The much-publicised General Data Protection Regulation (GDPR) has now been in force for nearly three months. The regulation gives individuals a greater level of control over their personal data, both online and offline, as organisations must now obtain consent for the use, sharing and storage of such information. However, it is not the only new privacy regulation becoming part of EU law, with rules on electronic communications hot on its heels.

The regulation in question is called ePrivacy, and it targets, among other areas, the right to confidentiality and data privacy on all electronic communications. This includes emails, texts, the internet, WhatsApp, Skype, online messaging, VoIP, the Internet of Things (IoT), apps, online advertising networks and telecommunications.

Sometimes known as the cookie law, as it is the law that governs the use of cookies on websites, the regulation will introduce new rules for communications content and communications metadata that will mean that organisations must ensure the confidentiality of all electronic communications and prevent surveillance from third parties.

In the wake of the recent Cambridge Analytical scandal, the regulation should mean that companies such as Facebook are no longer allowed to store information on communications between its users.

When will the ePrivacy regulation come into force?

The regulation is set to replace the Privacy and Electronic Communications Directive 2002, and is expected to come into force sometime this year, with organisations likely to have a one-year transitional period to become compliant.

Although there is some overlap, the key difference between ePrivacy and GDPR is that GDPR covers the handling of personal data in all forms, while the e-Privacy regulation covers online communications more specifically.

ePrivacy will likely require additional compliance, and like GDPR, ePrivacy regulations will involve heavy fines for non-compliance.

Business impact: ePrivacy could be “more turbulent” than GDPR

The most recent regulation looks like it will shake up some industries, particularly advertising, marketing, and the media. This is because marketing communications to individuals will be prohibited without prior consent, meaning some organisations will have to re-think their advertising campaigns and marketing.

As with GDPR, ePrivacy’s impact, and heavy fines, will not be limited to companies based in the EU.

Former Federal Trade Commission staff attorney Julie O’Neill said:

“US companies that thought they were done thinking about European privacy law may be in for a surprise. The upcoming ePrivacy Regulation is likely to affect companies’ online advertising campaigns and analytics solutions. How far the Regulation goes remains to be seen, but there is little doubt that many companies will need to adjust their practices.”

With British businesses spending an average of £1.3m on GDPR compliance, the news that another new regulation could be just around the corner may not be welcomed by some. In fact, some believe that ePrivacy could have an even bigger impact, with tech lobby groups arguing that the regulation could stifle innovation.

Of Counsel at Morrison & Foerster LLP Alja Poler De Zwart believes that implementation of the regulation could be “more turbulent” than GDPR:

“The focus is slowly but surely switching from the GDPR to the upcoming ePrivacy Regulation that will likely have a substantial impact on organisations’ digital marketing and advertising strategies,” adds Brussels-based of counsel. Looking at the current proposals, the ePrivacy Regulation could be a more turbulent journey for the marketing and advertising industry than the GDPR, and should therefore not be underestimated.”