Monday 23rd July 2018

Latest revisions to EU privacy law (ePrivacy) address ad networks, browsers, cookies, web measurement and ‘consent fatigue’

The latest revision proposes deleting Article 10 (obligations and privacy responsibilities for browsers), amending Article 6 (permission to process electronic communications) and clarifying Article 8 (the processing and collection of information from a user's device).
by Jason Smith on 10th July 2018

The Council of the European Union, currently led by Austria, has published revisions to a proposal for a new ePrivacy regulation likely to come into force in 2019.

According to an announcement (PDF) on the Austrian Parliament’s website, the revisions will be discussed in a meeting of the Working Party on Telecommunications and Information Society on 17th July.

The new ePrivacy regulation focuses on the confidentiality of users’ electronic communications and will repeal the existing ePrivacy directive, which is colloquially referred to as the “cookie law”.

According to recital 2 of the ePrivacy proposal, the proposed regulation intends to “particularise and complement” the provisions around personal data laid down by the GDPR by “translating its principles into specific rules”.

It regulates activities like direct marketing and web measurement, as well as the transmission of communications across devices and browsers, and cookies set on users’ machines.

The latest revisions focus on Articles 6, 8 and 10 of the proposed regulation. An introduction to the proposed revisions states the aforementioned articles are currently “rather complex provisions” and contain the “core elements” of the proposal.

Moreover, the synopsis to the proposed revisions (PDF) again refers to end-users’ “consent fatigue,” which is likely a reference not only to requests for consent under the existing ePrivacy directive but also to new requests for consent prompted by the emergence of the GDPR.

The latest proposal also seeks to clarify Article 8 via a proposed amendment to recital 20. Article 8 focuses on the protection of devices utilized by users to transmit electronic communications.

A proposed revision to recital 20 states:

“The responsibility for obtaining consent for the storage of a cookie or similar identifier lies on the entity that…collects of [sic] information from end-users’ terminal equipment, such as an information society service provider or ad network provider. Such entities may request another party to obtain consent on their behalf”.

The term “information society service” is defined by Directive (EU) 2015/1535, which states:

“‘service’ means any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.”

The term “terminal equipment” refers to a user’s device, e.g. a smartphone, tablet or computer.

Recital 20 also goes on to state:

“The end-user’s consent to storage of a cookie or similar identifier may also entail consent for the subsequent readings of the cookie in the context of a revisit to the same website domain initially visited by the end-user”.

Furthermore, “Access to specific website content may still be made conditional on the consent to the storage of a cookie or similar identifier”.

As per recital 21, consent is not required to store cookies that involve “no, or only very limited, intrusion of privacy,” e.g. cookies used to remember products stored in a user’s shopping basket, authenticate a user’s session or retain form input.

The revisions also address recital 21(a), which refers to cookies being used to “measure the numbers of end-users visiting a website, certain pages of a website or the number of end-users of an application” as a “legitimate and useful tool”.

It also explicitly states that “This is not the case, however, regarding cookies and similar identifiers used to determine the nature of who is using the site”.

The aforementioned provisions pulled from Recital 21(a) aren’t new; they were available in the previous proposal published on 4th May.

The latest revisions also propose deletion of Article 10 (which focused on “software placed on the market permitting electronic communications”, e.g. browsers) and recitals 22 and 22(a). Recitals 22 and 22(a) focus on the obligations of browser manufacturers to obtain user consent.

Recital 22 previously laid down the possibility to express “consent by using the appropriate settings of a browser or other application” and recital 22(a) focused on the possibility of using browsers as “gatekeepers”.

Recital 23, which has also been marked for deletion, previously proposed browsers should provide a set of privacy options – “higher, intermediate and lower” – that would signify the extent to which a user would be willing to consent to the storage of different types of cookies on their devices (terminal equipment).

Recital 24, which sought to require browser developers to present users with privacy options upon first installation or next update, has also been marked for deletion.

The motivation behind changes to Article 6 relates to a desire to make the regulation more “future proof”, and the proposed changes introduce a possibility for “further compatible processing of electronic communications metadata” in the new Article 6(2)a.