Have you heard about the ePrivacy Regulation? Like the GDPR, this new text will tackle emerging data protection and privacy issues concerning new technologies at European level. In particular, it will review the way you manage cookies on your websites. Audience measurement, cookie walls, browser settings…
In this article we will go deeper into the essence, the state and the progress of the EU ePrivacy Regulation.
Why an ePrivacy Regulation on cookies?
The ePrivacy Regulation highlights that end users’ consent is necessary before processing any kind of data from users’ devices.
The ePrivacy Regulation will regulate topics such as:
- Commercial prospecting;
- The use of metadata;
- Cookies.
Is this necessary?
The ePrivacy Directive is an older piece of legislation, enacted in 2002 and amended in 2009. Each EU Member State has to transpose it into its national law before it is applicable in that country. And parliaments do not always agree with each other. Nor do the regulatory authorities.
The rules may therefore vary from one country to another, concerning, for example:
- whether or not audience measurement cookies are exempt from consent;
- the admissibility of the cookie wall.
Maximum harmonisation was therefore necessary to build a single digital market.
ePrivacy Regulation, what is it?
It is simple.
The GDPR is the reference framework for everything concerning personal data processing. But the ePrivacy Regulation will complement the GDPR’s general rules on personal data processing by providing specific rules governing electronic communications. As such, the ePrivacy Regulation will take precedence over the GDPR in situations where both laws apply.
ePrivacy Regulation, when will it come?
Long announced, often postponed…
The ePrivacy Regulation lifts the ePrivacy Directive to a higher level of European law in order to update, clarify and modernise it.
The timetable has finally been accelerated, and in February 2021, the EU Council adopted its position and agreed on a draft text. The ePrivacy Regulation will now go into trilogue negotiations between the EU Parliament, the EU Council and the EU Commission.
Once the legislative process is completed and the text adopted, companies will have a transitional period to implement it.
The effort you will need to make to comply will depend on what you have already done to comply with the GDPR.
Consent: the ePrivacy Regulation allows browser-based settings
The ePrivacy Regulation will partly reinforce the current rules by further strengthening the need to obtain consent before collecting and processing users’ personal data. The deposit and use of cookies (and other tracking technologies) that are not essential to the functioning of the site will only be possible after users have been properly informed and have given their consent.
This will impact, for example:
- social cookies, video cookies, etc.;
- advertising cookies;
- cookies for personalising the site.
Essential cookies will be exempt from consent if:
- they are exclusively used to carry out or facilitate an electronic communication;
- they are strictly necessary for the provision of a service expressly requested by the user.
How can you collect users’ consent?
By configuring the browser?
The GDPR is open to this, but the regulatory authorities have often objected. The CNIL explicitly said that relying on the browser settings is not acceptable. Many users do not know how to set the browser settings to accept or refuse cookies; therefore, this doesn’t count as an informed request.
This position has forced website owners to deploy a real policy for managing their cookies by:
- integrating a cookie banner to collect and store consents;
- updating their cookie and privacy policies to no longer refer to browser-based settings. If users wish to express a choice, they will have to do so on a site by site basis, via the available cookie banner.
With the ePrivacy Regulation, browser publishers will have to develop and offer end-users settings that comply with the legal framework.
To avoid cookie consent fatigue, end-users will be able to give consent to the use of certain types of cookies by whitelisting one or several providers in their browser settings. Software providers will be encouraged to make it easy for users to set up and amend whitelists on their browsers and withdraw consent at any moment.
With the ePrivacy Regulation, no consent needed for audience measurement
Website tracking is an essential practice for most websites. Tracking user behaviour gives insight into how your website performs. The idea that cookies used to measure a website’s traffic should benefit from an exemption has gained acceptance. But this exemption does not exist under the GDPR.
Nevertheless, the CNIL has published guidelines under which a website publisher can benefit from the exemption from consent and deposit cookies without obtaining prior consent from the user. It is applicable in France only. To benefit from it, there are conditions that must be respected (production of anonymous statistical data; no global tracking of a user’s navigation on several sites, etc.).
The ePrivacy Regulation confirms this exemption as long as the audience measurement is carried out:
- by the concerned website publisher;
- by a third party acting on behalf of the website publisher, or at least jointly.
The exemption will thus allow the use of a web analytics tool.
Are you using your web analytics solution for marketing or advertising purposes?
You must obtain explicit, prior consent from end users for your web tracking to be GDPR compliant.
Certain cookies will be exempt from consent if they are used for:
- the security of the electronic communication, or the user’s terminal;
- preventing fraud;
- detecting incidents;
- updating software (in some cases).
Generally, all of your website’s cookies need to be displayed on your cookie banner.
ePrivacy Regulation and cookie walls
In its latest draft, the ePrivacy Regulation does not completely prohibit the use of cookie walls (or paywalls). The draft states that access to website content can be made conditional on the user’s consent if there is an equivalent that does not require cookie consent.
As long as users have a free and genuine choice between services based on the purpose of cookies provided by the service providers, cookie walls are allowed. Users must be able to use an alternative route that does not require accepting cookies, and keep on navigating the website.
Conclusion: Ready to comply with the ePrivacy Regulation?
Let’s keep on following the ePrivacy Regulation news and progress. In the meantime, a cookie policy that complies with current legal requirements, especially those specified in France by the CNIL, remains largely valid under the ePrivacy Regulation.
Haven’t done so yet? Don’t wait too long: deploy a cookie policy and a cookie consent banner on your website, which will allow you to collect and prove your users’ consent.