
In practical terms, this means “browsers will have to be pre-configured so that cookies used for frequency capping of ads or ad-serving will be blocked by default unless a user opts to enable them,” the article adds.
Then there is the “general prior consent (i.e. opt-in) requirement whenever electronic communications services are used to transmit direct marketing,” the piece continues. And “the cost of getting cookie compliance wrong in the future will be much more significant,” Ruth Boardman and Guadalupe Sampedro write in a post for IPWatchdog.
But let’s get to the good news. The existing distinctions between corporate and individual subscribers (or B2B and B2B) will not be retained, the Occam article states. But the rules still allow for “called ‘soft opt-in’ for email marketing for similar products and services in limited circumstances,” it continues.
Granted, that bit of softness will not be extended to outbound calling. “Direct (voice) marketing calls will be required to use a specific marketing prefix number, so that end-users can recognize them as marketing calls,” the Occam exegesis continues.
And there are differing views about the B2B-B2C split. “The proposal distinguishes between B2C and B2B communications,” Boardman and Sampedro write.
What’s the difference? “For B2C communications, the proposal requires the sender of the communication to obtain the consent of individuals for direct e-marketing purposes,” Boardman and Sampedro explain. “For B2B communications, however, the proposed Regulation leaves it to the Member States to ensure that the legitimate interest of corporate end-users are sufficiently protected from unsolicited communications.”
The bottom line, as we understand it: You can market similar products and services without consent, but must give individuals the right to object.
Some or all of this could change prior to the PECR becoming law. But that’s where it stands right now.
It may be that you have no overseas customers. But you’d do well to keep abreast of these ideas, because you never know when they’ll make their way into the U.S. legal framework.