
What Will Europe's ePrivacy Regulation Mean for Your Business?


As companies continue to scramble to implement the requirements of the European Union’s 2018 General Data Protection Regulation (GDPR), another set of data-protection obligations has appeared on the horizon.

Europe’s ePrivacy Regulation (ePR) is in an advanced stage of preparation and is expected to replace the 2002 Privacy and Electronic Communications Directive (known as the ePrivacy Directive) by late 2019 or early 2020. Its focus is on privacy protection for data when they are transmitted electronically, and its status as a regulation (rather than a directive) means that it can be uniformly enforced across EU member states.

Many executives have not paid much attention to the new regulation. In our view, this inattention is ill advised. In broad terms, the regulation specifies how the general data-protection framework outlined in GDPR¹ will be applied to electronic-communication services provided over telecom networks and the internet. The regulation will apply to direct marketing, the companies that engage in it, the providers of electronic-communication services and the software and directory providers.

Smart leaders will take a strategic view. They will work to help shape the new regulation and develop policies and practices to support compliance along the entire customer journey, especially in direct-marketing activities.

The key elements of the new regulation

The new ePR will repeal and replace the EU’s current ePrivacy Directive. The new provisions will cover electronic-communication networks; data stored in or sent from end-user equipment such as phones, tablets, and computers (including cookies, device IDs, and other identification software); and methods employed to approach customers over electronic-communication networks for direct-marketing purposes.

The most important aspects of the new provisions in the current version of the draft regulation are summarised as follows:

Data processing

GDPR sets out a list of general lawful purposes for data processing, namely vital interest, legal obligation, contractual necessity, legitimate business interest, public interest, and other purposes with the data subject’s consent.

The new regulation will define specific requirements for different forms of usage. For example, the use of cookies will require consent except when the cookies are necessary for transmitting data, providing a requested service, or measuring a web audience. This means that all marketing-related cookies will require consent.

Consent will also be required for metadata used in digital marketing, unless it is being used for purposes related to service quality, billing, interconnection, or fraud prevention. Under current plans, the regulation will require companies to contact customers twice a year to remind them of their right to opt out or withdraw their consent, whereas GDPR does not specify an opt-in/opt-out schedule.

Direct marketing

Direct marketing via email and telephone also requires consent unless contact takes place within an existing client relationship for a similar type of product. The regulation recommends that individual countries introduce ‘do not call’ registers that companies must check before approaching individuals. It also requires that marketing calls use a specific prefix or code that makes them identifiable as such. Those making marketing calls must also identify the legal entity or individual on whose behalf they are calling.

Control and confidentiality of communications

The new ePR strives to maintain individuals’ control over communications, including blocking numbers, exclusion from public directories and managing privacy settings. Electronic communications in the form of data, metadata, and voice recordings need to be treated as confidential and cannot be disclosed without consent or the presence of a legal obligation. This also applies to machine-to-machine or internet of things (IoT) communications over electronic networks, and to public Wi-Fi communications.

Integrating data privacy into corporate strategy

All signs indicate that the new regulation will deepen the impact of GDPR on most companies. Given this challenge, companies need to address the new regulation with urgency while maintaining a strong focus on their business. To prepare for success under the new regulation, companies can consider taking the following actions:

Set up a cross-functional team that involves marketing - Marketing should be a key stakeholder in the implementation programme. Cross-functional teams deliver the best results by looking for solutions that fit the company’s overall business strategy as well as meeting customers’ needs.

Take an active role in developing the regulation - Companies need to analyse the impact of the proposed regulation on their business and treat measures to safeguard data privacy as an opportunity to strengthen their branding and turn compliance investments into a form of strategic marketing.

Optimise customer journeys to obtain consent to future contact - Opt-in programmes can reach much higher levels of success with the right choice of consent strategy and formulation of consent notices, enhancing the customer journey along the way.

Make privacy a competitive differentiator - Privacy is a relative newcomer to top management’s strategic agenda, so companies should seize the chance to evaluate what business opportunities the new requirements may create.

About to come into force in Europe, ePR is part of a broader trend. Successful companies will not only take timely steps to comply with the regulation but will also treat data privacy as an integral part of corporate strategy.

By assessing the possible impact of the regulation, developing a clear and comprehensive road map for addressing it, and managing business implications carefully, companies can turn the regulation from a burden into an opportunity.


Daniel Mikkelsen, Henning Soller and Malin Strandell-Jansson
McKinsey & Company