Cookie Consent and the ePrivacy Regulation (proposed successor to the ePrivacy Directive)
Website visitors in Europe have been seeing cookie banners that give notice about a site's use of cookies for years because of the EU Cookies Directive. With the GDPR driving extensive changes to European data protection and privacy law, it should come as no surprise that the ePrivacy Directive is also in the midst of an overhaul. In 2020 or 2021, websites will most likely face additional consent management obligations, as they will need to extend their GDPR compliance solution to cover cookie consent. We are already beginning to think about what changes will be required under the new ePrivacy Regulation in addition to the obligations the GDPR already imposes.
Try the Clarip Cookie Consent Manager if you are in need of compliance software for ePrivacy Directive Article 5.3.
For those that are starting to look at this area for the future as well, we have put together this brief overview:
What are cookies?
Cookies are small pieces of data that a website asks the browser to store and to send back with later requests to that site. Websites use them to track certain actions and behaviors: to customize the browsing experience, to make interactions more efficient (by remembering items in the shopping cart), or to deliver targeted advertisements. There are two types: session cookies and persistent cookies.
A session cookie is a transient cookie that the browser holds in memory and discards when the browsing session ends. It lets the website avoid asking for the same information again during the same visit.
Persistent cookies are written to disk and kept until they expire or the user deletes them. Because they survive across visits, the website can use them to recognize the browser next time. Persistent cookies can be used to remember login state, menu preferences, or language selection, among other things.
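The difference between the two types is visible in the Set-Cookie header: a cookie sent without Max-Age or Expires is a session cookie, and adding either attribute makes it persistent. The following is an added example (not code from the page or from Clarip) that builds and parses such headers the way a browser interprets them; the cookie names and values are constructed samples, and the `now` parameter exists only to make the Expires date reproducible.

```javascript
// Added example, not from the original page: Set-Cookie headers for session
// and persistent cookies, plus a parser that tells them apart. Cookie names
// and values below are constructed sample data.

const COOKIE_NAME = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // RFC 6265 "token"

// Build a Set-Cookie header value. With maxAgeSeconds === null the result is
// a session cookie; any integer Max-Age makes it persistent.
function buildSetCookie({ name, value, maxAgeSeconds = null, path = "/",
                          secure = true, httpOnly = true, sameSite = "Lax" },
                        now = Date.now()) {
  if (!COOKIE_NAME.test(name)) throw new Error(`invalid cookie name: ${name}`);
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (maxAgeSeconds !== null) {
    if (!Number.isInteger(maxAgeSeconds)) throw new Error("Max-Age must be an integer");
    parts.push(`Max-Age=${maxAgeSeconds}`);
    // Expires is redundant next to Max-Age; it is kept for very old clients.
    parts.push(`Expires=${new Date(now + maxAgeSeconds * 1000).toUTCString()}`);
  }
  if (secure) parts.push("Secure");     // never sent over plain HTTP
  if (httpOnly) parts.push("HttpOnly"); // not readable by page scripts
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join("; ");
}

// Parse a Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq <= 0) throw new Error(`malformed cookie pair: ${pair}`);
  const cookie = {
    name: pair.slice(0, eq),
    value: decodeURIComponent(pair.slice(eq + 1)),
    attributes: {},
  };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Expiry as a millisecond timestamp, or null for a session cookie (it lives
// until the browser session ends). Per RFC 6265, Max-Age wins over Expires
// when both are present.
function expiresAt(cookie, now = Date.now()) {
  const { "max-age": maxAge, expires } = cookie.attributes;
  if (maxAge !== undefined) return now + Number(maxAge) * 1000;
  if (expires !== undefined) return Date.parse(expires);
  return null;
}

function isPersistent(cookie) {
  return expiresAt(cookie, 0) !== null;
}
```

One caveat for anyone relying on the session/persistent distinction for compliance: several browsers restore session cookies when the user chooses to resume the previous session at startup, so "deleted when the browser closes" is not guaranteed in practice.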
What is the current cookie law?
The EU Cookie Directive (Directive 2009/136/EC) is the 2009 amendment to the 2002 ePrivacy Directive (Directive 2002/58/EC) that requires website operators to obtain visitors' consent to set and use cookies. Article 5(3) of the ePrivacy Directive specifically requires an organization to obtain the informed consent of a user before storing information on, or accessing information already stored on, the user's device. As a result, websites in Europe have been notifying users and obtaining consent for the placement of cookies for a few years now (Member States had until May 2011 to transpose the amended Directive into national law).
Why was the law necessary?
The concept of digital consent for cookies has evolved over the years. In 2002, Europe gave website visitors the right to refuse the use of their equipment for the storage of information after they received clear and comprehensive information about its use. In 2009, the law was changed to require website operators to instead obtain consent before setting and using cookies. The Article 29 Working Party noted that most major browsers allowed all cookies by default and as a result the onus was put on website operators to provide notification and establish consent before setting cookies for themselves or third-parties.
Article 29 Working Party Guidance About Consent
In order for the website owner to demonstrate consent, the Working Party expected sites to:
– provide an immediately visible notice that cookies are being used, along with a link to more information about the cookies in use
– make immediately visible that using the website constitutes agreement for the website to set cookies
– information on how the user can accept or withdraw their wishes regarding cookies
– a mechanism to accept all or to accept some and decline other cookies
– the ability to change prior preferences regarding cookies.
The main requirements for website compliance with the Cookies Directive should look familiar:
– Specific and Appropriate Information: The notice must specify the exact purpose of the cookies, their retention period, and whether third-party cookies are set or third parties have access to the data.
– Timing: Consent must be obtained before the cookie is sent to the browser.
– Active Choice: The consent procedure must require an active indication of the user’s wishes and leave no doubt as to the user’s intention.
– Freely Given: There must be a real choice, without deception, intimidation, coercion or significant negative consequences. General access to the site should not be conditioned on accepting non-functional cookies that only provide the website operator with additional benefits.
How has this translated into practice?
Notice – Most websites deploy a visible banner that alerts new visitors to the site’s use of cookies. The notice is displayed long enough to be seen and understood before the website’s cookies are placed on the device.
Consent – Most websites state that a visitor who continues to browse the website without refusing or disabling cookies is consenting to their placement.
Transparency – Websites provide a link to additional information about how their cookies are used.
Where do problems arise for cookies under the current ePrivacy Directive?
1. Simultaneous Notice and Cookies: The Dutch data protection authority took action against website owners and ad networks for dropping cookies at the same moment the notice was shown. Users were given no opportunity to avoid the cookies after receiving the notice.
2. Implied Consent: This has been the market standard for several years, with both Facebook and Google relying on implied consent for their cookies within the EU. However, the GDPR’s move toward explicit consent clearly suggests that implied consent is on the way out.
3. Cookie Walls: Some website operators block use of the website until the individual accepts the cookies described on the wall that blocks access.
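The timing and active-choice requirements above, and the first two problems just listed, come down to one implementation rule: no non-essential cookie may be set until an explicit decision exists, and nothing the visitor does short of an explicit banner action may create that decision. The following is an added example (not code from the page or from Clarip) of a consent gate built on that rule. `MemoryJar` is an in-memory stand-in for the browser's cookie store so the code runs outside a browser; the category names, cookie names and the `cookie_consent` record format are assumptions for the illustration.

```javascript
// Added example, not from the original page: a consent gate that holds every
// non-essential cookie until the visitor makes an explicit choice, records
// that choice, and honours withdrawal. MemoryJar stands in for the browser's
// cookie store; categories and cookie specs below are constructed samples.

class MemoryJar {
  constructor() { this.store = new Map(); }
  set(name, value, opts = {}) { this.store.set(name, { value, ...opts }); }
  remove(name) { this.store.delete(name); }          // browser: Max-Age=0
  has(name) { return this.store.has(name); }
  get(name) { return this.store.has(name) ? this.store.get(name).value : null; }
}

class ConsentGate {
  // categories: the optional cookie categories the banner lets the user choose
  constructor(jar, categories) {
    this.jar = jar;
    this.categories = categories;
    this.decision = null;   // null = no choice yet; never inferred from browsing
    this.pending = [];      // cookie specs waiting for a decision
    this.placed = new Map(categories.map((c) => [c, new Set()]));
  }

  // Call this wherever the site would otherwise just drop a cookie. Strictly
  // necessary cookies go straight through; everything else waits for a
  // decision, so notice and cookie never arrive at the same moment.
  request(spec) {
    if (spec.category === "necessary") {
      this.jar.set(spec.name, spec.value, { maxAgeSeconds: spec.maxAgeSeconds });
      return "set";
    }
    if (!this.categories.includes(spec.category)) {
      throw new Error(`unknown cookie category: ${spec.category}`);
    }
    if (this.decision === null) { this.pending.push(spec); return "held"; }
    return this.place(spec) ? "set" : "refused";
  }

  place(spec) {
    if (!this.decision[spec.category]) return false;
    this.jar.set(spec.name, spec.value, { maxAgeSeconds: spec.maxAgeSeconds });
    this.placed.get(spec.category).add(spec.name);
    return true;
  }

  // The only way a decision comes into existence: an explicit banner action
  // that states yes or no for every category (accept all, or accept some and
  // decline others). Scroll and navigation handlers must never call this.
  decide(choices) {
    for (const c of this.categories) {
      if (typeof choices[c] !== "boolean") throw new Error(`no choice given for ${c}`);
    }
    this.decision = Object.fromEntries(this.categories.map((c) => [c, choices[c]]));
    this.saveRecord();
    const queued = this.pending;
    this.pending = [];
    queued.forEach((spec) => this.place(spec));
  }

  // Changing a prior preference: stop setting the category and expire the
  // cookies already placed under it.
  withdraw(category) {
    if (this.decision === null || !this.placed.has(category)) return;
    this.decision[category] = false;
    for (const name of this.placed.get(category)) this.jar.remove(name);
    this.placed.get(category).clear();
    this.saveRecord();
  }

  // The consent record is itself a necessary cookie: it is what the site
  // keeps to show what was agreed to and when (assumed format).
  saveRecord(now = Date.now()) {
    const record = { choices: this.decision, at: now };
    this.jar.set("cookie_consent", JSON.stringify(record), { maxAgeSeconds: 180 * 24 * 3600 });
  }
}
```

Two design points are deliberate: `request()` returns "held" rather than setting and later deleting, because a cookie that was sent even briefly has already been placed without consent; and `decide()` rejects a choice object that is silent on any category, so a banner cannot treat "no answer" as "yes".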
Why is the EU Updating the Cookies Directive and the ePrivacy Directive?
Europe is in the process of reforming the existing ePrivacy Directive to update it for new technological realities, harmonize it among Member States, and define clearer rules for tracking technologies such as cookies. The intention of the effort is to foster security and trust in digital services in order to boost the EU digital economy and ensure that the fundamental rights of users are protected. The move complements the implementation of the EU General Data Protection Regulation (GDPR).
With respect to cookies specifically, studies have indicated that the current rules have failed to give users a real, informed choice. Instead, they have irritated users, who are repeatedly asked for consent to set cookies or face cookie walls that force them to accept cookies.
What are the updates expected to accomplish?
The new ePrivacy Regulation is not limited to cookies. In fact, many aspects of it will reach well beyond cookies as it seeks to update the existing Directive and provide a complement to the GDPR. Overall, here are some of the changes and the goals for them:
– Provide a standard level of protection for all people and businesses which will be easier to comply with for businesses operating across the EU.
– Expand certain privacy rules from traditional telecom operators to cover new types of electronic communication services, such as Facebook Messenger, WhatsApp, Skype, Gmail, iMessage or Viber.
– Provide a privacy guarantee for communications content and metadata such as the time of a call and location.
– Clarify cookie law by establishing that consent is not necessary for cookies that are not privacy-intrusive. It will also require browser settings that make accepting or refusing cookies more user-friendly.
– Prohibit unsolicited emails, SMS and automated calling machines either by default or through a do-not-call list (depending on the country).
– Fines of up to 4% of global annual revenue for infringements of the Regulation.
As you can see, many of the updates do not relate to changing the EU cookie law but it is nevertheless expected to have a broad impact on how cookies are handled in conjunction with the GDPR.
Time Frame: 2020?
Although many originally expected the updates to be in place to complement GDPR’s May 2018 implementation, that has not happened. The proposal for the new ePrivacy Regulation was published in January 2017. Further developments are expected in the fall of 2018 or spring of 2019 with a deadline for implementation by companies and other organizations of approximately one year after it is finalized. This is putting the current expected effective date for implementation by businesses in 2020 or 2021.
Contact Clarip Today for Help with CCPA and GDPR
The Clarip team and data privacy software are prepared to help your organization improve its privacy practices. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If your challenge right now is CCPA compliance for your California operations, allow us to show you our CCPA software. From consent management software to offer the option to opt-out of the sale of personal data, to a powerful DSAR Portal to facilitate the right to access and delete, Clarip offers enterprise privacy management at an affordable price.
If you are preparing your European operations for GDPR compliance, we can help through our modular GDPR software. Whether you are looking to start the process with GDPR data mapping software, increase automation in your privacy program with DPIA software, or handle ePrivacy with a cookie consent manager, Clarip has the privacy platform that you need to bolster your program.