In January 2017, the European Commission (the “EC”) published its proposal for a new ePrivacy Regulation (the “ePrivacy Proposal”), which will replace the ePrivacy Directive of 2002 (2002/58/EC) and the Cookie Directives of 2009 (2009/136/EC). Currently, the draft is pending in the European Parliament and the Council. The EC’s goal is to adopt the new ePrivacy Regulation by May 25, 2018, when the General Data Protection Regulation (the “GDPR”) will become effective.
Like the GDPR, the ePrivacy Proposal provides for strict enforcement measures in cases of non-compliance, with administrative fines of up to EUR 20 million or, alternatively, 4 percent of the total worldwide annual turnover of the preceding financial year.
In a nutshell, the most relevant provisions can be summarized as follows:
The EC’s ePrivacy Proposal shows that companies should not only focus on the GDPR when making their European operations privacy-compliant, but should also keep the supplementary regulations in mind. In terms of risk management, obtaining and tracking (opt-in) consent will be essential in the future. To limit their risk exposure, companies are advised to implement reliable procedures and mechanisms to obtain and track the consent of potential recipients, users, and customers.
The full draft of the ePrivacy Proposal is available on the EC’s website here.