The European Commission has announced its proposed reform of the ePrivacy legislation which has been in place since 2009. This set of rules includes, among other things, what has come to be known as the “cookie law”.
The full text contained some changes to last month’s leaked draft text, but nothing earth-shaking.
There is, of course, much more to this proposal and regulation than cookies, but this post deals only with the cookie provisions. For more on the other aspects of this announcement, this blog post is an excellent overview.
What is changing with cookies?
First-party cookies and analytics
In the lead-up to v1 of the cookie law, first-party cookies and analytics were seen as equally guilty of wrongdoing.
That ship has now sailed.
Recital 21: …consent should not be requested for authorizing the technical storage or access which is strictly necessary and proportionate for the legitimate purpose of enabling the use of a specific service explicitly requested by the end-user. This may include the storing of cookies for the duration of a single established session on a website to keep track of the end-user’s input when filling in online forms over several pages. Cookies can also be a legitimate and useful tool, for example, in measuring web traffic to a website…
Consent fatigue is acknowledged
And here we have the long-awaited mea culpa.
Recital 22: …Given the ubiquitous use of tracking cookies and other tracking techniques, end-users are increasingly requested to provide consent to store such tracking cookies in their terminal equipment. As a result, end-users are overloaded with requests to provide consent.
This leads to the encouragement of a switch to browser and technical settings.
…this Regulation should provide for the possibility to express consent by using the appropriate settings of a browser or other application. The choices made by end-users when establishing its general privacy settings of a browser or other application should be binding on, and enforceable against, any third parties.
Within the actual text of the regulation, Article 8, Section 1 deals with the processing and storage of information on end users’ terminal equipment. Article 8, Section 2 deals with the conditions by which the collection of information from terminal equipment is allowed.
So what does that mean in plain English? It means that as of May 2018, your cookie law dropdowns, popups, modals, top bars, bottom bars, and dive bars can go.
Browsers + GDPR
Browser and application settings can stand as the form of cookie consent, provided that
- Those settings have been developed in accordance with the Privacy by Design (PbD) requirements of GDPR;
- The settings offer the option to prevent third parties from storing information on the user’s equipment;
- Users have a series of options, ranging from high (e.g. never accept cookies), through intermediate (e.g. accept first-party but reject third-party cookies), to low (e.g. accept all cookies);
- These options are presented in a clear and easily understood manner, as required by the privacy notice requirements of GDPR.
Browsers + consent
Continuing the above, browsers and applications should:
- Request the user’s privacy settings at the time of installation;
- Not provide any information (or naughty dark patterns) which dissuades users from choosing higher privacy options;
- Provide information on the risks of third-party cookie storage, including profiling and cross-device tracking;
- Provide easy ways for users to change their privacy settings at any time;
- Allow users to whitelist and exempt sites from settings;
- Ensure that these processes comply with the Consent provisions of GDPR.
In the case of software and applications which have already been installed by the compliance deadline of 25 May 2018, “the requirements…shall be complied with at the time of the first update of the software, but no later than 25 August 2018.”
In other words, developers who have not met the compliance deadline will need to ship an update within three months of D-Day.
Article 9 references GDPR as the standard for consent, and reiterates that “where technically possible and feasible…consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet.”
The consent process, interestingly enough, must be repeated every six months.
In other words, every six months your browsers and applications must remind you to update or refresh your cookie consent settings.
Enforcement and penalties
The enforcement and penalty regime mirrors GDPR, with progressive fines possible through an infringing party’s national data protection authority.
That said, the removal of everyday web site administrators from cookie consent obligations for nothing more than analytics should free up data protection authorities to focus on genuine privacy breaches, rather than having to deal with vexatious and ad-hominem complaints filed by serial grievance filers on high horses.
When do these changes take effect?
The refreshed ePrivacy regulation would take effect on 25 May 2018 – yes, the same day as GDPR.
What about Brexit?
Le sigh. You will need to continue complying with GDPR and the ePrivacy regulation as long as you are doing business in Europe regardless of Brexit.
Can I have a cookie now?
Oh go ahead.