The ePrivacy Regulation will likely be finalized by 2019 and will repeal the ePrivacy Directive, which is colloquially referred to as the “cookie law”.
While the General Data Protection Regulation (GDPR) legislates on personal data, the ePrivacy Regulation is more concerned with electronic communications and the privacy implications of their transmission.
According to Recital 2 of the ePrivacy Regulation, its provisions are intended to “particularise and complement” the rules on personal data provided by the GDPR by “translating its principles into specific rules.”
In practical terms, and in terms of what is most likely to interest individuals and organizations, it regulates topics including direct marketing, the transmission of communications between devices, browsers and cookies.
Interestingly, and unlike the GDPR, it also specifically references “web measurement,” which will be of particular interest to webmasters who are unclear on the extent to which the GDPR applies to web measurement platforms like Google Analytics.
Article 8(d) of the ePrivacy proposal (as published by the Council of the European Union on 4th May, 2018) is of particular importance, and states:
“…the collection of information from end-users’ terminal equipment…shall be prohibited, except…[when] it is necessary for audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user or by a third party on behalf of the provider of the information society service.”
“‘service’ means any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.”
Article 8(1)(d) of the ePrivacy proposal also sets down a condition: websites relying on Article 8(1)(d) must meet the provisions of Article 28 of the GDPR.
However, Recital 20 of the ePrivacy proposal arguably adds some confusion to the mix, and states:
“Techniques that surreptitiously monitor the actions of end-users, for example by tracking their activities online or the location of their terminal equipment, or subvert the operation of the end-users’ terminal equipment pose a serious threat to the privacy of end-users. Therefore, any such interference with the end-user’s terminal equipment should be allowed only with the end-user’s consent and for specific and transparent purposes.”
Interestingly, Recital 20 also states, “Access to specific website content may still be made conditional on the consent to the storage of a cookie or similar identifier” and provides further information on when this is or is not acceptable.
A number of organizations, in implementing consent management platforms to comply with the GDPR, have made access to their websites conditional on whether a user consents to the setting of cookies.
Recital 21(a) also refers to cookies for tracking purposes and states:
“Cookies can also be a legitimate and useful tool, for example, in assessing the effectiveness of a delivered information society service, for example of website design and advertising or by helping to measure the numbers of end-users visiting a website, certain pages of a website or the number of end-users of an application. This is not the case, however, regarding cookies and similar identifiers used to determine the nature of who is using the site.”
Following the enactment of the GDPR on 25th May, organizations have taken steps to configure Google Analytics to better protect personal data or personally identifiable data.
These steps include modifying retention settings, anonymizing IP addresses, presenting consent messages and utilizing Analytics’ new user deletion API.