The ePrivacy Regulation covers a wide range of activities. Those that will be most relevant to the majority of the aviation industry are summarised below, based on the latest draft of the full regulation published by the Bulgarian presidency on May 4, 2018 and the updates to Articles 6, 8 and 10 published by the Austrian presidency on July 10, 2018 and 20 September 20, 2018.
Electronic direct marketing
As the ePrivacy Regulation is intended to be technology-neutral, the activities falling within the scope of direct marketing communications will be broader under the ePrivacy Regulation than under current law and will include in-app advertisements, marketing via instant messaging applications and other new communication channels. However, early suggestions that advertising shown on a website might constitute direct marketing, seem to have been dropped in the latest draft although this does not get around the cookies and online tracking requirements mentioned below.
Whilst the general requirements remain broadly the same, airlines that send marketing via electronic means or telephone should be aware of the following changes that look set to be introduced by the ePrivacy Regulation
- Consent for marketing has to be “GDPR-level” consent, namely freely given by way of affirmative action (i.e. not implied), using language that is clear, specific, granular and distinguishable from other information and tells the individuals what they are consenting to and that they can opt-out in the future.
- The reliance on “soft opt-in”,i.e. where opt-out consent can be relied on in certain limited circumstances, no longer applies to where personal data is collected in the context of a “negotiation” for a sale (as currently applies in the UK, but not in other European jurisdictions). Instead, it must relate to an actual sale.
- Member states are given the option to limit the time period within which “soft opt-in” can be relied on.
- Member states may require organisations sending direct marketing calls to present a specific code/prefix identifying the fact that it is a marketing call.
In addition, it remains unclear whether member states will be permitted to retain their ability to allow B2B marketing without consent. Whilst the ePrivacy Regulation makes it clear that these rules apply to “end-users that are natural persons”, it remains unclear how this would apply when marketing to individuals acting in a professional capacity, for example, using a personalised corporate email address firstname.lastname@example.org.
What is clear from the electronic marketing rules in the proposed ePrivacy Regulation, however, is that the law in this area will still not be fully harmonised. Organisations that operate in multiple different European member states, as many airlines do, will continue to need to have regard to the different member states’ laws, thereby negating one of the key aims of the ePrivacy regulation in the first place.
Cookies and online tracking
The ePrivacy Regulation also introduces some helpful changes and clarification in this area. Firstly, it carves out more circumstances than exist under current law of when consent for cookies is not required. This list now includes cookies used for web audience measuring (i.e. certain analytics cookies), used to detect fraud or technical faults, and those used for certain security purposes, alongside the current exemption that applies to “strictly necessary” cookies. In addition, despite earlier drafts suggesting otherwise, it appears that “cookie walls” (i.e. where access to online services or content is made conditional upon the user agreeing to cookies) may be permitted in some circumstances.
Wi-Fi connection in airport lounges or in-flight
The ePrivacy Regulation clarifies that organisations can collect information emitted by terminal equipment, for example, phones or laptops, for the purposes of connecting to another device or to a network connection, provided that such collection of information is done exclusively, and for the time necessary, for the purpose of establishing or maintaining a connection.
This means that airlines will be able to continue offering WiFi, for example,in their lounges or in flight, but will need to ensure that any data collected to enable this is used and retained solely to the extent necessary for this connectivity purpose.
Tracking individuals’ physical movements through their devices
The ePrivacy Regulation recognises the potential benefits of tracking individuals’ physical movements based on the collection of certain device data, for example, the MAC address. This could be useful, for example, to ascertain the number of people in specific areas and the number of people waiting in line.
The ePrivacy Regulation permits this type of “statistical counting” which would not include collecting data from devices to send commercial messages to end-users, e.g. when they are walking around an airport, without the end user’s consent, provided that: (i) the relevant statistical counting is limited in time and space to the extent necessary for the purpose; (ii) appropriate security measures are put in place in relation to such use; and (iii) a prominent notice is given explaining the purpose of the tracking and how to minimize or stop the collection.