On February 10, 2021, the EU member states agreed on a negotiating mandate for the final text of the ePrivacy Regulation, four years after the initial proposal was drafted. The new draft will replace the existing ePrivacy Directive of 2002.
In this article, we will discuss the ePrivacy Regulation and how the new changes make cookie consent all the more significant.
After a wait of four years, the final text (hopefully) of the ePrivacy Regulation (ePR) is here. Until now, the ePrivacy Directive has been the governing directive for EU data privacy in electronic communication.
The new draft of the ePR covers elements such as all electronic communication and electronic consent, the possibility of using cookie walls, Internet of Things services, and direct marketing.
The new draft of the regulation further solidifies the need for obtaining consent before collecting and processing the personal data of users.
The draft will now be taken up in the EU Council for a trialogue to decide its final effective date.
What is the 2002 ePrivacy Directive?
The Privacy and Electronic Communications Directive of 2002 or ePrivacy Directive (ePD) is an EU directive on data protection and privacy. It sets out various guidelines for electronic communications within the European Union (EU). It is also known as the EU Cookie Law because of its specific clause for website cookies.
The Directive recognizes cookies as a useful technology. However, it believes that they can also raise privacy concerns. The cookie law (along with the GDPR) is responsible for the rise in cookie consent banners and popups on websites around the world.
The cookie law mandates that websites must obtain user consent before using non-necessary cookies. It also states that when a user visits the website, they must get adequate information about the cookies being used, including the technical ones. As per the directive, the website must also have an option for the users to deny the cookie. The process of rejecting or withdrawing consent to cookies must be as user-friendly as possible. In case they deny consent to certain types of cookies, the website can restrict or limit access to services that use those cookies.
In 2017, the EU proposed a regulation known as ePrivacy Regulation (ePR), which was supposed to repeal the Directive.
What is ePrivacy Regulation?
The ePrivacy Regulation is the regulation proposed for electronic communication within the EU. It would repeal the ePrivacy Directive and would be lex specialis to the General Data Protection Regulation (GDPR) in the EU. The Regulation was supposed to come into force the same day as the GDPR, but it took time. It has still not been adopted.
The final draft text addresses the confidentiality of electronic communication, acquiring consent for cookies, and data collection for marketing purposes.
The new draft has amended many clauses on website cookies and electronic consent. It has outlined various cases where consent is required and where it is exempted.
Main highlights of the current text of ePrivacy Regulation:
Processing of metadata
The new draft covers electronic communication on publicly available services and its metadata, such as the location, time, and recipient of a communication. The Regulation may decide when there needs to be interference in such communication, which is otherwise not allowed.
The processing of metadata without consent is possible in cases like security, identifying malware, vital interest, or prosecuting criminal offenses.
The ePrivacy Regulation will allow the processing of metadata for a purpose other than the defined one if it is compatible with the initial purpose.
The use of machine-to-machine transmission and Internet of Things (IoT) services
The new draft will apply to machine-to-machine transmissions and IoT services over publicly available services to ensure full protection of the rights to privacy and confidentiality of communications.
In the case where the transmission is done over a private or closed network, the Regulation does not apply.
End-users in the EU
The Regulation applies to the processing of electronic communications data or personal data of end-users who are located in the EU, regardless of whether the processing takes place in the EU, or of whether the service provider is located in the EU.
Cookies or similar identifiers
You must obtain consent for storing cookies or similar identifiers on, or collecting information from, the end user’s terminal equipment. The consent request must also cover reading the cookies on later visits to the same website.
You can no longer use ‘legitimate interest’ as the basis for using cookies under the ePrivacy Regulation.
The use of cookie walls
The ePrivacy Regulation in its new draft does not completely prohibit the use of cookie walls (or paywalls). It states that access to website content can be made conditional on the user’s consent if there is an equivalent that does not require cookie consent. As long as the users have a free and genuine choice between services based on the clear information (purpose of cookies) provided by the service providers, cookie walls are allowed. Offering little to no alternative services with inadequate information may ‘deprive’ the users of a free choice.
Whitelist service providers for cookie consent
Often, end-users are overloaded with consent requests, which leads to ignoring the consent information and the protection that comes with it. The users must be able to consent to the use of certain types of cookies by whitelisting one or several providers in their browser settings. Therefore, the service providers must make it easy for users to set up and amend the whitelists and withdraw consent at any time.
Consent exemption for security updates
The Regulation states that consent is not necessary if the processing is for fixing security vulnerabilities and bugs or for security updates. However, you must inform the users about it before the update. The update must not affect the hardware or software functionality or the privacy settings that were chosen by the users. The users must be able to turn off or postpone such updates if need be.
Software updates that do not have any security purpose, such as those adding new features, require user consent.
What is next?
The current draft will now be subject to a trialogue between the European Parliament, the European Commission, and the EU Council representatives. Once agreed, it will come into effect in two years from the twentieth day following its publication.
As mentioned, the draft has been criticized by various data protection authorities, in particular, the German data protection authority. They have proposed stronger privacy provisions in the final text.
Therefore, the final effective date of the Regulation remains a question.
ePrivacy Regulation and CookieYes
You must prepare your website for the ePrivacy Regulation, regardless of when it comes into force. Whatever the outcome is, a website still requires user consent to store non-necessary cookies on the user’s device. All the other conditions for using cookies still apply.
CookieYes is a cloud-based solution that helps your website to obtain and manage consent for cookies. Its features align with the requirements of privacy laws like the GDPR, ePrivacy Directive, and now, the ePrivacy Regulation.
The key features of CookieYes are:
- Allows full customization of the cookie consent banner, including content, button labels, color
- You can also add CSS codes for unique banner styles
- Lets the users change their consent at any time if you use custom CSS
- Auto-recommends the banner style as per the website’s color scheme
- Supports major languages spoken worldwide
- Supports all major consent management platforms and custom coded websites
- Respects the ‘Do Not Track’ setting of the browser
- Automatically blocks cookies from third parties such as Google Analytics, Facebook Pixel, Hotjar, and YouTube before obtaining user consent
- Automatically scans your website for cookies and adds them to the cookie list on your website
- Allows granular consent by cookie category
- Logs user consents and their preferences for auditing purposes
- Lets the website show cookie banners based on the users’ location
Installing the CookieYes cookie consent banner on your website is easy. It takes these simple steps to be privacy compliant for cookies:
Over 1 million users trust CookieYes products.