First Came GDPR, Then Comes ePrivacy - What to Expect with Global Data Regulations

Ever since the General Data Protection Regulation (GDPR) came into effect on May 25, 2018, many have wondered how the law may evolve and potentially add further regulations. One of these evolutions that is still in early stages is ePrivacy, which was born from the GDPR.

While the GDPR was designed to ensure protection for personal data related to European Union (EU) citizens, ePrivacy takes this approach a step further by ensuring personal and family privacy in relation to data collection, storage and usage. Put more simply, ePrivacy protects your right to a personal life and personal existence.

These new regulations will affect how companies communicate with individuals, and the types of permissions needed to “stay in touch.” Specifics are still being debated by the EU Parliament, but for now the fundamental principles are:

• Marketers will not be allowed to send emails or SMS messages without explicit permission from the owner/account holder of each email address or mobile phone number being targeted. 

• We’re all familiar with the “can we use cookies?” requests that appear on so many websites today. ePrivacy will make it possible to track cookies with software, and for users to manually change cookie settings inside their browser. This is a change to current regulations and will reduce the number of “cookie request” popups that we see today.

• The regulation also includes additional requirements for online communication privacy; namely, the same level of protection will have to be applied to customer data as is today expected of traditional communication providers. This will affect major messaging platforms including Google, Skype, Facebook Messenger, WhatsApp and many others. It also prohibits interception of online communications except where authorized under law by an EU member state.

So what does this mean? ePrivacy is an extension of GDPR – it covers specific use cases around how data must be handled to ensure the privacy of users. For companies who rely on online targeted advertising for revenue, this could significantly impact their business. Since it will not be possible to effectively track users with cookies, it will essentially no longer be possible to place targeted ads on websites. Non-compliance with this new regulation has the potential to result in the same steep fines as for violation of the GDPR, up to 4 percent of annual revenue or €20 million ($23.5 million).

We have already seen the large tech firms, such as Google, Facebook and Amazon, changing policies to comply with the GDPR requirement for explicit consent to the collection and use of users' data. This is costly and time-consuming and will prove challenging for smaller US-based companies, some of which we may see removing their business from EMEA altogether if the investment required to make these changes outweighs the benefit.

Even a simple change to something as seemingly innocuous as cookies could have major ramifications. It’s likely that cookies often haven’t been top of mind for the average internet user. With ePrivacy and other regulations making people more aware of the type of data they are choosing to share, with whom and for how long, we can expect to see more attention paid to the cookie – both from a positive perspective as organizations are required to protect their customers’ data, and even potentially from bad actors. As with any major change in regulation, we can expect there to be growing pains when organizations struggle to adapt, consumers face confusion, and more than likely, hackers find a way to exploit vulnerabilities. 

This is just one of the many reasons why we can expect ePrivacy and other data regulations to have a significant impact on global business. For now, all we can do is watch and wait.

Laurence Pitt is Global Security Strategy Director at Juniper Networks. He joined Juniper in 2016 and is the security subject matter expert for the corporate marketing team. He has over twenty years of cyber security experience, having started out in systems design and moved through product management in areas from endpoint security to managed networks. In his role at Juniper, he articulates security clearly to business and across the business, creating and having conversations to provoke careful thought about process, policy and solutions. Security throughout the network is a key area where Juniper can help as business moves to the cloud and undertakes the challenge of digital transformation.