Commentary

GDPR And Electronic Privacy Regulation -- Two Things You Should Know

As everyone is getting a little panicky about GDPR and inboxes fill with research about how unprepared we all are, I thought it would be a good idea to look a little further ahead to the ePrivacy Regulation (ePR). And it's not just you -- there really has been a delay in it coming in.


It has been lurking in the background as one half of Europe's attempts to update data regulations. GDPR comes in next May to regulate the legal basis under which personal information can be processed.

The ePR will then step in to say under which basis it can be used for marketing. It was supposed to come into law at the same time as GDPR. After all, it would make sense for the laws on storage and usage to be timed to coincide with one another.

Nearly everyone in marketing has been wondering what is going to happen. We had a good year or more of notice with GDPR to get ready, but we haven't even seen the final text of the ePR. How can it possibly be introduced within less than six months?

So I have been making the calls to pose that very question, and both the ICO -- the UK's information watchdog -- and the industry's lobbyists -- the DMA -- agree. There is no way that ePR will be introduced at the same time as GDPR. It is virtually impossible for the wording to be agreed upon, and for the industry to be given time to implement the new law and still adhere to the original deadline. 

The DMA is no fan of the ePR. It has a pair of pretty valid points. One is that the laws should have been combined. The other is that GDPR brings in legitimate interests as a basis for storing data, but it's not mentioned in the ePR as a legal basis for marketing to people.

Reading between the lines -- and this is my take on it -- I wonder whether the industry's lobbyists suspect the EU is having a second bite at the cherry?

After possibly trying to make marketing all about informed consent -- and failing -- with the GDPR, is the ePR a second attempt? Legitimate interest got added to GDPR as an alternative to consent -- might Europe be trying to avoid the same concession with the follow-up law?

To be honest, from what I've seen of the draft wording of the bill, there's nothing to be worried about. It's pretty much business as usual.

There is the much-talked-about cookie blocking at the browser level, which would allow a single request to block cookies to work across every site. Other than that, it's business as usual.

Marketing can be carried out if you have consent, or if a customer has given you their details and did not take up the offer to opt out of being marketed to.

So here are two observations. The ePR will be a damp squib. People will get worried, but it won't be anything like as much of a compliance challenge as GDPR. And there is no way it's going to happen on time, by next May. 

1 comment about "GDPR And Electronic Privacy Regulation -- Two Things You Should Know".
  1. Roy Smith from PrivacyCheq, December 12, 2017 at 1:16 p.m.

    Sean,
    The aspect of GDPR and ePR that really concerns the marketers, adtech and big data companies we talk to was just casually mentioned here. You say "Marketing can be carried out if you have consent ...".

    Gathering and managing informed consent is going to be a huge problem for marketers. Johnny Ryan's recent research indicates that when they actually understand what marketers plan to do with their private data, less than 10% of users give their consent. The martech world is very complex, which is why the EU IAB recently floated a tech proposal that will allow consent to be properly managed by content owners and martech partners that may be three or four layers away from the original data controller. It's a really complex problem.

    Both GDPR and ePR require marketers to explain what they are going to do, and if private data is provided to third parties (networks, auction sites, analytics, retargeting), those third parties must ensure consent is in place each time they use the data.

    I'm happy to discuss this with you in detail if you'd be interested.
    Roy
