How the ePrivacy Directive and GDPR impact cookie law

GDPR EU explains the regulations governing cookies and data privacy including GDPR, the current ePrivacy Directive and the future ePrivacy Regulation as devised by the European Union.

Cookies, the ePrivacy Directive & GDPR – A complete guide

Businesses use cookies to gain valuable insight into Internet users’ activity. As such, cookies are extremely important as a tool for businesses and corporations. However, cookie consent is not necessarily straightforward.

Despite the importance of this tool, the regulations covering cookies are divided between the ePrivacy Directive and the General Data Protection Regulation.


What exactly are cookies and why are they relevant within electronic communications?

Cookies are placed on user devices in the form of small text files. They’re placed on the device by the websites that the Internet users are browsing.

The web browser then processes and stores the cookies, which are harmless in and of themselves. They are crucial for the functionality of the website, and can easily be found and deleted, if necessary, from the user’s device.

Cookies and the General Data Protection Regulation (GDPR)

Cookie consent falls under the GDPR and is governed by data protection authorities because each cookie stores a wealth of data. Crucially, this data could be used to identify the user.

Simply put, advertisers and businesses use cookies as one of their main identifiers to track the user’s activity online. This allows them to target ads towards each user in a very specific way.

And, due to the amount of data that cookies can contain, they’re legally considered personal data. Therefore, they come under data privacy and GDPR.

Before we go into detail about the specifics of the data protection directive in relation to cookies, it’s important to understand the different types that require consent.

Breaking down the technical details of cookie types

There are three key criteria for classifying cookies: their provenance, what they’re for and how long they last.

The provenance of cookies

These are broken down into the following:

  • Third party cookies: these are placed on the user’s device by a third party, rather than by the website itself, typically an advertiser or an analytics tool.
  • First party cookies: these are placed on the user’s device by the website they’re visiting.

The purpose of each cookie

The following are the generally accepted ways to classify cookies, but there are others that don’t fit into these categories.

  • Marketing cookies: these track the user’s online activity so that advertisers can use the data to deliver specific ads or, in some cases, to limit how many times the user sees it. Therefore, these cookies share data with advertisers or other organisations for direct marketing and are usually third-party.
  • Statistics cookies: you may see these referred to as performance cookies, but either way they collect data and information on how the user browses the website. For example, these cookies store information about how many links are clicked on and which pages are visited. The purpose of these is solely to improve the functionality of the websites.
  • Preference cookies: sometimes called functionality cookies, these allow a website to remember and store choices the user has made. These could include the preferred language, or the username and password so the user can log in automatically.
  • Strictly necessary cookies: as the name suggests, these cookies are necessary for the website and its features to work properly. Cookies like this allow the website to remember shopping cart history, for example. Consent requests aren’t always necessary with these, but there should be information to inform users of their existence.

How long each cookie lasts

  • Persistent cookies: this covers all cookies that remain on the user’s hard drive until either the browser or the person deletes them. The browser deletes them according to the expiration date encoded in the cookie; all cookies of this type carry one. The ePrivacy Directive says that these cookies should not last longer than a year, but they can if no action is taken.
  • Session cookies: these are temporary and automatically expire when the browser is closed and the session ends.

Data protection authorities and cookie classification

The privacy issues are generally concerned with third-party, marketing, persistent cookies. This is because these types of cookies contain personal data and communications data of the user, including location, preferences, and other online identifiers.

Furthermore, the accessibility of third-party cookies is complex and potentially open to abuse.

Cookies and personal data protection

Since the advent of the GDPR by the European data protection board, the use of third-party cookies has declined.

The GDPR, which was devised and implemented by the European Union on 25 May 2018, is the world’s most comprehensive and detailed data protection law that has been issued so far.

Cookie consent, however, is only referred to once in the 88-page document. The European Union confidentiality rules as part of the GDPR mention cookies in Recital 30.

Recital 30 refers to online identifiers for profiling and identification. It states: “Natural persons may be associated with identifiers provided by their devices, apps, tools and protocols, such as Internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

To simplify Recital 30, it essentially says that cookies used during electronic communications and web browsing are subject to GDPR, as laid out by the European Union, only in so far as they can feasibly be used for identification.

How the ePrivacy regulation works regarding cookies

The ePrivacy Directive (EPD) was first passed in 2002. It was amended in 2009 and is colloquially known as the ‘cookie law’.

Its nomenclature derives from the fact that its biggest impact after it was implemented was on the cookie consent pop ups.

The ePrivacy Directive works with the GDPR, and in some cases actually overrides it, concerning the confidentiality rules surrounding electronic communications and tracking users.

Complying with the ePrivacy directive and GDPR

To comply with the ePrivacy Directive and the legally binding GDPR rules governing first party cookies and third-party services, here’s what businesses must do.

  • Ensure consent requests are made and that consent is received from the user before the use of any cookies. The ‘cookie law’ doesn’t cover ‘strictly necessary’ cookies.
  • Communicate the privacy rules with accurate and specific information regarding the data contained in the cookie. Plain language must be used to communicate this information before consent requests are made.
  • Store and document the results of the consent requests from the user.
  • Ensure it’s simple for users to withdraw the consent they’ve given. This must be as simple to do as the initial consent request used to obtain consent.
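The classification above (provenance, purpose, lifetime) and this checklist can be turned into a simple audit of the Set-Cookie headers a site actually emits. The block below is an added illustration, not code from the page or any project: it parses Set-Cookie headers, derives provenance from the Domain attribute and lifetime from Max-Age or Expires, and flags any non-necessary cookie set without a recorded consent, any third-party cookie, and any persistent cookie living longer than a year. The purpose map, cookie names, domains and audit time are constructed assumptions, since purpose cannot be read from the header.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

ONE_YEAR = timedelta(days=365)
# Purpose cannot be read from the header; the site operator declares it. Constructed map (assumption).
PURPOSE = {"sess": "necessary", "lang": "preference", "stats": "statistics", "adid": "marketing"}

def parse_set_cookie(header, now):
    """Return (name, domain, lifetime); lifetime is None for a session cookie."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {k.lower(): v for k, _, v in (p.partition("=") for p in parts[1:])}
    lifetime = None
    if "max-age" in attrs:                       # Max-Age takes precedence over Expires
        lifetime = timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:               # treat a bare date as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = expires - now
    return name, attrs.get("domain", "").lstrip(".").lower(), lifetime

def is_third_party(cookie_domain, site_host):
    """First party if there is no Domain attribute or the site host lies within it."""
    if not cookie_domain:
        return False
    return site_host != cookie_domain and not site_host.endswith("." + cookie_domain)

def audit(site_host, headers, consented, now):
    """Return one finding per violated rule; an empty list means nothing to flag."""
    findings = []
    for header in headers:
        name, domain, lifetime = parse_set_cookie(header, now)
        purpose = PURPOSE.get(name, "unclassified")
        if purpose != "necessary" and purpose not in consented:
            findings.append(f"{name}: {purpose} cookie set without consent")
        if is_third_party(domain, site_host):
            findings.append(f"{name}: third-party cookie for {domain}")
        if lifetime is not None and lifetime > ONE_YEAR:
            findings.append(f"{name}: persistent for {lifetime.days} days (>1 year)")
    return findings

# Constructed sample: cookies a site's responses might set, audited at a fixed time.
NOW = datetime(2022, 4, 1, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "sess=a1b2c3; Path=/; Secure; HttpOnly",                       # session cookie, necessary
    "lang=en; Max-Age=31536000; Path=/",                           # persistent, exactly one year
    "stats=GA1.1; Domain=.example.com; Expires=Mon, 01 Apr 2024 00:00:00 GMT",
    "adid=xyz; Domain=.adnet.example; Max-Age=7776000; Path=/",   # 90-day third-party cookie
]
```

Running `audit("www.example.com", SAMPLE_HEADERS, {"preference"}, NOW)` flags the statistics and marketing cookies as set without consent, the statistics cookie as persisting 731 days, and the marketing cookie as third-party, while the necessary session cookie and the one-year preference cookie pass.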

The EPD will be replaced by the ePrivacy Regulation for electronic communications services

Eventually, the ePrivacy Regulation will replace the current ePrivacy Directive. If you’re wondering what the difference is between the directive and the ePrivacy Regulation in terms of European Union law, it’s the following.

Within the European Union and as directed by the European Parliament, a ‘directive’ must be included into law by countries within the bloc. In other words, it must be made national law by each separate country. A ‘regulation’, such as the ePrivacy Regulation, becomes instantly legally binding throughout the member states on the date it is launched.

When will the ePrivacy Regulation be adopted?

Given that the initial draft of the ePrivacy Regulation was written and published in early 2017, when will it go ahead?

In the first instance, the European Parliament intended to release the ePrivacy Regulation at the same time as the GDPR in 2018. However, as of April 2022, negotiations continue among EU countries due to the complexity of the proposed ePrivacy regulation.

In February 2021, the EU Council of Ministers agreed on a new version of the EU legislation, albeit still in draft form. This became the first step of the negotiation between all three EU legislative groups: the Council of Ministers, the EU Parliament, and the European Commission.

Proposed ePrivacy regulation – the key points

We can see several useful points within the privacy rules of the European Commission’s proposal. As with all European legislation, this is not yet final.

The main aim of the ePrivacy Regulation is to regulate electronic communications content that is generated by electronic communications services.

By electronic communications services, the European Commission and other bodies mean interpersonal communications services, Internet access services and those that consist wholly or partly of transmitting signals. This means that Voice over Internet Protocol (VoIP), the Internet of Things (IoT) and machine-to-machine (M2M) communications fall under the ePrivacy Regulation.

This broad scope will include new infrastructure projects as well as current communications infrastructure projects, something that will affect everyone from transport companies to EU citizens across the board.

Other provisions of the ePrivacy Regulation

In addition to the above, the proposed ePrivacy Regulation covers the following:

  • Information about users’ devices, and particularly data derived from cookies.
  • The provision of publicly accessible directories of the users of electronic communications services.
  • Direct marketing content sent through unsolicited electronic communications.

As mentioned earlier, the ePrivacy Regulation is designed to be used above the GDPR in some cases.

Legality of data processing and confidentiality rules

The ePrivacy Regulation is predicated on confidentiality of the data used within electronic communications, including unsolicited electronic communications.

Any interception, such as monitoring, scanning, storing or listening, by anyone other than the user is not permitted. There are some exceptions provided within the ePrivacy Regulation, but by and large the main basis for permission is the user’s consent.

The general conditions for permission are laid out in the GDPR Article 6. This covers permissible examples, such as the maintenance or restoration of networks, or the detection and prevention of risks to security or attacks on the user’s devices. There are other examples where this kind of data processing is OK, including threats to public interest or criminal offences.

Electronic communications content data and communications metadata are two distinct things. Communications content data is the information that is exchanged using services such as video, voice, text, or sound apps.

Metadata refers to the data that is processed for transmitting, exchanging, sharing, or otherwise distributing electronic communications content.

Summary of the EU Commission’s proposal for the ePrivacy Regulation

The regulation proposal for these new rules covering all e-communications includes the following:

Newer applications and services included

However the new privacy rules end up, they will apply to entities that provide e-comms services on ‘new’ platforms. From the vantage point of 2022, these aren’t new, but for the legislation they are considered so.

These include Skype, Facebook Messenger, and WhatsApp, among others. The idea is that all of these services will have confidentiality guaranteed at the same level as traditional telecoms operators.

Tighter rules with stronger enforcement

All EU citizens and businesses within EU member states will have the same level of e-comms protection. As there will be a single set of rules across the EU, businesses will benefit in a way they don’t under the current ePrivacy directive.

Metadata and communications content

As explained in detail earlier, the new regulation will ensure privacy for communications content and metadata. Without the user’s specific and prior consent, the latter must be deleted or anonymised. The only exception to this policy is where the metadata is necessary for billing purposes.

New opportunities for traditional telecoms operators

Once the consent is acquired for communications data processing, operators will find new opportunities to develop their businesses by providing more services. This could include, for example, heat maps that show where individuals are located, which would be useful for the development and design of new infrastructure projects by transport companies.

A simpler cookie law

As anyone who uses the Internet will have noticed, the cookie law established in 2018 led to an immense number of consent requests for the user. This will be streamlined and simplified under the new regulation, which will make it easier to use. Instead of clicking through a pop up, the user will be able to consent to or refuse tracking cookies and other identifiers through their browser settings.

There is also clarification under the proposed new regulation that there is no consent necessary for cookies that are deemed to improve the experience but are not intrusive in terms of privacy. This includes the cookies that remember shopping cart history, for example.

Spam protection

The proposed regulation will outlaw unsolicited emails, texts and calls from automated calling machines. Each of the member states will decide in their own national law whether this protection will take the form of a default or be presented as access to a ‘do not call list’, so that users can control whether they get a marketing call or not. It will also mean that these marketing phone calls will be legally bound to display their real number or use a prefix that clearly shows where they’re from.

Better enforcement

Enforcing the privacy and confidentiality rules will be under the charge of data protection authorities, in the same way that they manage GDPR.

Keeping on top of a changing regulatory landscape

As you can see, privacy regarding electronic communications data, including everything from marketing phone calls to traditional telecoms operators, is always evolving.

In the same way, cookie law is also evolving. This does present a challenge for businesses and entities to understand and stay on top of the current ePrivacy Directive, which is a directly applicable regulation in many cases.

All of this is to benefit EU citizens and give users the opportunity to refuse tracking cookies and understand how their data is stored and utilised on their devices. Whether they’re users of Facebook Messenger or utilise lots of different electronic communications services, protection should be on the same level.

Such communication is part of every business offering in the 2020s, and keeping up with current cookie law is a continuous task. However, it’s vital to be aware of the national legislation that affects your business and ensure that you’re compliant with GDPR and the current ePrivacy Directive on your own website and across any electronic communications as outlined above.