
How to comply and everything you need to know




If you thought you were finished once you complied with the GDPR and LOPD regulations, I am sorry to tell you that you still have to know and comply with the new ePrivacy law.

Fortunately, with this guide I will help you step by step so that you know everything you must take into account to comply with the ePrivacy regulations in WordPress.

The good news first: Nothing is carved in stone yet.

Originally, it was supposed to become applicable together with the GDPR on May 25, 2018. Due to a real lobbying battle between data protection advocates and industry representatives, the new regulation is unlikely to arrive before 2020. The working groups charged with this task are divided and many questions of content remain open.

Even so, it has been decided that it will come. If you are an online entrepreneur or a blogger, sooner or later you will have to deal with it.

So that you can prepare for this, I have compiled everything you need to know in this article:

I'll explain in detail what the new regulation is about, what effects it could have on your blog or online business, and what the current state is (with a clear timeline!).

I will update this article regularly and add new developments.

Attention: This blog post is not legal advice! In the context of my work as a WordPress blogger and service provider, I have dealt intensively with data protection, but I am not a lawyer or a data protection expert. Therefore, I cannot take any responsibility for the completeness, topicality and correctness of the content provided by me.

1. What is the Electronic Privacy Regulation?

The regulation on electronic privacy is the so-called lex specialis of the GDPR. As a higher special law, it specifies and complements the GDPR.

Its purpose is to replace the Directive on privacy and electronic communications, which has been in force since 2002 and was last updated in 2009 by the so-called Directive on cookies. In the eyes of the European Commission, this no longer takes into account current technical progress.

It is the next step on the path to the digital single market in the EU and its purpose is to align and raise the level of data protection of all EU Member States.

The new Regulation focuses on the confidentiality and privacy of electronic communications (for example, email, SMS, instant messaging or voice calls).

These are the most important cornerstones:

1.1 Confidentiality of electronic communications

Text messages, emails or voice calls will not be intercepted, searched or stored without the consent of the user.

1.2 Option to accept cookies and other tracking methods

Cookies and other tracking methods require the consent of the user, so offering these options is mandatory.

This does not apply to cookies that are used for smooth browsing and do not compromise privacy. Cookies that determine visitor numbers can also be set without consent.

1.3 Treatment of the content and metadata of communications subject to authorization

Both the content of the communication and the metadata (for example, who was called, the time of the call, the place and duration of the call, the websites visited) are subject to privacy protection.

1.4 Direct marketing is not possible without prior consent

Users must have given their consent before "unsolicited commercial communications" are addressed to them. This should apply regardless of the technology used (for example automated calling, SMS or email systems) and also to telephone advertising. For marketing calls, the phone number must also be displayed, or the call must be identifiable as such by a special area code.

2. Who is covered by the Electronic Privacy Regulation?

While the GDPR only applies to personal data, the Electronic Privacy Regulation applies comprehensively to all end users. It aims to protect the data of natural and legal persons equally. It refers not only to the data of individuals, but also to that of companies or associations.

It will apply to all providers of electronic communications targeting end users in the European Union, regardless of where the provider is located and whether the service is free or paid.

That means in plain language:

Not only online entrepreneurs, but also clubs, public institutions and amateur bloggers must adhere to it.

3. What impact does it have on online entrepreneurs and website operators?

Articles 8, 9 and 10 and recitals 20, 21, 22, 23 and 24 on cookies and tracking (if you want to read the Regulation yourself) are of particular interest to online entrepreneurs and website operators.

Here is my summary of the possible effects:

3.1 Cookies and other tracking methods

The obstacles for online entrepreneurs and website operators will be even greater with the Electronic Privacy Regulation.

With the new regulation it will no longer be possible to justify the use of cookies and other tracking methods with a legitimate interest in accordance with Article 6, paragraph 1, letter f), of the GDPR (although it has not yet been fully clarified to what extent this legitimate interest actually extends).

For the storage of cookies and the use of other tracking methods (such as fingerprinting), the new regulation now requires consent (opt-in). This consent must be revocable at any time.

You have to reckon with the fact that around 40-60% of visitors will refuse consent. Here's a little test I did with the WordPress Borlabs Cookie plugin:

512 of 1055 respondents (48.5%) chose not to accept cookies, 90 (8.5%) chose to allow only cookies from the site's own domain, and 453 (42.9%) chose to allow all cookies.

It's amazing, right?

Only two types of cookies are excluded from this opt-in requirement:

  1. Technically necessary cookies (e.g. cookies that save the contents of a shopping cart for later retrieval, that make it possible to fill in online forms across several pages or that save the login data of the current session)
  2. Cookies to determine the number of visitors

However, the question of how this consent will be given is still open. Browsers were originally intended to take over this role and act as 'technical gatekeepers'.

Nevertheless, the associated Article 10 could be deleted entirely, as proposed by the Austrian Presidency in a revised version of June 2018. This would mean that each website operator would have to obtain consent themselves, for example with WordPress plug-ins such as Borlabs Cookie or Cookie Notice.

The outrageous condition that users be reminded at regular six-month intervals of the possibility of revoking their consent was removed (thank goodness!) with the updated bill of 20.10.2017.

3.2 Website analysis

According to article 8 paragraph 1 lit. d (in the updated bill of 20.10.2017) the storage of cookies is allowed and excluded from the obligation of consent if it ...

is technically necessary to measure the scope of the information society service requested by the user, provided that such measurement is carried out by the operator or on his behalf or by an independent web analysis body acting in the public interest, including for scientific purposes, provided that the data is aggregated and that the user has the possibility of opposing its use, and provided that the personal data is not made available to third parties and that the fundamental rights of the user are not affected by said measurement, and when a public measurement is carried out on behalf of an information society service provider, the data collected may only be processed by said provider and must be kept separate from the data collected in public measurements carried out on behalf of other providers.

This means that measuring the number of visitors with Matomo or other software installed on your own server should also be allowed without consent (provided you use it with IP anonymization, a data processing agreement (AV contract), opt-out, etc.).

In spite of everything, I think it is unlikely that Google Analytics can continue to be used without opt-in, because Google probably does not count as an "independent web analytics agency, active in the public interest - also for scientific purposes -".

But the same applies here:

The last word has yet to be said. Modifications to this part of the Regulation have already been discussed. In its revised version of June 2018, the Austrian Council Presidency added that third-party tracking service providers should be allowed:

is necessary for the measurement of the audience, provided that said measurement is carried out by the provider of the information society service requested by the end user or by a third party on behalf of the provider of the information society service, provided that the conditions established in article 28 of Regulation (EU) 2016/679 are met; or

3.3 Affiliate Marketing

Affiliate marketing will also be hampered by the Electronic Privacy Regulation. Cookie tracking is the predominant method of attributing a sale to a specific affiliate.

If you now have to ask for consent before setting the cookie, an estimated 40-60% of all sales can no longer be attributed, leading to a 40-60% loss in sales.

Regardless, I don't think affiliate marketing will disappear as a business model; it will remain usable. For one thing, there are many other methods of attributing sales, such as:

  • URL tracking without cookies
  • Session tracking, which works with cookies, but which may fall within the "technically necessary cookies"
  • the use of custom coupon codes
  • Creating your own affiliate landing pages

Apart from this, the ePrivacy Regulation can still change a lot before the final draft. It can be assumed that the list of processing purposes allowed without consent will get longer rather than shorter.

3.4 Prohibition of direct marketing without consent

In my opinion, the total ban on direct marketing without consent does not change much in Germany:

Article 7 of the UWG already stipulates that advertising is only allowed if it does not constitute unreasonable harassment.

This includes not only advertising calls to potential private clients without their express consent (cold calls), but also (with some exceptions) advertising calls to companies. Article 7 of the UWG also covers advertising through electronic communication (email, SMS, etc.).

4. Entry into force and applicability of the Regulation on electronic privacy

For a final bill to be passed, it is necessary for the European Commission, the European Parliament and the Council of the European Union to meet in so-called trilogue negotiations.

It is not yet clear when this will happen. This is because progress in the associated working groups on the Electronic Privacy Regulation has been slow.

The Austrian Council Presidency significantly slowed down the process in the second half of 2018 by proposing major changes and deletions of entire articles in favor of the digital economy. This approach was preceded by numerous lobbying meetings.

In its Legislative Train Schedule, the European Parliament assumes that the European Council will reach a consensus in the first half of 2019 under the Romanian Presidency. However, according to the calendar, the three-way negotiations will not take place until after the European elections at the end of May 2019.

Consequently, the Electronic Privacy Regulation is unlikely to enter into force before 2020.

According to its statement of July 10, 2018 (see the response of Secretary of State Claudia Dörr-Voß on page 68), the German Federal Government even considers a transitional period of two years necessary.

More information about the individual stations on the timeline:

5. Timeline of electronic privacy

2021-2022

Applicability of the Regulation on electronic privacy?

2020

25. May: In accordance with Article 97 of the GDPR, the EU Commission must submit a report on the assessment and review of the GDPR to the EU Parliament by that date. This could also have an impact on the draft Regulation on privacy in electronic communications.

1st - 2nd quarter: Entry into force of the Regulation on electronic privacy?

2019

3rd - 4th quarter: Negotiations in the framework of the trilogue between the Council, the Parliament and the Commission on the final draft?

1. July: Finland will assume the Presidency of the EU.

23. - 26. May: 2019 European elections in which 705 new MEPs will be elected (could further delay the Regulation on electronic privacy).

1st quarter: Additional negotiations and consensus on the final draft in the European Council?

1. January: Romania assumes the Presidency of the Council of the EU.

2018

23. November: The Austrian Presidency publishes a progress report on the state of the discussions. This report again expresses concern that the Electronic Privacy Regulation, in its current form, is holding back innovation.

10. July: A few days after the start of the Austrian Presidency, the Presidency presents a revised version. Among other things, it proposes a complete deletion of article 10 to exempt browser manufacturers from the obligation to provide the technical implementation of consent to cookies.

10. July: The Federal Government comments on the current draft of the Regulation on Electronic Privacy (see Secretary of State Claudia Dörr-Voß's response on page 68). It advocates a transitional period of two years from the entry into force until the Regulation on privacy and electronic communications becomes applicable.

1. July: Austria takes over the presidency of the Council of the EU.

12. June: An updated version is published with minor changes and possible discussion points in articles 6, 8 and 10.

18. May: The Bulgarian Presidency publishes a new progress report. Articles 8 and 10, among others, are questioned.

22. March: The Bulgarian Presidency publishes an updated text. Among other things, it suggests that end users are informed about privacy settings when they first install the software and choose a setting.

11. January: The Bulgarian Presidency publishes a progress report with possible changes and issues to "create a better compromise between privacy protection and incentives for innovation".

1. January: Bulgaria takes over the Presidency of the Council of the EU.

2017

5. December: The Estonian Presidency presents an updated draft.

17. November: The Estonian Presidency presents a progress report on the Regulation on electronic privacy. The report concludes that "much work remains to be done on most points" and that "there are other points that need to be addressed". So the end is far from in sight.

20. October: The European Parliament adopts by 318 votes in favor and 280 against a revised bill of the Regulation on electronic privacy, which introduces, among other consumer-friendly amendments, a ban on so-called cookie walls (also known as tracking walls).

1. July: Estonia takes over the Presidency of the Council of the EU.

9. June: The LIBE (Committee on Civil Liberties, Justice and Home Affairs) publishes the amendments to the draft Regulation on electronic privacy.

10. January: The European Commission publishes a first draft of the Regulation on electronic privacy. A press release sets out the reasons for the bill. It is expected that the regulation can be applied together with the GDPR on May 25, 2018.

2016

04. August: The results of the consultation are presented.

April - July: A public consultation is launched on the revision of the Directive on privacy and electronic communications as part of the Digital Single Market strategy.

2009

25. November: The so-called Directive on cookies complements the current Directive on privacy and electronic communications to adapt it to the rapid evolution of the market and technology, and only permits the storage of cookies if the user has given their consent (opt-in), but not explicitly.

2002

12. July: The Directive on privacy and electronic communications (2002/58/EC) enters into force.

6. What sanctions can be imposed?

The competent supervisory authorities may, as in the case of the GDPR, impose fines of up to 20 million euros or, in the case of a company, of up to 4% of its total annual worldwide turnover for the previous financial year, whichever is higher, in case of violation of the GDPR.

7. Who is responsible for applying the Electronic Privacy Regulation?

Applying the Electronic Privacy Regulation is the responsibility of the same data protection authorities in the Member States that are already responsible for applying the GDPR.

In Germany they are the respective state data protection authorities.

8. What is the status quo?

Until the Regulation on privacy and electronic communications is applicable, the Directive on privacy and electronic communications of 2002 applies, which was amended in 2009 in recital 25 to include the requirements regarding cookies (since then it has also been known as the Directive on cookies).

The Directive on privacy and electronic communications establishes the minimum requirements for data protection in electronic communications that legislation must implement.

However, unlike the new regulation on electronic privacy, it is not automatically valid in all EU Member States. Each Member State must transpose it into national law. In Germany, the Directive was transposed into German law in 2004, for which the Telecommunications Law (TKG) was amended.

However, the Directive amending the Directive on privacy and electronic communications ("Directive on cookies") of 25 November 2009 was not incorporated into German law.

9. Regulation on electronic privacy vs. GDPR

What exactly are the differences between the General Data Protection Regulation (GDPR) and the new Electronic Privacy Regulation?

Let's sum it up again:

9.1 Basic regulation vs. special law

As can be seen from the name, the GDPR is a basic regulation. This means that it represents the legal basis for data protection and provides general guidance on the processing of personal data of EU citizens.

The Regulation on electronic privacy, on the other hand, is a special law (the so-called lex specialis) that replaces the general law in a given area and takes precedence over it. This area is electronic communication.

9.2 Extension of the scope of application

The GDPR focuses on the protection of personal data, in other words, people's data. By contrast, the Electronic Privacy Regulation applies to all users of electronic terminals.

This means that it includes not only communication between companies and individuals, but also between individuals and individuals, as well as between companies and companies.

The new regulation also offers citizens and companies concrete protection and certain rights that are not included in the GDPR. It guarantees, for example, the confidentiality and integrity of the end devices (PC, smartphone, tablet, etc.). These terminal devices can only be accessed with the prior consent of the user.

9.3 Point of effect on information flow

Although the GDPR is the basis of the Electronic Privacy Regulation, the Electronic Privacy Regulation takes effect earlier in the flow of information.

While the GDPR gives users more rights and control over their personal data, the Electronic Privacy Regulation protects user data so that it does not become personal at all.

Or as defined in the status report of June 08, 2018:

The Presidency considers that the protection of content during end-to-end exchanges between end users must be guaranteed until the time the recipient obtains control of the content. From this moment the protection by the basic data protection regulations comes into force.
