A draft of the Commission's proposal to reform the existing e-Privacy Directive (aka the "Cookie Directive") has today been leaked. The draft is available here.
Keep in mind at this point that it is just an initial leaked draft and will be subject to change as it goes through the legislative process. Here at Fieldfisher we are still digesting the proposal (no pun intended), but by way of some early headline points:
1. Like the GDPR, the new e-Privacy law is proposed as a Regulation, with the aim of improving harmonisation across Member States.
2. Also like the GDPR, the proposed e-Privacy Regulation has extraterritorial effect and can attract fines of up to 4% of annual worldwide turnover.
3. Rules on cookies are getting considerably stricter. While there is a new limited exemption for first party analytics, the draft law proposes that consent must be obtained "prior" to cookies being served, and explicitly extends the cookie consent rules to device fingerprinting too. It also proposes that device manufacturers and browser/software providers should block third party cookies by default.
4. On the communications side, the draft law explicitly distinguishes between communications content and communications metadata, defining each. There is express allowance for processing of communications metadata by electronic communications service providers in order to maintain security, detect technical faults and to prevent fraud or abuse of the service. Communications metadata is generally expected to be deleted or anonymised once a communication has taken place, except where there are lawful grounds for retaining it (e.g. billing, etc.).
5. There are no changes to direct e-mail marketing rules, and "soft opt-in" (i.e. opt-out) first party e-marketing is still permitted. However, direct marketing phone calls will be subject to a new opt-in requirement, although Member States are permitted to legislate to allow for voice-to-voice marketing calls to take place on an opt-out basis instead.
6. Once finally adopted, the Regulation will have a 6-month lead-in period – so don't expect a two year lead-in like the GDPR.
Lots to digest and consider here. If you have any questions, then please do contact your usual Fieldfisher privacy contact.