Online messaging and email services such as WhatsApp (FB.O), iMessage (AAPL.O) and Gmail (GOOGL.O) will face tough new rules on how they can track users under a proposal presented by the European Union executive on Tuesday.
The web players will have to guarantee the confidentiality of their customers' conversations and ask for their consent before tracking them online to serve them personalized ads.
The proposal by the European Commission extends some rules that now only apply to telecom operators to web companies offering calls and messages using the internet, known as "Over-The-Top" (OTT) services, seeking to close a perceived regulatory gap between the telecoms industry and mainly U.S. Internet giants such as Facebook, Google and Microsoft (MSFT.O).
Tuesday's proposal would allow telecom companies to use customer metadata - such as the duration and location of calls - to provide additional services and make more money, something they are barred from doing under the current rules.
The review of the so-called e-privacy law will also force web browsers to have their default setting as not allowing personalized online advertising based on browsing habits. Instead, users will be asked to opt in to allow websites to place cookies on their browsers.
"It's up to our people to say yes or no," said Andrus Ansip, Commission vice-president for the digital single market.
Cookies are placed on web surfers' computers and contain bits of information about the user, such as what other sites they have visited or where they are logging in from. They are widely used by companies to deliver targeted ads to users.
Online adverstisers have warned that overly strict rules would undermine many websites' ability to fund themselves and keep offering free services. They say the data they use can not identify the user and is therefore low risk, making asking for consent every time too onerous.
The proposal scraps the obligation on websites to ask visitors for permission to place cookies on their browsers via a banner every time they land on it if the user has already consented through the privacy settings of the web browser.
The "cookie banner" has been lambasted as ineffective because people tend to accept them without necessarily reading what that entails.
Companies falling foul of the new law will face fines of up to 4 percent of their global turnover, in line with a separate data protection law set to enter into force in 2018.
The proposal will need to be approved by the European Parliament and member states before becoming law.