Progress with the European e-Privacy Regulation?
Since the European Commission unveiled a proposal for an e-Privacy Regulation in January 2017, this new piece of legislation, aiming to adapt rules on electronic communications and cookies, has undergone many iterations. On 26 July 2019, the Finnish government issued a revised proposal for the e-Privacy Regulation with some amendments that will be discussed
at a Council meeting during September.
Splitting Content and Metadata
This law regulates processing of electronic communications data by telecommunications operators. Before this amendment all electronic communications data was treated under the same rules, it is now proposed to split the rules to cover different types of data. This will mean that content can have different rules to metadata. The term metadata is used to describe a set of data that provides information about other data. For example, a digital photo could have metadata embedded into the file that contains the date and time, filename, camera settings and geolocation. By separating them it can treat them differently, as the use of metadata has become an increasing area of concern about privacy.
Cookies and similar files/tags
This draft of the e-Privacy Regulation also provides comprehensive rules for use of web cookies and similar files or tags, considerably extending the current regulations. referring now to any use of the storing or processing capabilities of the device (and not merely the storage or retrieval of information). In other words, cookies and stored information remain covered, but so do certain scripts and tags (which today largely falls outside of the scope of the current ‘cookie’ rules).
As far as ‘cookie walls’ are concerned (the practice of blocking access to content until a user gives consent to e.g. advertising cookies), the Council continues down the path it set a few iterations ago, not prohibiting cookie walls in principle provided the user is offered an ‘equivalent offer‘ that does not involve the need for such consent. It remains to be seen which of these proposals make it through the lengthy process and become EU law.
New UK Guidance on Cookies
The ICO has updated its guidance on cookies with a news item and updated web pages.
The guidance provides a reminder on the key issues including:
- The rules in PECR apply to all cookies other than those that are “strictly necessary” or used solely for carrying out the transmission of a communication;
- “Strictly necessary” is interpreted narrowly. For example, a cookie necessary to enable the operation of an online shopping cart is necessary, but advertising cookies are not;
- Individuals must be provided with clear and user-friendly information on how cookies will be used and the purpose for which they will be used;
- Users or subscribers must give consent prior to cookies being placed or used;
Regulatory Fines
The ICO has proposed fines for British Airways (£183m) and Marriott hotels (£99m) for personal data breaches.
The ICO also fined EE Limited £100,000 for sending over 2.5 million direct marketing messages to its customers, without consent.
The key point being that, if promotional material is included with a service message then the whole thing becomes a marketing message and subject to rules on consent. Ofcom has fined GiffGaff £1.4m for overcharging customers.
O2 is also subject to a new Ofcom investigation under the metering and billing directive for incorrectly charging some of its customers over a long period of time.
Ofcom Changes
Personal numbering – Review of the 070 number range - Ofcom will impose a charge control on all 070 providers, to be set at the same rate as the mobile termination rate. This will come into effect on 1 October 2019.
Helping consumers get better deals - end-of-contract and annual best tariff notifications to be introduced by 15th February 2020.
