ePrivacy Directive and GDPR impact cookie law - 2022
GDPR EU explains the regulations governing cookies and data privacy including GDPR, the current ePrivacy Directive and the future ePrivacy Regulation as devised by the European Union.
Businesses use cookies to gain valuable insight into Internet users’ activity. As such, cookies are extremely important as a tool for businesses and corporations. However, cookie consent is not necessarily straightforward.
Despite the importance of this tool, the regulations covering cookies are divided between the ePrivacy Directive and the General Data Protection Regulation.
Cookies are placed on user devices in the form of small text files. They’re placed on the device by the websites that the Internet users are browsing.
The web browser then processes and stores the cookies, which are harmless in and of themselves. They are crucial for the functionality of the website, and can easily be found and deleted, if necessary, from the user’s device.
Cookie consent relates to the GDPR and is governed by data protection authorities because each cookie can store a wealth of data. Crucially, this data could be used to identify the user.
Simply put, advertisers and businesses use cookies as one of their main identifiers to track the user’s activity online. This allows them to target ads towards each user in a very specific way.
And, due to the amount of data that cookies can contain, they’re legally considered personal data. Therefore, they come under data privacy and GDPR.
Before we go into detail about the specifics of the data protection directive in relation to cookies, it’s important to understand the different types that require consent.
There are three key points by which cookies are categorised: their provenance, what they’re for and how long they last.
These are broken down into the following:
The following are the generally accepted ways to classify cookies, but there are others that don’t fit into these categories.
The privacy issues are generally concerned with third-party, marketing, persistent cookies. This is because these types of cookies contain personal data and communications data of the user, including location, preferences, and other online identifiers.
Furthermore, the accessibility of third-party cookies is complex and potentially open to abuse.
Since the advent of the GDPR by the European data protection board, the use of third-party cookies has declined.
The GDPR, which was devised and implemented by the European Union on 25 May 2018, is the world’s most comprehensive and detailed data protection law that has been issued so far.
Cookie consent, however, is only referred to once in the 88-page document. The European Union confidentiality rules as part of the GDPR mention cookies in Recital 30.
Recital 30 refers to Online identifiers for profiling and identification. It states: “Natural persons may be associated with identifiers provided by their devices, apps, tools and protocols, such as Internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
To simplify Recital 30, it essentially says that cookies used during electronic communications and web browsing are subject to GDPR, as laid out by the European Union, only in so far as they can feasibly be used for identification.
The ePrivacy Directive (EPD) was first passed in 2002. It was amended in 2009 and is colloquially known as the ‘cookie law’.
Its nomenclature derives from the fact that its biggest impact after it was implemented was on cookie consent pop-ups.
The ePrivacy Directive works with the GDPR, and in some cases actually overrides it, concerning the confidentiality rules surrounding electronic communications and tracking users.
In order to properly comply with the ePrivacy regulation and the legally binding GDPR regulations governing first party cookies and third-party services, here’s what businesses must do.
Eventually, the ePrivacy Regulation will replace the current ePrivacy Directive. If you’re wondering what the difference is between the directive and the ePrivacy Regulation in terms of European Union law, it’s the following.
Within the European Union and as directed by the European Parliament, a ‘directive’ must be included into law by countries within the bloc. In other words, it must be made national law by each separate country. A ‘regulation’, such as the ePrivacy Regulation, becomes instantly legally binding throughout the member states on the date it is launched.
Given that the initial draft of the ePrivacy Regulation was written and published in early 2017, when will it go ahead?
In the first instance, the European Parliament intended to release the ePrivacy Regulation at the same time as the GDPR in 2018. However, as of April 2022, negotiations continue among EU countries due to the complexity of the proposed ePrivacy regulation.
In February 2021, the EU Council of Ministers agreed on a new version of the EU legislation, albeit still in draft form. This became the first step of the negotiation between all three EU legislative groups: the Council of Ministers, the EU Parliament, and the European Commission.
We can see several useful points within the privacy rules of the European Commission’s proposal. As with all European legislation, this is not yet final.
The main aim of the ePrivacy Regulation is to regulate electronic communications content that is generated by electronic communications services.
By electronic communications services, the European Commission and other bodies mean interpersonal communications services, Internet access services and those that consist partly and wholly of transmitting signals. This means that Voice Over Internet Protocol (VOIP), the Internet of Things (IOT) and machine-to-machine (M2M) are under the ePrivacy Regulation.
This broad scope will include new infrastructure projects as well as current communications infrastructure projects, something that will affect everyone from transport companies to EU citizens across the board.
In addition to the above, the proposed ePrivacy Regulation covers the following:
As mentioned earlier, the ePrivacy Regulation is designed to be used above the GDPR in some cases.
The ePrivacy Regulation is predicated on confidentiality of the data used within electronic communications, including unsolicited electronic communications.
Any interceptions, such as monitoring, scanning, storing, listening etc., by a different person (other than the user) are not permitted. There are some exceptions provided within the ePrivacy Regulation, but by and large the major basis of permission from users is consent.
The general conditions for permission are laid out in the GDPR Article 6. This covers permissible examples, such as the maintenance or restoration of networks, or the detection and prevention of risks to security or attacks on the user’s devices. There are other examples where this kind of data processing is OK, including threats to public interest or criminal offences.
Electronic comms content data and comms metadata are two distinct entities. Communications content data is the information that is swapped using services such as video, voice, text, or sound apps.
Metadata refers to the data that is processed for transmitting, exchanging, sharing, or otherwise distributing electronic communications content.
The regulation proposal for these new rules covering all e-communications includes the following:
However the new privacy rules end up, they will apply to entities that provide e-comms services on ‘new’ platforms. From the vantage point of 2022, these aren’t new, but for the legislation they are considered so.
These include Skype, Facebook Messenger, and WhatsApp, among others. The idea is that all of these services will have confidentiality guaranteed at the same level as traditional telecoms operators.
All EU citizens and businesses within EU member states will have the same level of e-comms protection. As there will be a single set of rules across the EU, businesses will benefit in a way they don’t under the current ePrivacy directive.
As explained in detail earlier, the new regulation will ensure privacy for comms content and metadata. The latter will be deleted and anonymised without specific and prior consent. The only change to this policy will be if the metadata is necessary for billing purposes.
Once the consent is acquired for communications data processing, operators will find new opportunities to develop their businesses by providing more services. This could include, for example, heat maps that show where individuals are located, which would be useful for the development and design of new infrastructure projects by transport companies.
As anyone who uses the Internet will have noticed, the cookie law established in 2018 led to an immense number of consent requests for the user. This will be streamlined and simplified under the new regulation, which will make it easier to use. Instead of clicking from a pop-up, the user will be able to consent to or refuse tracking cookies and other identifiers through their browser settings.
There is also clarification under the proposed new regulation that there is no consent necessary for cookies that are deemed to improve the experience but are not intrusive in terms of privacy. This includes the cookies that remember shopping cart history, for example.
The proposed regulation will outlaw unsolicited emails, texts or calls from automated calling machines. Each of the member states will decide in their own national law whether this protection will be in the form of a default or presented as access to a ‘do not call list’, so that people can control whether they get a marketing call or not. It will also mean that these marketing phone calls will be legally bound to display their real number or use a prefix that clearly shows where they’re from.
Enforcing the privacy and confidentiality rules will be under the charge of data protection authorities, in the same way that they manage GDPR.
As you can see, privacy regarding electronic communications data, including everything from marketing phone calls to traditional telecoms operators, is always evolving.
In the same way, cookie law is also evolving. This does present a challenge for businesses and entities to understand and stay on top of the current ePrivacy Directive, which is a directly applicable regulation in many cases.
All of this is to benefit EU citizens and give users the opportunity to refuse tracking cookies and understand how their data is stored and utilised on their devices. Whether they’re users of Facebook Messenger or utilise lots of different electronic communications services, protection should be on the same level.
Such communication is part of every business offering in the 2020s, and keeping up with current cookie law is a continuous task. However, it’s vital to be aware of the national legislation that affects your business and ensure that you’re compliant with the GDPR and the current ePrivacy Directive on your own website and across any electronic communications as outlined above.