Online messaging and email services such as WhatsApp (FB.O), iMessage (AAPL.O) and Gmail (GOOGL.O) will face tough new rules on how they can track users under a proposal presented by the European Union executive on Tuesday.
The web players will have to guarantee the confidentiality of their customers' conversations and ask for their consent before tracking them online to serve them personalized ads.
The proposal by the European Commission extends some rules that now only apply to telecom operators to web companies offering calls and messages using the internet, known as "Over-The-Top" (OTT) services, seeking to close a perceived regulatory gap between the telecoms industry and mainly U.S. Internet giants such as Facebook, Google and Microsoft (MSFT.O).
Tuesday's proposal would allow telecom companies to use customer metadata - such as the duration and location of calls - to provide additional services and make more money, something they are barred from doing under the current rules.
However the telecoms industry said the proposal still imposed stricter obligations on them than on web companies.
"Unlike others, telcos risk being prevented from expanding consumer choice by using traffic and location data for big data analytics, IoT (Internet of Things) and connected driving services," said Lise Fuhr, director general of ETNO, the European telecoms lobby.
The review of the so-called e-privacy law will also require web browsers to ask users upon installation whether they want to allow websites to place cookies on their browsers. A previous leaked version would have forced browsers to set the default settings as not allowing cookies.
"It's up to our people to say yes or no," said Andrus Ansip, Commission vice-president for the digital single market.
Cookies are placed on web surfers' computers and contain bits of information about the user, such as what other sites they have visited or where they are logging in from. They are widely used by companies to deliver targeted ads to users.
Online advertisers have warned that overly strict rules would undermine many websites' ability to fund themselves and keep offering free services. They say the data they use can not identify the user and is therefore low risk, making asking for consent every time too onerous.
"It will particularly hit those companies that ... find it most difficult to talk directly to end users and what I mean by that is tech companies that operate in the background and sort of facilitate the buying and selling of advertising rather than the ones that the user directly engages with," said Yves Schwarzbart, head of policy and regulatory affairs at the Internet Advertising Bureau.
Companies falling foul of the new law will face fines of up to 4 percent of their global turnover, in line with a separate data protection law set to enter into force in 2018.
The proposal will need to be approved by the European Parliament and member states before becoming law.