Cookie law reform announcement: farewell popups, hello settings

Important update

This post was written in January 2017. As of May 2018 the ePrivacy Directive reform is still in draft and has not been finalised. The proposed changes detailed below are not set in stone, and the revamp will not take effect on 25 May along with GDPR.

While this post may be useful to you in understanding how the reform may eventually take shape, it is not definitive legal or compliance information. Until the reform is finalised, you should continue to comply with the existing ePrivacy Directive as well as the upgraded requirements of GDPR.

The European Commission has announced its proposed reform of the ePrivacy legislation which has been in place since 2009. This set of rules includes, among other things, what has come to be known as the “cookie law”.

Under the refreshed rules, the burden for cookie compliance shifts from administrators, and the front ends of web sites, to the technical settings of browsers and applications.

These changes should spell the end of cookie consent popups, dropdowns, and modals, as well as unnecessary opt-in processes.

The refreshed rules, including provisions on consent and privacy by design, are tied to GDPR, the EU data protection reform taking effect in May 2018.

The full text contained some changes to last month’s leaked draft text, but nothing earth-shaking.

There is, of course, much more to this proposal and regulation than cookies, but this post is only dealing with the cookie provisions. For more on the other aspects of this announcement this blog post is an excellent overview.

What is changing with cookies?

First-party cookies and analytics

In the lead-up to v1 of the cookie law, first-party cookies and analytics were seen as equally guilty of wrongdoing.

That ship has now sailed.

Recital 21: …consent should not be requested for authorizing the technical storage or access which is strictly necessary and proportionate for the legitimate purpose of enabling the use of a specific service explicitly requested by the end-user. This may include the storing of cookies for the duration of a single established session on a website to keep track of the end-user’s input when filling in online forms over several pages. Cookies can also be a legitimate and useful tool, for example, in measuring web traffic to a website…

Consent fatigue is acknowledged

And here we have the long-awaited mea culpa.

Recital 22: …Given the ubiquitous use of tracking cookies and other tracking techniques, end-users are increasingly requested to provide consent to store such tracking cookies in their terminal equipment. As a result, end-users are overloaded with requests to provide consent.

This leads to the encouragement of the switch to browser and technical settings.

…this Regulation should provide for the possibility to express consent by using the appropriate settings of a browser or other application. The choices made by end-users when establishing its general privacy settings of a browser or other application should be binding on, and enforceable against, any third parties.

Within the actual text of the regulation, Article 8, Section 1 deals with the processing and storage of information on end users’ terminal equipment. Article 8, Section 2 deals with the conditions by which the collection of information from terminal equipment is allowed.

So what does that mean in plain English? It means that as of May 2018, your cookie law dropdowns, popups, modals, top bars, bottom bars, and dive bars can go.

Browsers + GDPR

Browser and application settings can serve as the form of cookie consent, provided that

  • Those settings have been developed in accordance with the privacy by design (PbD) requirements of GDPR;
  • The settings offer the option to prevent third parties from storing information on the user’s equipment;
  • Users have a series of options, ranging from high (e.g. never accept cookies), through intermediate (e.g. accept first-party but reject third-party cookies), to low (e.g. accept all cookies);
  • These options are presented in a clear and easily understood manner, as required by the privacy notice requirements of GDPR.

Browsers + consent

Continuing the above, browsers and applications should:

  • Request the user’s privacy settings at the time of installation;
  • Not provide any information (or naughty dark patterns) that dissuades users from choosing higher privacy options;
  • Provide information on the risks of third-party cookie storage, including profiling and cross-device tracking;
  • Provide easy ways for users to change their privacy settings at any time;
  • Allow users to whitelist and exempt sites from settings;
  • Ensure that these processes comply with the Consent provisions of GDPR.

In the case of software and applications which have already been installed by the compliance deadline of 25 May 2018, “the requirements…shall be complied with at the time of the first update of the software, but no later than 25 August 2018.”

In other words, developers who have not met the compliance deadline will need to ship an update within three months of d-day.

Article 9 references GDPR as the standard for consent, and reiterates that “where technically possible and feasible…consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet.”

The consent process, interestingly enough, must be repeated every six months.

In other words, every six months your browsers and applications must remind you to update or refresh your cookie consent settings.

Enforcement and penalties

The enforcement and penalty regime mirrors GDPR, with progressive fines possible through an infringing party’s national data protection authority.

That said, the removal of everyday web site administrators from cookie consent obligations for nothing more than analytics should free up data protection authorities to focus on genuine privacy breaches, rather than having to deal with vexatious and ad-hominem complaints filed by serial grievance filers on high horses.

When do these changes take effect?

The refreshed ePrivacy regulation would take effect on 25 May 2018 – yes, the same day as GDPR.

What about Brexit?

Le sigh. You will need to continue complying with GDPR and the ePrivacy regulation as long as you are doing business in Europe regardless of Brexit.

Can I have a cookie now?

Oh go ahead.