On January 10, the European Commission proposed new legislation that would update and supplement current ePrivacy rules and extend their scope to all providers of electronic communication services.

The following is a summary of certain key proposed rules:

Confidentiality of all Electronic Communications

Listening to, tapping, intercepting, scanning, and storing of electronic communications will not be allowed without the prior consent of the user. The proposed rules further indicate when processing of communications data is permitted without the consent of the user.

Guaranteed Confidentiality of Users' Online Behavior and Devices

Accessing information on a user's device requires the user’s prior consent. Providers must also obtain prior user consent before using HTTP “cookies” (small pieces of data sent from a website and stored in a user's web browser while the user is browsing that website) or other technologies on websites to access information stored on a user’s computer or to track online behavior. However, no consent is required for non-privacy intrusive cookies that improve users’ internet experience (such as saving shopping cart history, auto-filling online forms, or saving login information during a single session). Also, cookies set by a website that counts visitors will not require consent.

Consent Required to Process Communications Content and Metadata

Privacy must be guaranteed with respect to the content of communications, as well as metadata (e.g., who was called; the timing, location, and duration of a call; and websites visited). Without user consent, all metadata linked to electronic communications must be deleted or made anonymous (except where required for billing purposes).

Consent Required for Spam and Direct Marketing Communications

Providers must obtain prior user consent before any unsolicited commercial communication is addressed to the user—regardless of the technology used. This also will apply to marketing phone calls for customers who have not opted-out of marketing calls (such as through “do-not-call” registrations). Telemarketers must display their phone number or use a special prefix number that indicates a marketing call.

See the European Commission’s Fact Sheet for more details.

Harmonization with GDPR and Effective Date

The Commission seeks to harmonize the proposed rules with the European Union’s updated General Data Protection Regulation (GDPR), which is schedule to take effect in 2018. In doing so, the stringent fines for data protection violations set forth in the GDPR (up to 4% of a company’s annual worldwide revenue) will also apply to providers that breach ePrivacy rules.

To become law, the proposed rules must first be approved by the European Parliament and EU member states. The Commission seeks adoption by May 25, 2018.