Data-driven advertising is the single largest revenue source for European digital media, making up more than 80 per cent of the online revenues for publisher’s journalistic content and more than 50 per cent of mobile application revenues. The proposed ePrivacy Regulation (“ePR”) threatens to harm European digital media outlets’ economic model by significantly undermining their ability to generate enough revenue to create and provide free online content and services, thus also limiting media pluralism and public debate and discourse online. The free, advertising-funded business model is overwhelmingly preferred by European citizens, 83 per cent of whom prefer free content – with advertising – to being required to pay; indeed 68 per cent of European internet users say they would never pay for news content online, even if no free content were available. This showcases the importance of the data-driven advertising business model to European consumers.

• The ePrivacy Regulation should maintain a clear unqualified permission for private actors to make access to online services conditional on the well-informed consent of the user to data processing for advertising purposes that is not strictly technically necessary for provision of that service but which is necessary for the monetisation model chosen by that service. Any additional requirements, such as having to make available a paid-alternative is to be avoided.
• Article 8(1) ePR should be amended to fully align it with the principles-based approach of the GDPR on lawful processing, including processing necessary for a legitimate interest where the fundamental rights of a data subject are not overriding, instead of a rigid list of specific exceptions to a general consent requirement.
• Article 10 should be significantly amended or deleted in order to avoid requiring browsers to block processing at a technical level. The effect of such a rule would mean in most cases that services requested by users could not function properly without users changing their browser settings. This will result in more user irritation as websites would prompt users to do so.
• Lawmakers should take the necessary time to thoroughly assess and consider any new provisions, also bearing in mind experience and observations gained since the GDPR’s implementation rather than pursuing expedited adoption of the ePrivacy Regulation. Experience with the GDPR has shown the importance of a reasonable transition period of 18-36 months to afford businesses enough time to assess the new rules and make the necessary changes to their privacy policies, products and services, as well as for industry standards to be adapted to enable compliant processing.

Download the updated position paper below.