A leaked sneak peek at the cookie law tweak

This week Politico leaked a draft (inaccessible pdf, 3mb) of the reform of the EU e-Privacy directive, the 2009 amendment to the 2002 directive which lays down various rules on online privacy. This directive includes everyone’s favourite digital regulation ever: the consent mechanism known as the cookie law.

We weren’t expecting to see some movement on this reform until January, so call the leak an early Christmas gift for policy geeks. (What can I say, we’re easily amused.)

It’s important to note that this is a working draft, and an old one at that. Jennifer Baker reports it is “a recent—though not the current—draft of the proposed law, according to anonymous Brussels sources.” There is no date or version number on it.

Because of that, do not give the draft too much weight. This is not the new law carved in stone, nor is this anything official.

That said, there’s no harm in taking a look.

For ease of discussion I refer to “cookie law v.1” and “cookie law v.2”.

The big changes

The first thing to catch a policy geek’s eye is that this proposal is for a regulation. The 2002/2009 law it would replace is a directive.

For those who don’t know the difference, it works like this: a Directive must be transposed into national legislation, in other words, added to a country’s national laws. In transposing a Directive, member states usually have some leeway to modify parts of it to suit their national needs. Regulations, on the other hand, become the law across Europe the day the proverbial ink is dry. Member states have no leeway to make modifications.

The fact that cookie law v.1 was a Directive, not a Regulation, was how we ended up with several dozen different cookie laws. The compliance obligation inherent in getting that right presented a monumental challenge to everyday developers and web site administrators.

Cookie law v.2 will be one rule for all of Europe.

But is that a good or a bad thing? That depends on what lies within it. Read on.


The 2002 and 2009 regulations came out seven and fourteen years into the life of the EU data protection directive and did little to complement it.

This ePrivacy refresh, however, is specifically designed as a complement to GDPR, the refresh of that 1995 directive. The idea is that both new sets of rules would come into effect at roughly the same time. (GDPR becomes enforceable from 25 May 2018.)

Within policy circles this year there has been a lot of debate over whether GDPR effectively rendered the ePrivacy directive redundant. The draft acknowledged that debate and noted that the EC has spent the year mulling over five options: soft law; limited, measured, or far-reaching strengthening of the Directive; or a repeal altogether. This draft indicates they have gone with the middle option, measured strengthening.

Many of the GDPR’s standards are duplicated within the draft ePrivacy revamp. For example, the requirement for Privacy by Design is repeated here, and the article on Consent references GDPR.

Another feature in common is the draft law’s teeth. As with GDPR, there are fines up to 4% of a company’s global annual turnover.

(Cue a repeat of 2012’s scaremongering OMG YOU ARE GOING TO GET A FINE FROM THE EU!!!!!!! No you’re not. As with now, supervision will rest with your national data protection authority, which will work with businesses constructively and cooperatively towards better compliance. Fines and penalties, as with now, will be a last resort used by DPAs against service providers which refuse to cooperate or those who commit truly egregious violations of data privacy.)

While we won’t see a final draft of the ePrivacy revamp until next month, get into the mindset of preparing for both revamps at the same time. They are two halves of the same thing.

Let’s talk cookies

For a full rundown of what the draft says about cookie consent, see pages 18-20 and 28-30 of the leaked draft.

By my read, the draft suggests a major change in how the EU is approaching the privacy issues created by cookies. In layman’s terms they are shifting the focus and shifting the burden. The focus on privacy is as strict as ever; however, it would seem that they have taken aboard the lessons learnt about what simply did not work the first time around.

This is important. V1 of the cookie law effectively criminalised every web site owner overnight. Small businesses using analytics cookies were treated no differently from privacy-gulping social media platforms. Scaremongering, conspiratorial accusations, and threats abounded. Abuse of the law as an ad-hominem griping mechanism left even data protection commissioners fed up. The real loser in all that was privacy. A poorly drafted law, brought into force with no regard for the priority of constituencies, served neither the public nor online privacy.

It looks like this draft is trying to fix that.

Browser preferences. Finally.

One of the questions that came up time and time again with cookie law v.1 was “why didn’t they just allow browser preferences to express consent?”

Well, here’s your potted history.

When the Article 29 Working Party – the EU’s privacy watchdog – started looking into legislation on online privacy in the year 2000, the browser was yet to get a patch for cookie control. By “the browser” I mean Internet Explorer 5. (See page 52 of this pdf if you’re really bored.) It seems that the notion that browsers ≠ cookie consent stayed in their heads.

When the 2009 amendment which created the cookie regulation was under discussion, despite the fact that browsers had long caught up by then, the Article 29 Working Party strongly objected to the use of browser settings as the consent mechanism. See page 10 of this pdf.

That’s how we got popups and consent fatigue.

Since then, thankfully, the priority of constituencies has finally dawned on the Article 29 Working Party. In their evaluation of the review of the e-Privacy directive published earlier this year (pdf) they conceded: “Instead of relying on website operators to obtain consent on behalf of third parties (such as advertising and social networks), manufacturers of browsers and other software or operating systems should be encouraged to develop, implement and ensure effective user empowerment, by offering control tools within the browser (or other software or operating system)…”

In the leaked draft, Recitals 26, 27, and 28 address browser settings.

Article 9 (Consent) states: “Where technically possible and effective…consent may be expressed by using the appropriate technical settings of a software application enabling access to the Internet.”

So there we have it.

Consent fatigue is a thing

As part of the shift to browser preferences as a valid consent mechanism, recital 28 admits “while [consent] banners serve to empower users, at the same time, they may cause irritation because users are forced to read the notices and click on the boxes, thus impairing Internet browsing experience.”

That’s bureaucratic speak for “yeah, we got that one wrong.”

Shift from functional cookies to advertising

The second big change, by my read, is a shift in focus to where the problems are: advertising and marketing cookies.

Cookie law v.1 initially treated all cookies, whether first-party functional cookies or third-party advertising beacons, as being equally guilty of wrongdoing.

By shifting the focus to third-party cookies, and requiring browser manufacturers to give users the option to block all third-party cookies by default, the leaked draft has succeeded in getting the advertising industry to declare that cookie law v.2 is “putting at risk the entire internet as we know it.” That is a sign that the EU has them properly spooked.

Stale cookies

Article 7 in the draft deals with data retention issues (worded as “erasure of electronic communications data”) which add to GDPR’s requirements. It implies that unreasonable dates for cookie expiry need to go. You’re not going to need that bookmark in 7,984 years anyway.


You’ll recall that analytics were a huge point of contention with cookie law v.1. Sites need analytics for a number of reasons, ranging from security to funding evaluations, over and above the basic need to know who is visiting your site and what they are looking at. However, cookie law v.1 saw all analytics as malicious tracking and all analytics users as co-conspirators in the surveillance apparatus. (And they wonder why there were people who stated they would vote to leave the EU specifically because of the cookie law?)

In 2012, barely a month after the law went into effect, the Article 29 Working Party said (pdf) that “first party analytics cookies are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes” but that “first party analytics should be clearly distinguished from third party analytics, which use a common third party cookie to collect navigation information related to users across distinct websites, and which pose a substantially greater risk to privacy.”

Recital 25 of the leaked draft states “Cookies can also be a legitimate and useful tool, for example, in measuring web traffic to a site.”

The draft’s articles do not legislate anything specific on analytics; however, its other provisions cover analytics, whether first or third party, cookie-enabled or cookie-less.

The bottom line for analytics is that, at least by this draft, the EU has decided to pick its battles. And that’s a good thing.

Save the sanctimony…

None of what I’ve observed above is to say that web site administrators and developers are off the hook where user privacy is concerned. They still have a moral and legal obligation, particularly where GDPR is concerned, to build in proper workflows and privacy by design. You will still have an obligation to be crystal clear about what information you are requesting, what information you are storing, and what rights people have to their data as well as the things you are doing with it.

The point is that the presumption of guilt, and the burden of proof placed on to those who have done nothing wrong, is on the way out. And not before time.

How much has this cost so far?

I’ve written earlier (posts one and two) about the difficulties in trying to quantify the implementation costs of cookie law v.1. Because the data would need to come from dozens of countries and languages, it’s an exercise that would challenge an academic with a team of interns, never mind an unpaid blogger. While one Washington-based think tank estimated the total compliance cost at €2 billion, their political biases – as well as their questionable track record – made that figure little more than fag packet maths.

Page 6 of the leaked draft states “while it is necessary to acknowledge the difficulty to obtain reliable and representative quantitative data, most of the compliance costs experienced [across the whole Directive] today seem to be associated to the ‘cookie’ consent provision (Article 5.3), which due to its extensive coverage (i.e. all businesses running a website with tracking cookies), amounts to approximately EUR 1.8 billion.”

The source of this figure is given as the REFIT evaluation and review, which is not yet available online, although you can read its inception impact assessment (pdf).

What about Brexit?

Well, what about it? If you watched my GDPR talk you know what’s coming next.

Compliance after Brexit

Regardless of how it turns out in the final draft, the ePrivacy directive, as with GDPR, is extraterritorial. That means its provisions apply to European users and customers regardless of where the service is being provided from.

So as with GDPR, Brexit will not end compliance obligations with the ePrivacy directive. Doing business in Europe will mean following both laws.

If you are a business in the UK, prepare for compliance with GDPR and the ePrivacy directive as if Brexit were never going to happen, and then stay there as if Brexit never did. Compliance will allow you to continue doing business in Europe and will also provide you with a healthy data protection standard to follow. That standard is much healthier, in fact, than anything we are likely to come up with domestically.

Speaking of which…

Not going out without a fight

There’s one last surprise in this draft. Article 5 reads:

Confidentiality of electronic communications

Electronic communications shall be confidential. Any processing of, including interference with, electronic communications by any natural or legal person without the consent of the end-users concerned, such as by listening, tapping, storing, monitoring, or other kinds of interception and surveillance shall be prohibited, except when provided otherwise in this Regulation.

Article 6 goes on to provide a list of lawful conditions for accessing and processing metadata, none of which include some of the excuses we’ve heard lately from Whitehall.

The message here is clear: EU citizens will continue to enjoy legal protection against the forms of mass surveillance which the UK is putting in right now.

The timing here is also important. The ePrivacy revamp is meant to come into force in 2018 alongside GDPR. There is no chance of the UK being out of the EU by May 2018. This means that there will be an interim phase where a Brexiting, authoritarian, and surveillance-mad UK is made subject to new articles on the confidentiality of electronic communications which make much of that surveillance illegal.

This will open up a whole new battle as digital rights and civil liberties groups demand that Articles 5 and 6 carry over post-Brexit, while the May government seizes on it as yet more evidence of European interference in British law and order.

There will be fireworks.

The final official draft of the ePrivacy directive revamp is expected on 11 January.