As previously covered in my blog, the 2002 ePrivacy Directive may be beefed up in order to:
- Extend the scope of ePrivacy rules to VoIP (voice over Internet) and OTT (over-the-top) providers, as well as telecommunication providers.
- Apply rules to new tracking and e-marketing technologies.
- Align privacy concepts (consent, data breaches, territorial scope, fines, …) with the GDPR.
- Amend the rules on secrecy of communication metadata to require record deletion right after the communication has been made, provided no exceptions apply.
The new proposal will take the form of a Regulation (hence directly applicable) and will cover services provided in the EU (regardless of where the processing takes place).
The opt-in rule will be bolstered (before consent is granted to third parties), and software and devices must be configured to restrict these cookies by default (yuppie!). Even pixel tags in e-mail will be included (yay! x2).
Communications must be erased unless exceptions apply (billing duties, cybersecurity, clear consent by the user).
Direct marketing will not be permitted, and opt-out rights must be clearly granted in case of subscription. Breach notification duties will be aligned with the GDPR (72 hours, if I am not wrong).
Regarding the potential fines, a breach could result in a fine of 4% of yearly worldwide revenues.