The Next Big One for the Software Industry. Is Your ePrivacy Preparedness Kit Ready?
10 Pages Posted: 21 Jun 2019
Date Written: May 17, 2019
Abstract
As we mark the one-year anniversary of the General Data Protection Regulation (the “GDPR”) coming into effect, major enforcement cases with multi-million dollar fines have been largely absent. But as Helen Dixon recently noted, these cases are “not overnight.” Many investigations are still in progress, and large fines are expected. Companies with an international presence may also be tracking the numerous aftershocks in the form of omnibus privacy laws taking form outside the EU. But what comes after such a sweeping privacy regulation like the GDPR?
In a post-GDPR world, technology companies are now realizing they are stewards of their customers’ data. The ability to build and maintain customer trust is becoming a critical ingredient to the reputation and success of companies that depend on data. They have more motivation than ever to meet customers’ expectations not only as a compliance matter but also as a competitive advantage. Software companies can, and routinely do, collect a remarkable amount of data through their offerings and services, including user profile data, attributes about the end-user’s device, crash logs, licensing and entitlement information, details about command and feature usage, communications data, authored content and related metadata. The scope of data software providers can collect from users’ devices extends far beyond personal data.
For technology companies with a footprint in the EU, the ePrivacy Regulation has the potential to trigger the next big tectonic shift in how they manage collection and use of inbound data. While social media companies, advertisers and electronic communications service providers may find themselves closer to the epicenter, all technology companies that develop or leverage software may feel the impact. Based on current drafts of the ePrivacy Regulation, its material scope will cover a broader surface area than just web cookies and electronic marketing. It is still unclear exactly when the ePrivacy Regulation will be adopted and take effect. With all of the uncertainty around both the language and the timing of the regulation, it has received far less attention than GDPR. But technology companies, in particular, shouldn’t underestimate the complexity introduced by this regulation and its potential impact on software offerings and data practices.
In this article, we highlight the potential scope of the ePrivacy Regulation, its requirements for consent, and anticipated timing of the regulation. We also explore certain challenges that software companies may face in their attempts to implement the provisions of the ePrivacy Regulation, particularly focusing on on-premises or desktop application development. This article provides a starting point to help in-house counsel kick off the ePrivacy discussion in their companies, call out some key considerations, and contribute to the strategic discussions that will invariably bring in product development, data governance teams and executive leadership.
Keywords: GDPR, ePrivacy Directive, ePrivacy Regulation, Personal Data, Electronic Communications Data, Terminal Equipment, Software Companies
Suggested Citation: Suggested Citation