EU’s ePrivacy Regulation Rethinks Cookies for the GDPR Age

GDPR

Last updated: 3/12/2019

The General Data Protection Regulation may be the biggest newsmaker of the day, but it’s not the only piece of online protection legislation coming from the European Union. The EU’s new ePrivacy Regulation, also known as the cookie regulation, is just around the corner. While it’s too early to know exactly what the new regulation will involve, its impact will be big enough that it’s well worth an early look.

The History of the ePrivacy Regulation

The ePrivacy Regulation emanated from the Commission's Digital Single Market Strategy, set forth in May 2015. But it probably pays to examine both the regulation that the ePrivacy Regulation is replacing and the one it will supplement. Currently, cookie collection in the EU is governed by the similarly named ePrivacy Directive, more properly known as the Privacy and Electronic Communications Directive (PECD). Established in 2002, this directive was a complement to the EU's Data Protection Directive, the precursor to the GDPR. It was further amended in 2009, and by 2013 all Member States of the European Union were to have the ePrivacy Directive/PECD implemented into national law.

For clarity's sake, a regulation is legally binding across the entire EU, whereas a directive is designed to adapt to local laws—whatever works best within the framework of a specific country.

The PECD set a number of restrictions on the storage and handling of consumers’ personal data. Most relevant to the new regulation, the PECD established guidelines requiring websites to obtain visitors’ consent before employing certain kinds of tracking cookies. (What exactly constitutes consent is another issue, as we’ll see a little later.)

While that seems like a good start, there were a number of concerns about the ePrivacy Directive’s effectiveness. Website owners found the new rules simultaneously too vague and too strict, with EU member nations varying widely in their enforcement of the rules and site owners having little idea of how to avoid penalties. The ePrivacy Regulation is effectively removing most of the wiggle room that led to confusion over the ePrivacy Directive.

How Do the GDPR and ePrivacy Regulation Differ?

But hold on a second—isn’t there already a highly publicized regulation taking care of data protection issues in the European Union? That’s absolutely correct, but the GDPR doesn’t actually have much to say about cookie consent. In fact, cookies are mentioned in exactly one sentence throughout all 99 GDPR articles. However, that sentence carries a lot of weight.

The main difference is that the two regulations (GDPR and PECD) have been drawn up to address different aspects of European life as laid out in the European Charter of Human Rights (ECHR):

  • The GDPR focuses on Article 8 of the ECHR, covering “protection of personal data”
  • The ePrivacy Regulation falls under Article 7, “respect for private and family life,” which specifies that “everyone has the right to respect for his or her private and family life, home and communications”

It’s also worth noting that part of the reason the ePrivacy Directive was upgraded to a regulation was to work in concert with the GDPR. So while the GDPR’s handling of cookies as personally identifiable data sets a baseline for consumer protection, the stricter rules laid out by the ePrivacy Regulation are just as vital for data collectors and processors.

Questions and Concerns about the ePrivacy Regulation

As with any wide-reaching rule change, the ePrivacy Regulation brings with it a good amount of criticism. If a user attempts to visit a site whose cookies are rejected by the user's browser settings, for instance, the visitor will likely be informed of the rejection via a pop-up—effectively carrying on one of the key annoyances of the ePrivacy Directive era. Some critics even suggest that users will have to adjust their browser settings on every device they use, sometimes as they move from site to site. There have also been concerns that data collectors may be punished for infractions beyond their control, potentially incurring fines if a user misunderstands or is unaware of their browser settings.

The overriding worry for data controllers, especially those in advertising, is that these stricter cookie rules will make it prohibitively difficult for websites to offer the level of service consumers currently enjoy. Websites and apps that rely on data collection and cookie tracking in exchange for free content will need to drastically reconsider their business models, which could in turn significantly impact the online experience for many consumers.

Still, until the ePrivacy Regulation is passed in its final form, all of this remains largely speculation. What’s certain is that changes are ahead for not only data collectors, but also nearly any business and individual that uses the internet in the EU. That umbrella covers an awful lot of people, so it pays to get on board earlier rather than later.


Have you automated your GDPR web compliance process? Siteimprove Data Privacy locates the personal data you handle online so you can pinpoint and remove that data across your websites, minimizing the risk of fines and other legal consequences.
