In-app consent requirements are about to get a fresh makeover. In January 2017, the European Union (EU) proposed the ePrivacy Regulation to replace the ePrivacy Directive. Experts anticipate its passage in 2019 or 2020, and there will likely be a year-long transition phase before it takes effect. Unless amended, the ePrivacy Regulation will impose broader opt-in consent requirements on publishers with EU-based end-users.
Under the ePrivacy Regulation, obtaining consent from end-users will be required for the processing of their data, metadata, or terminal equipment data. Notice that this consent requirement is broader than under the General Data Protection Regulation (GDPR), which only requires consent for the processing of personal data. In addition, unlike the GDPR, there is no option to process data pursuant to a “legitimate interest” under the ePrivacy Regulation.
Thus, consent will be required even when publishers are merely storing or accessing information on an end-user’s mobile device. Furthermore, the use of any terminal equipment data (e.g. software, hardware, or advertising identifiers) will also require consent. The broadened consent requirement and lack of a “legitimate interest” legal basis for processing under the ePrivacy Regulation leave mobile app publishers with few options but to obtain consent from their end-users.
Obtaining Consent Under the ePrivacy Regulation
Some publishers may wonder how valid consent is obtained. Conveniently, the ePrivacy Regulation adopts the same consent standard set forth in the GDPR. In other words, valid consent under the ePrivacy Regulation must be a clear and affirmative act establishing a freely given, specific, informed, and unambiguous indication of an end-user’s agreement to the processing of his or her data. For mobile app publishers, such valid consent can be easily obtained by creating an in-app consent page pop-up and dialog that allows end-users to affirmatively consent. Relying on pre-ticked boxes or allowing mere app usage to constitute consent is likely insufficient.
Furthermore, if a publisher uses data for multiple purposes (e.g. ad targeting or personalization), then the consent page pop-up should provide end-users with an option to opt in or out of processing on a per-purpose basis. For more information in this regard, check out the suggestions starting on page four of our GDPR Consent Page Pop-up and Dialog: Suggestions & Tips resource.
What if a publisher does not get consent? The penalties under the ePrivacy Regulation are harsh. In fact, they are the same fines the GDPR levies. Certain fines go up to a maximum of 10 million EUR or 2% of total worldwide annual turnover, whichever is higher. Non-compliance with a supervisory authority’s instructions doubles the maximum administrative fine to the greater of 20 million EUR or 4% of worldwide turnover. In addition to fines, private rights of action against infringing organizations are allowed. The penalties are too high to be ignored.
Next Steps for App Publishers
What’s next? First, publishers should wait to see the final version of the ePrivacy Regulation and review it with independent legal counsel once it is finalized. It is currently in the amendment and debate stage and several changes may be made to the regulation before it passes. Publishers wishing to stay ahead of the game can develop and implement consent procedures now, building upon efforts already undertaken for the GDPR.
Fortunately, implementing the ePrivacy Regulation and the GDPR consent procedures can maximize app revenue by allowing publishers to serve interest-based, personalized, and non-contextual ads. To read more about the means for obtaining valid consent under the GDPR or ePrivacy Regulation and the monetary benefits of doing so, take a look at Smaato’s GDPR Consent Page Pop-up and Dialog: Suggestions & Tips guide.
In light of the GDPR and other privacy-related developments, we will ensure that serving ads to your app and mobile website end-users through the Smaato platform continues. We strive to provide ongoing GDPR and privacy suggestions and best practices that can enable the highest quality service, and we are committed to assisting our partners with their GDPR and privacy compliance efforts.
For further information, please visit our GDPR webpage or contact us at firstname.lastname@example.org.
Disclaimer: The information on this webpage is for general information only and does not constitute legal advice. Please consult your own legal professionals if you seek advice on specific interpretations and requirements of any law.