App Association members increasingly need to be aware of (sometimes rapidly changing) legal and regulatory requirements and responsibilities as they look to expand to new markets to grow their customer base. As regulators around the globe continue to grapple with the growth of an internet-based economy powered by apps, data security and privacy have become more important. New policies in this space can (and very often do) have a deep impact on app makers and their business models. Staying on top of the laws and regulations that apply to a dynamic internet-based business can be challenging, particularly for small businesses that don’t have unlimited resources to dedicate to legal compliance. Take, for instance, the newly proposed ePrivacy Regulation in the European Union.
In order to understand the ePrivacy Regulation, here is a bit of background information on the two main instruments the EU currently uses to address data protection:
- The Directive on Privacy and Electronic communications (ePrivacy Directive), adopted in 2002, requires user consent before cookies are utilized and mandates the reporting of data breaches.
- The General Data Protection Regulation (GDPR), adopted in May 2016, places a variety of requirements on organizations collecting or processing EU citizen data, grants certain rights to EU citizens, and establishes penalties for failing to comply with the GDPR.
Continuing the reform of data protection legal instruments, the European Commission introduced a proposal on January 10, 2017, to replace the ePrivacy Directive with a new ePrivacy Regulation designed to complement the GDPR by addressing the rights of EU citizens using any electronic communication services. Specifically, the ePrivacy Regulation aims to modernize EU privacy law to address internet of things (IoT) devices and over-the-top (OTT) communications services, neither of which was regulated under the ePrivacy Directive.
The new ePrivacy Regulation will likely include the following main provisions:
- Expanded Scope: the new ePrivacy Regulation has an expanded scope, covering all electronic communications service providers, including OTT service providers and other edge products and services. The Regulation seeks to expand individuals’ rights to privacy and security in all of their online communication. Any company, even one located outside of the EU, that provides electronic communication services or processes the data of EU citizens must comply.
- Restrictions on Use of Electronic Communications Data: under the new ePrivacy Regulation, communications content and metadata could generally be processed only if the processing is (a) required to transmit the communication or (b) required to keep the communication secure.
- Changes to Privacy Settings and Data Tracking – “Cookies”: the proposed ePrivacy Regulation preserves the ePrivacy Directive’s requirement that electronic communications services must gain informed consent from users to use cookies and similar tracking technologies. In addition, the Regulation relaxes how the electronic communications providers can get consent to avoid “banner fatigue.”
- Direct e-Marketing: direct e-Marketing rules would be expanded to all electronic communication means, including phone calls, SMS, social media messaging, emails, etc. Under this new proposal, end users must opt in before receiving a direct marketing communication. Companies may use contact information for customers who have purchased from them previously, but they must provide end users with a clear option to opt out on each direct marketing transmission.
- Machine-to-Machine (M2M) Communications: the type of data covered by the ePrivacy Regulation proposal includes machine-to-machine communications, typical of the IoT.
- Penalties: the new ePrivacy Regulation would use the same two-tiered system of fines as the GDPR, and violations can cost companies up to four percent of the company’s annual global profits.
The EU seeks to provide simplicity in its approach to data protection, but in reality, compliance with its Regulations and Directives can be complex and expensive. App Association members should not take lightly the extension of the proposed Regulation’s scope to include non-EU companies that process the electronic communications data of EU individuals. We will continue to work with our members to make sure they are aware of coming policy changes and how their business practices may be affected. For those seeking more detail on the ePrivacy Regulation, we recommend starting with the EC’s announcement of this proposal.
What’s next for the proposed ePrivacy Regulation? Before going into effect, the ePrivacy Regulation faces further steps, including potential negotiated revisions to finalize the text. However, those negotiations are unlikely to alter the significant changes the Regulation puts forth (e.g., scope expansion). The App Association will closely track the progress of the ePrivacy Regulation and update this blog as we learn more.
While some unknowns remain, App Association members can be assured that changes to privacy law in the EU are coming. We are committed to helping our members understand important legal and policy developments that generally impact their ability to do business.
Written with Emily Baker