As everyone is getting a little panicky about GDPR and inboxes fill with research about how unprepared we all are, I thought it would be a good idea to look a little further ahead to the ePrivacy
Regulation (ePR). And it's not just you -- there really has been a delay in it coming in.
It has been lurking in the background as one half of Europe's attempts to update data regulations.
GDPR comes in next May to regulate the legal basis under which personal information can be processed.
The ePR will then step in to say under which basis it can be used for marketing. It was
supposed to come into law at the same time as GDPR. After all, it would make sense for the laws on storage and usage to be timed to coincide with one another.
Nearly everyone in marketing has
been wondering what is going to happen. We had a good year or more of notice with GDPR to get ready, but we haven't even seen the final text of the ePR. How can it possibly be introduced within less
than six months?
So I have been making the calls to pose that very question, and both the ICO -- the UK's information watchdog -- and the industry's lobbyists -- the DMA -- agree. There is no
way that ePR will be introduced at the same time as GDPR. It is virtually impossible for the wording to be agreed upon, and for the industry to be given time to implement the new law and still adhere
to the original deadline.
The DMA is no fan of the ePR. It has a pair of pretty valid points. One is that the laws should have been combined. The other is that GDPR brings in legitimate
interests as a basis for storing data, but it's not mentioned in the ePR as a legal basis for marketing to people.
Reading between the lines -- and this is my take on it -- I wonder whether
the industry's lobbyists suspect the EU is having a second bite at the cherry?
After possibly trying to make marketing all about informed consent -- and failing -- with the GDPR, is the ePR a
second attempt? Legitimate interest got added to GDPR as an alternative to consent -- might Europe be trying to avoid the same concession with the follow-up law?
To be honest, from what I've
seen of the draft wording of the bill, there's nothing to be worried about. It's pretty much business as usual.
There is the much talked about cookie blocking at the browser level, allowing
one request to block to work across every site. Other than that, it's business as usual.
Marketing can be carried out if you have consent or a customer has given you their details and did not
take up the offer to opt-out of being marketed to.
So here are two observations. The ePR will be a damp squib. People will get worried, but it won't be anything like as much of a
compliance challenge as GDPR. And there is no way it's going to happen on time, by next May.