
How to comply and everything you need to know




If you thought you were finished once you complied with the GDPR and LOPD regulations, I am sorry to tell you that you still have to understand and comply with the new ePrivacy law.

Fortunately, this guide will take you step by step through everything you must take into account to comply with the ePrivacy regulations in WordPress.

The good news first: Nothing is carved in stone yet.

Originally, it was supposed to become applicable together with the GDPR on May 25, 2018. Because of a real lobbying battle between data protection advocates and industry representatives, the new regulation is unlikely to arrive before 2020. The working groups in charge of this task are divided, and many questions of content remain open.

Nevertheless, it has been decided that it will come. If you are an online entrepreneur or a blogger, sooner or later you will have to deal with it.

So that you can prepare for this, I have compiled everything you need to know in this article:

I will explain in detail what the new regulation is about, what effects it could have on your blog or online business, and what the current status is (with a clear timeline!).

I will update this article regularly and add new developments.

Attention: This blog post is not legal advice! In the context of my work as a WordPress blogger and service provider, I have dealt intensively with data protection, but I am not a lawyer or a data protection expert. Therefore, I cannot take any responsibility for the completeness, topicality and correctness of the content provided by me.

1. What is the Electronic Privacy Regulation?

The regulation on electronic privacy is the so-called lex specialis of the GDPR. As a higher special law, it specifies and complements the GDPR.

Its purpose is to replace the Directive on privacy and electronic communications, which has been in force since 2002 and was last updated in 2009 by the so-called Directive on cookies. In the eyes of the European Commission, this no longer takes into account current technical progress.

It is the next step on the path to the digital single market in the EU and its purpose is to align and raise the level of data protection of all EU Member States.

The new Regulation focuses on the confidentiality and privacy of electronic communications (for example, e-mail, SMS, instant messaging or voice calls).

These are the most important cornerstones:

1.1 Confidentiality of electronic communications

Text messages, e-mails or voice calls may not be intercepted, searched or stored without the user's consent.

1.2 Option to accept cookies and other tracking methods

Cookies and other tracking methods require the consent of the user, so offering these options is mandatory.

This does not apply to cookies that are used for smooth browsing and do not compromise privacy. Cookies that determine visitor numbers can also be set without consent.

1.3 Processing of communications content and metadata subject to authorization

Both the content of the communication and the metadata (for example, who was called, the time of the call, the location and duration of the call, the websites visited) are subject to privacy protection.

1.4 Direct marketing is not possible without prior consent

Users must have given their consent before «unsolicited commercial communications» are addressed to them. This should apply regardless of the technology used (for example, automatic calling systems, SMS or e-mail) and also to telephone advertising. For marketing calls, the telephone number must also be displayed, or the call must be identifiable as such by a special area code.

2. Who is covered by the Electronic Privacy Regulation?

Whereas the GDPR applies only to personal data, the Electronic Privacy Regulation applies comprehensively to all end users. It is intended to protect the data of natural and legal persons equally. It refers not only to the data of individuals, but also to that of companies or associations.

It will apply to all providers of electronic communications targeting end users in the European Union, regardless of where the provider is located and whether the service is free of charge or paid.

That means in plain language:

Not only online entrepreneurs, but also clubs, public institutions and amateur bloggers must adhere to it.

3. What impact does it have on online entrepreneurs and website operators?

Articles 8, 9 and 10 and recitals 20, 21, 22, 23 and 24 on cookies and tracking (if you want to read the Regulation yourself) are of particular interest to online entrepreneurs and website operators.

Here is my summary of the possible effects:

3.1 Cookies and other tracking methods

The obstacles for online entrepreneurs and website operators will be even greater with the Electronic Privacy Regulation.

With the new regulation it will no longer be possible to justify the use of cookies and other tracking methods with a legitimate interest in accordance with Article 6, paragraph 1, letter f), of the GDPR (although it has not yet been fully clarified to what extent this legitimate interest actually extends).

For the storage of cookies and the use of other tracking methods (such as fingerprinting), the new regulation now requires consent (opt-in). This consent must be revocable at any time.

You have to expect that around 40-60% of visitors will refuse their consent. Here is a small test I ran with the WordPress plugin Borlabs Cookie:

512 of 1055 (48.5%) of all respondents chose not to accept cookies. 90 (8.5%) chose that only cookies from the site's own domain may be set, and 453 (42.9%) chose that all cookies may be set.

It's amazing, right?

Only two types of cookies are excluded from this voluntary inclusion requirement:

  1. Technically necessary cookies (e.g. cookies that save the contents of a shopping cart for later retrieval, that make it possible to fill in online forms across several pages, or that save the login data of the current session)
  2. Cookies to determine the number of visitors

Nevertheless, the question of how this consent is to be given is still open. Initially, it was planned that browsers would take over this function and serve as «technical gatekeepers».

However, the associated Article 10 could be deleted entirely, as proposed by the Austrian Presidency in a revised version of June 2018. This would mean that each website operator would have to obtain consent themselves, for example with WordPress plug-ins such as Borlabs Cookie or Cookie Notice.

The outrageous condition that users be reminded at regular six-month intervals of the possibility of revoking their consent was removed (thank goodness!) with the updated bill of 20.10.2017.

3.2 Website analysis

According to article 8 paragraph 1 lit. d (in the updated bill of 20.10.2017), the storage of cookies is allowed and excluded from the obligation of consent if it ...

is technically necessary for measuring the reach of the information society service requested by the user, provided that such measurement is carried out by the operator or on its behalf, or by an independent web analytics body acting in the public interest, including for scientific purposes, provided that the data are aggregated and the user has the possibility to object to their use, and provided that personal data are not made available to third parties and the fundamental rights of the user are not affected by such measurement; and where a public measurement is carried out on behalf of an information society service provider, the data collected may only be processed by that provider and must be kept separate from the data collected in public measurements carried out on behalf of other providers.

This means that measuring the number of visitors with Matomo or other software installed on your own server should also be allowed without consent (provided that you use it with IP anonymization, a data processing agreement, opt-out, etc.).

Nevertheless, I think it is unlikely that Google Analytics can continue to be used without opt-in, because Google probably does not qualify as an «independent web analytics agency acting in the public interest, including for scientific purposes».

But the same applies here:

The last word has yet to be said. Modifications to this part of the Regulation have already been discussed. In its revised version of June 2018, the Austrian Council Presidency added that third-party tracking service providers should be allowed:

is necessary for the measurement of the audience, provided that said measurement is carried out by the provider of the information society service requested by the end user or by a third party on behalf of the provider of the information society service, provided that the conditions established in article 28 of Regulation (EU) 2016/679 are met; or

3.3 Affiliate Marketing

Affiliate marketing, too, will be made more difficult by the Electronic Privacy Regulation. Cookie tracking is the predominant method for attributing a sale to a specific affiliate.

If you now have to ask for consent before setting the cookie, it is estimated that 40-60% of all sales will go unattributed, leading to a 40-60% loss in sales.

Regardless, I don't think affiliate marketing will disappear as a business model; it will remain usable. On the one hand, there are many other methods of attributing sales, such as

  • URL tracking without cookies
  • Session tracking, which works with cookies, but which may fall within the «technically necessary cookies»
  • the use of custom coupon codes
  • Creating your own affiliate landing pages

Apart from this, the ePrivacy Regulation can still change a lot before the final draft. It can be assumed that the list of processing purposes allowed without consent will become longer rather than shorter.

3.4 Prohibition of direct marketing without consent

In my opinion, the total ban on direct marketing without consent does not change much in Germany:

Article 7 of the UWG already stipulates that advertising is only allowed if it does not constitute unreasonable harassment.

This includes not only advertising calls to potential private clients without their express consent (cold calls), but also (with some exceptions) advertising calls to companies. Article 7 of the UWG also covers advertising through electronic communication (email, SMS, etc.).

4. Entry into force and applicability of the Regulation on electronic privacy

For a final bill to be passed, the European Commission, the European Parliament and the Council of the European Union must meet in so-called trilogue negotiations.

It is not yet clear when this will happen. This is because progress in the associated working groups on the Electronic Privacy Regulation has been slow.

The Austrian Council Presidency significantly slowed down the process in the second half of 2018 by proposing major changes and the deletion of entire articles in favor of the digital economy. This approach was preceded by numerous lobbying meetings.

In its legislative train schedule, the European Parliament assumes that the European Council will reach a consensus in the first half of 2019 under the Romanian Presidency. Nevertheless, according to the calendar, the trilogue negotiations will not take place until after the European elections at the end of May 2019.

Consequently, the Electronic Privacy Regulation is unlikely to enter into force before 2020.

According to its statement of July 10, 2018 (see the response of Secretary of State Claudia Dörr-Voß on page 68), the German Federal Government even considers a transitional period of two years necessary.

More information about the individual stations on the timeline:

5. Timeline of electronic privacy

2021-2022

Applicability of the Regulation on electronic privacy?

2020

25. May: In accordance with Article 97 of the GDPR, the EU Commission must submit a report on the assessment and review of the GDPR to the EU Parliament by that date. This could also have an impact on the draft Regulation on privacy in electronic communications.

1st - 2nd quarter: Entry into force of the Regulation on electronic privacy?

2019

3rd - 4th quarter: Negotiations in the framework of the trilogue between the Council, the Parliament and the Commission on the final draft?

1. July: Finland will assume the Presidency of the EU.

23. - 26. May: 2019 European elections in which 705 new MEPs will be elected (could further delay the Regulation on electronic privacy).

1st quarter: Additional negotiations and consensus on the final draft in the European Council?

1. January: Romania assumes the Presidency of the Council of the EU.

2018

23. November: The Austrian Presidency publishes a progress report on the state of the discussions. This report again expresses concern that the Electronic Privacy Regulation, in its current form, is holding back innovation.

10. July: A few days after the start of the Austrian Presidency, the Presidency presents a revised version. Among other things, it proposes the complete deletion of Article 10 in order to exempt browser manufacturers from the obligation to provide the technical implementation of consent for cookies.

10. July: The Federal Government comments on the current draft of the Regulation on Electronic Privacy (see Secretary of State Claudia Dörr-Voß's response on page 68). It advocates a transitional period of two years from the entry into force until the Regulation on privacy and electronic communications becomes applicable.

1. July: Austria takes over the presidency of the Council of the EU.

12. June: An updated version is published with minor changes and possible discussion points in articles 6, 8 and 10.

18. May: The Bulgarian Presidency publishes a new progress report. Articles 8 and 10, among others, are questioned.

22. March: The Bulgarian Presidency publishes an updated text. Among other things, it suggests that end users are informed about privacy settings when they first install the software and choose a setting.

11. January: The Bulgarian Presidency publishes a progress report with possible changes and issues to "create a better compromise between privacy protection and incentives for innovation".

1. January: Bulgaria takes over the Presidency of the Council of the EU.

2017

5. December: The Estonian Presidency presents an updated project.

17. November: The Estonian Presidency presents a progress report on the Regulation on electronic privacy. The report concludes that "much work remains to be done on most points" and that "there are other points that need to be addressed". So the end is far from in sight.

20. October: The European Parliament adopts, by 318 votes in favor and 280 against, a revised bill of the Regulation on electronic privacy, which introduces, among other consumer-friendly amendments, a ban on so-called cookie walls (also known as tracking walls).

1. July: Estonia takes over the Presidency of the Council of the EU.

9. June: The LIBE (Committee on Civil Liberties, Justice and Home Affairs) publishes the amendments to the draft Regulation on electronic privacy.

10. January: The European Commission publishes a first draft of the Regulation on electronic privacy. A press release sets out the reasons for the bill. It is expected that the regulation can be applied together with the GDPR on May 25, 2018.

2016

04. August: The results of the consultation are presented.

April - July: A public consultation on the review of the Directive on privacy and electronic communications is launched as part of the Digital Single Market strategy.

2009

25. November: The so-called Directive on cookies complements the current Directive on privacy and electronic communications to adapt it to the rapid evolution of the market and technology, and only allows the storage of cookies if the user has given their consent (opt-in), but not explicitly.

2002

12. July: The Directive on privacy and electronic communications enters into force ("Directive on privacy and electronic communications"; 2002/58/EC).

6. What sanctions can be imposed?

The competent supervisory authorities may, as in the case of the GDPR, impose fines of up to 20 million euros or, in the case of a company, of up to 4% of its total annual worldwide turnover for the previous financial year, if this figure is higher, in case of violation of the GDPR.

7. Who is responsible for enforcing the Electronic Privacy Regulation?

Enforcing the Electronic Privacy Regulation is the responsibility of the same data protection authorities in the Member States that are already responsible for enforcing the GDPR.

In Germany they are the respective state data protection authorities.

8. What is the status quo?

Until the Regulation on privacy and electronic communications is applicable, the Directive on privacy and electronic communications of 2002 applies, which was amended in 2009 in recital 25 to include the requirements regarding cookies (since then it has also been called the Cookie Directive).

The Directive on privacy and electronic communications establishes the minimum requirements for data protection in electronic communications that the legislation must apply.

However, unlike the new regulation on electronic privacy, it is not automatically valid in all EU Member States. Each Member State must transpose it into national law. In Germany, the Directive was transposed into German law in 2004, for which the Telecommunications Law (TKG) was amended.

Nevertheless, the Directive amending the Directive on privacy and electronic communications ("Directive on cookies") of 25 November 2009 was not incorporated into German law.

9. Regulation of electronic privacy vs. GDPR

What exactly are the differences between the General Data Protection Regulation (GDPR) and the new Electronic Privacy Regulation?

Let's sum it up again:

9.1 Basic regulation vs. special law

As can be seen from the name, the GDPR is a basic regulation. This means that it represents the legal basis for data protection and provides general guidance on the processing of personal data of EU citizens.

The Regulation on electronic privacy, on the other hand, is a special law (the so-called lex specialis) that replaces the general law in a given area and takes precedence over it. This area is electronic communication.

9.2 Extension of the scope of application

The GDPR focuses on the protection of personal data, in other words, people's data. The Electronic Privacy Regulation, on the other hand, applies to all users of electronic terminals.

This means that it covers not only communication between companies and individuals, but also between individuals and individuals, as well as between companies and companies.

The new regulation also offers citizens and companies concrete protection and certain rights that are not included in the GDPR. It guarantees, for example, the confidentiality and integrity of end devices (PC, smartphone, tablet, etc.). These terminal devices can only be accessed with the prior consent of the user.

9.3 Point of effect on information flow

Although the GDPR is the basis of the Electronic Privacy Regulation, the Electronic Privacy Regulation takes effect at an earlier point in the flow of information.

While the GDPR gives users more rights and control over their personal data, the Electronic Privacy Regulation protects user data so that it does not become personal at all.

Or as defined in the status report of June 08, 2018:

The Presidency considers that the protection of content during end-to-end exchanges between end users must be guaranteed until the time the recipient obtains control of the content. From this moment, protection under the General Data Protection Regulation applies.