Recently, I was speaking to a group of crazy smart graduate tech students – who were clearly more intelligent than me – about privacy, and a simple question from one of the students brought everything into focus. I was banging on about the brilliance of the General Data Protection Regulation (GDPR) and the potential changes to the ePrivacy Directive, what many call the “cookie law”, when the student piped up with “Can’t you just tell me what we need to do?”
I realized at that moment that I’ve been so caught up in all things privacy that I’d forgotten not everyone is as wonkish as I am about privacy and the changes new legislation will require. She was right, of course, but unfortunately there isn’t a straightforward answer to her simple question. However, let’s at least take a moment to compare the two laws so the tech folks can have an understanding of each.
The GDPR, which comes into effect on 25 May 2018, is a game changer. It is much more than an overhaul of existing EU privacy laws, many of which are long in the tooth. Rather, the GDPR goes back to the basics of treating personal data as a fundamental human right by empowering people with renewed control over their digital selves. It does so by codifying new individual rights, such as the right to access, correct, and port data away. Data controllers, those companies we all do business with that collect our personal data, have many new obligations, but there are simply two main principles that these companies need to adhere to: accountability and transparency.
I’m making it sound all so simple, and of course operationalizing the GDPR will be a nightmare and will cost many millions, but the principles are immutable. For companies to be accountable, they must first turn inward for a comprehensive review of all their data practices, understanding what they collect, how they use it, and what the privacy impact is to the person. Once this is accomplished, the company needs to turn outward and be transparent, or open and honest, about all of this, including empowering the person to exercise his or her new rights. The GDPR is all about “power to the people”, a noble aim, but one that carries a huge downside for non-compliance, in some cases up to 4% of global revenue or €20 million, whichever is more. That hurts.
In comparison, the present ePrivacy Directive (ePD) is a family of EU legislation that requires websites and apps to disclose their technologies and obtain consent. It’s a narrow set of country-specific laws that haven’t been consistently enforced. This is all about to change. The ePrivacy Regulation (ePR) may replace the ePD. While still at the beginning of the legislative process, it is ambitiously being pushed to go into effect alongside the GDPR. If that happens, we’ll have two separate and parallel privacy laws to comply with at the same time. Assuming the final version of the ePR looks like what is presently proposed, it could be more significant than the GDPR. Here’s why.
The ePR, as proposed, will still be a notice-and-consent law, requiring a person’s consent before a website or app can drop a cookie on his or her browser. That means companies must have a full understanding of all the invisible and dynamic tracking behind the digital curtain, disclose it in an easy way, and give the person the ability to consent. Fair enough. The tricky part is keeping up with the morphing trackers in order to disclose them properly, having the right governance controls in place to manage who gets on the websites or apps, and then providing an easy-to-use consent tool.
The startling thing, though, is that the ePR adopts the GDPR’s penalties. That’s right, so if you stub your toe by not disclosing all of the trackers on your site, you could be exposed to a penalty of up to 4% of your global gross revenue. That is quite a jump from where we were before – sparse and inconsistent enforcement at best – and serves as a signal to not only websites and apps, but also everyone along the digital vendor supply line that this is serious.
Watch out for speedy enforcement; many regulators are already signalling their intent to first enforce on the low-hanging fruit, under both the GDPR and ePR. Enforcers will look for the things they can see when they visit your site. What is the easiest thing for them to see, or not see? A notice, that’s what. So I pity the poor owners of the website or app that ignores the ePR. The GDPR has a lot of moving pieces, and although it can be reduced to a couple of high-level principles of accountability and transparency, it will require a sustained enterprise-wide effort to comply. Not so with the ePR. It’s easy to get right, but really easy to get wrong.
So, while I wish I could answer the student’s question (“just tell me what to do”), all I can really say is “do the right thing”. Take care of the easier tasks first, those that are under your control, such as compliance with the ePR, while the heavy lifting from the GDPR gets worked out over time.