It has been lurking in the background as one half of Europe's attempts to update data regulations. GDPR comes in next May to regulate the legal basis under which personal information can be processed.
The ePR will then step in to say under which basis it can be used for marketing. It was supposed to come into law at the same time as GDPR. After all, it would make sense for the laws on storage and usage to be timed to coincide with one another.
Nearly everyone in marketing has been wondering what is going to happen. We had a good year or more of notice with GDPR to get ready, but we haven't even seen the final text of the ePR. How can it possibly be introduced within less than six months?
So I have been making the calls to pose that very question, and both the ICO -- the UK's information watchdog -- and the industry's lobbyists -- the DMA -- agree. There is no way that ePR will be introduced at the same time as GDPR. It is virtually impossible for the wording to be agreed upon, and for the industry to be given time to implement the new law and still adhere to the original deadline.
The DMA is no fan of the ePR. It has a pair of pretty valid points. One is that the laws should have been combined. The other is that GDPR brings in legitimate interests as a basis for storing data, but legitimate interests are not mentioned in the ePR as a legal basis for marketing to people.
Reading between the lines -- and this is my take on it -- I wonder whether the industry's lobbyists suspect the EU is having a second bite at the cherry?
After possibly trying to make marketing all about informed consent -- and failing -- with the GDPR, is the ePR a second attempt? Legitimate interest got added to GDPR as an alternative to consent -- might Europe be trying to avoid the same concession with the follow-up law?
To be honest, from what I've seen of the draft wording of the bill, there's nothing to be worried about. It's pretty much business as usual.
There is the much-talked-about cookie blocking at the browser level, which allows a single blocking request to apply across every site. Other than that, it's business as usual.
Marketing can be carried out if you have consent, or if a customer has given you their details and did not take up the offer to opt out of being marketed to.
So here are two observations. The ePR will be a damp squib. People will get worried, but it won't be anything like as much of a compliance challenge as GDPR. And there is no way it's going to happen on time, by next May.