In addition, to GDPR the EU are planning to issue the Regulation on Privacy and Electronic Communications (ePR). ePR will replace the 2002 ePrivacy Directive and the UK’s Privacy and Electronic Communication (EU Directive) Regulations 2003. The Directive was due to come into force on the same day as GDPR and the EU Directive although due to the stage of its development it may be delayed (but unfortunately GDPR will not be).
The new law has a wider scope than the previous legislation and like GDPR aims to improve privacy. Some of the main proposals are:
- The default position for marketing to individuals is that you would need to opt in.
- The annoying cookie banners will no longer be needed at the top of your website. Instead the settings on browsers will dictate acceptance or rejection of cookies. This may mean you will not get access to certain sites depending on your cookie settings. It is also foreseen that consent wont be needed for “non-privacy intrusive cookies”.
- The scope of the new directive is wider as it will cover communication means that were not available when the previous legislation was issued such as “over-the-top” (OTT) providers such as instant messaging apps and voice over internet protocols (VoIP).
- Maximum fines would also increase to the same levels that apply under GDPR.
The ePR still need to be finalised but is likely to be introduced sooner rather than later.