HM Insights

New Cookies law – what will the proposed ePrivacy Regulation change for website operators?

Emerging in the shadow of the hotly discussed General Data Protection Regulation (EU) 2016/679 (the GDPR) is the forthcoming ePrivacy Regulation (ePR), which is set to repeal Directive 2002/58/EC (the so-called 'cookie law').

Whilst many may still be familiarising themselves with the GDPR, we will soon see the introduction of the ePR, which has been coined the GDPR's 'forgotten sibling'. Together, it is hoped that they will form a fully comprehensive set of laws governing all uses of personal data within the EU.

This short article aims to clarify the ePR's rules surrounding the use of cookie banners to obtain consent for the tracking of data, which may be of relevance to website operators who use cookies to track data.


What is ePR - ePrivacy Regulation?

As with the GDPR, the ePR is a European Regulation which means that it will have direct effect across all EU Member States when it comes into force. Although it was intended to come into force on the same date as the GDPR (25 May 2018), the ePR is unlikely to come into force before 2019.

How does it differ from the GDPR?

The ePR differs from the GDPR in that it relates specifically to electronic communications data and it may also concern non-personal data. The GDPR governs the protection of personal data.

What does it mean for cookies?

According to the most recent text of the ePR, methods used for obtaining consent for the tracking of cookies should be as transparent and user-friendly as possible and should prevent end users from being bombarded with requests for consent to track cookies.

The proposed text envisages users consenting to the use of tracking cookies via the settings in their web browsers. This would remove the requirement on website operators to obtain consent by, for example, using cookie banners, although they will not be prevented from doing so.

Are there any exemptions?

The ePR does make provision for situations in which consent will not be required – for example, where the use of cookies involves little or no intrusion of privacy. Such situations include storing cookies for the duration of a single established session to keep track of the user's input actions or authentication session cookies used to verify users' identities.

Website operators must be mindful of making access to a website conditional upon a user's acceptance of cookies that are not essential, as this may be considered disproportionate.

What is meant by consent?

The ePR will adopt the definition of consent under the GDPR, which covers any 'freely given, specific, informed and unambiguous indication' of an individual's wishes 'by a statement or by a clear affirmative action'.

Cookie banners: are they recommended?

The proposed provisions of the ePR point towards a system in which providers of software enabling access to the internet must create a comprehensive set of privacy settings. This will allow users to tailor which, if any, cookies they wish to be tracked. Providers must also inform users at either first use or at the moment of every update of the available privacy settings.

It is anticipated that the new provisions will end the cookie banner at the top of website homepages. However, at present the use of cookie banners is still commonplace and it is still recommended that they are used for the time being prior to the ePR coming into force. Further, there have been discussions around explicitly permitting use of cookie banners after the ePR comes into force.

What should be included in cookie banners?

There are no express guidelines on what must be included in cookie banners. However, they must meet the requirements of the GDPR in terms of consent and ensure that users are provided with sufficient information in order to be deemed to be giving their informed consent.

Currently, a number of cookie banners simply state that cookies may be tracked on a website, but going forward they may need to specify the different types of cookies which may be tracked on that website and include a clear breakdown of the different purposes for which the data is being collected, with an option to opt in and out of each different use at the click of a mouse.

Furthermore, allowing users to opt in or out of distinct categories of cookies provides them with clear options through which they can freely and unambiguously consent. This includes allowing users to withdraw consent as easily as they have given it and avoiding pre-ticked boxes. Save for the exemptions considered above, cookies should not be tracked where no consent has been given.
