Everything you need to know about Europe’s data privacy regulations
Data privacy regulation is getting messier. Regulators’ attempts to prioritize consumer privacy and curb unlicensed use of personal data in the name of business monetization has spawned a bunch of different laws and accompanying acronyms that are getting harder to untangle.
To align with the consent needs required under the General Data Protection Regulation, existing laws have had to be revised — like the Privacy and Electronic Communications Regulation. Meanwhile, businesses are preparing for the U.S. version California Consumer Privacy Act. Now, along comes the ePrivacy Regulation, a stricter revision of the current ePrivacy Directive (also known as the Cookie Directive).
Each law is different yet all are intrinsically linked by common factors. To avoid mining through the legal jargon, we’ve broken down the essentials of what you need to know about the differences and similarities between GDPR and the ePrivacy Regulation.
Who the laws affect
The rules of consent
The key difference between GDPR and the ePrivacy Regulation is the latter requires “informed consent” to process data using cookies. There are some exceptions being negotiated which relate to not needing consent for areas like cyber security and audience measurement, and also to complete certain transactions such as completing online purchases, according to policy advisor sources. GDPR has wiggle room, with six legal bases given to collect and use people’s data. Two main ones are used within advertising: legitimate interest and consent. All consent must be informed and freely given, so users need to understand what and to whom they’re consenting to. Although, the ePrivacy Regulation has no “explicit” consent stipulation, which GDPR reserves for processing particularly sensitive data like sexuality, political leaning, ethnic origin.
This is where the rubber meets the road. The ePrivacy Regulation is all about the cookies. Some rules still need to be worked out around treating different types of cookies differently. But as the rules stand, third-party cookies will be severely restricted.
“Online news content is freely accessible to all because of its underlying cookie-based advertisement business model,” said Iacob Gammeltoft, policy adviser at News Media Europe. “If advertisement cookies are undermined, journalism could ultimately be pushed behind paywalls, making it only available to those who can afford it.”
The consent gatekeepers
Under GDPR, publishers and any company that has a direct relationship with the end consumer also controls the consent-request process. They can choose how they communicate their consent needs to consumers, which ad tech partners they are willing to disclose to the user in order to gain consent and for what specific purposes, like ad targeting, campaign measurement or analytics. Under the ePrivacy Regulation proposals, this is more complex because users must set their preferences in their browser settings. That has caused publisher trade bodies concern that publishers may be cut out of the dialogue and instead the browsers will be the consent gatekeepers. There has been to-ing and fro-ing on this for months, with the result that this article has been deleted from the current version. But according to policy advisor sources, a large number of European Union member states want to reintroduce it. That has sent shivers down the spine of publishers across Europe.
“It [ePrivacy] would also further promote the development of so-called walled-gardens, strengthening the position of dominant players,” said Gammeltoft. “As for the proposal to introduce browser settings, it brings about more issues than it claims to solve, it is both inconsistent with the GDPR and technically difficult to implement.”
However, publishers can in fact ask for consent, and if given that should prevail over what is said in the browser settings.
GDPR took years to implement, and it will be years still before the full extent of its enforcement will manifest, as data protection regulators slowly make their way through cases. It’s looking likely that the ePrivacy Regulation will also come under the remit of country-specific data regulators, and there is no set timeline yet as the final parts are still being finalized. Bottom line: Despite the dire warnings, it will be years before any of the ePrivacy Regulation is fully enforced. The fines will be in line with GDPR: 4% of global annual revenue or €20 million ($22 million), whichever is higher.
‘None of this is celebrity for celebrity’s sake’: How publishers are trying to scale virtual events with high-profile star power
Scale "matters when making a media buy" for virtual events, according to Barry Lowenthal, CEO of media agency the MediaKitchen, and celebrity appearances help to achieve that.
‘An unprecedented period of Darwinian experimentation’: As sports return, Twitter eyes ad boost
The lack of match-day revenue has forced clubs to better understand the commercial value of platforms like Twitter.
‘The more culture you own’: Condé Nast pursues more revenue growth with new brand-strength metric
Condé Nast is hoping its new advertising measurement framework can drive growth for its digital ad and commerce businesses.
SponsoredThe race to frictionless consumer journeys is expanding beyond marketplaces
Compressing consumers’ path-to-purchase is the holy grail of advertising and marketing. When Jeff Bezos authored 1-Click in 2011, advertisers began to realize that in some cases — especially for consumables — awareness, consideration and purchase can all happen in seconds. Since then the rise of e-commerce marketplaces has forced a major shift in the design […]
‘Permission to think long term’: The Atlantic digs for deeper, smarter client partnerships
Atlantic Brand Partners will account for all The Atlantic’s business-to-business revenue, which is currently two-thirds of The Atlantic's overall revenues.
‘We’re about hiring journalists’: Insider Inc. launches third global news hub in Singapore
Programmatic ad revenue in the APAC region for August has doubled year-over-year.