ePD, GDPR, ePR…. Are you also struggling to get a hold of EU legislation on website cookies and user privacy? Don’t worry, here we quickly summarize the EU legislative framework you need to know about when using cookies on your website.
- Which rules apply for website cookies in the EU at this moment?
- ePrivacy: What does the ePrivacy Directive say about cookies?
- When the ePrivacy Directive turns Regulation
- What does the forthcoming ePrivacy Regulation say about cookies?
- Penalties for not complying with the GDPR
- How to become ePrivacy and GDPR compliant
LINK: What is a cookie?
Which rules apply for website cookies in the EU at this moment?
But what do they say about cookies and how do they differ?
- ePrivacy Directive
- The current version of the ePrivacy Directive (ePD) came into effect in 2011 in the EU/EEA countries. It is transposed into national law across the European member states. It clearly states, that websites are obliged to collect their users’ informed consent before the website can store cookies on the users’ devices.
- The General Data Protection Regulation (GDPR)
- The other applicable legislation is the General Data Protection Regulation (GDPR). It was passed in May 2016 and came into effect on May 25, 2018. The GDPR covers all matters concerning the processing of personal data. GDPR specifies that some cookies by default process personal data and thereby are subject to the requirements of the GDPR.
The ePrivacy Regulation (ePR) is currently being negotiated in the EU and will eventually repeal the ePrivacy Directive. The ePR is expected to come into effect in 2020-21.
ePrivacy Directive: What does the ePrivacy Directive say about cookies?
The EU Directive 2002/58/EC (ePrivacy) addresses the use of website cookies. More generally, the Directive concerns the processing of personal data and the protection of privacy in the electronic communications sector.
The Directive contains provisions which are crucial for ensuring the users’ trust in the services and technologies they use for communicating electronically.
It states that*:
- any storing or retrieving of information from an end-user’s device is subject to consent
- the user must receive clear and comprehensive information about the purpose of the storing and retrieving of data
*Revised version of the ePrivacy Directive from 2009 (2009/136/EC)
The requirements hold for both first-party and third-party cookies.
Therefore, you are required to:
- inform your visitors of cookies
- obtain your users’ consent for all types of cookies*
- inform about the possibilities of revoking consent
*except strictly necessary cookies (cookies need to carry out an online communication).
Cookies exempt from consent
Cookies clearly exempt from consent according to EU advisory body on data protection- WP2910 include:
- user-input cookies (session-id) such as first-party cookies to keep track of your user's input when filling online forms, shopping carts, etc.
- authentication cookies used to identify your user once logged in
- user-centric security cookies used to detect authentication abuses
- multimedia content player cookies used to store technical data to play video or audio content
- load-balancing cookies
- user-interface customization cookies such as language or font preferences (whether being first- or third-party cookies)
The GDPR concerns the processing of personal data.
Many cookies process users’ personal data and the processing of this information is subject to the GDPR.
To process personal data, you need a lawful basis, i.e. a legal ground to process data. This can be a legitimate interest, but more often processing is based on consent.
With the GDPR, the definition of informed consent and the requirements associated with it changes significantly from the ePD.
- Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to the user.
GDPR, Recital 32
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
GDPR, Article 7 (3)
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
For all cookies processing personal data it is required that you collect valid consent. The cookies in question are marketing cookies, analytics cookies and other tracking technologies.
Personal data under the GDPR is information which can - directly or indirectly (compared to other data) - identify a user. It can be an IP address, online ID, device ID or location information.
- Collect your users’ active – and explicit – consent to cookies. It’s either a yes or no to cookies.
- Inform your users of which cookies you use; who has access to the data and their lifespan.
- Store consents in case you are subject to investigation by Data Protection Authorities.
Giving informed and unambiguous consent applies to almost all marketing-, targeting-, web-analytic cookies since these store user identifiers which is considered personal data by the GDPR.
Consent collection to the storage of cookies and processing of personal information is thus essential to stay compliant with GDPR if:
- the lawful basis of the processing of personal data when using cookies is based on consent
- personal user data is transferred to third-parties (e.g. through third-party vendors’ cookies)
By doing that, you comply with both the ePrivacy Directive and the GDPR.
When the ePrivacy Directive turns Regulation
The new ePrivacy Regulation (ePR) will repeal the current Privacy and Electronic Communications Directive (ePrivacy Directive) and will be lex specialis to the General Data Protection Regulation (GDPR).
This means that the ePR will be a law governing subject matter (lex specialis) and will override a law governing general matters (lex generalis) in the General Data Protection Regulation (GDPR). Specific rules for cookies described in the ePR will apply rather than general rules from the GDPR.
The ePR will automatically apply uniformly to all EU countries as soon as it enters into force. It does not have to be transposed into national law like a Directive.
What does the forthcoming ePrivacy Regulation say about cookies?
The ePrivacy Regulation will apply to any business or website that:
- Provides any form of online communication service.
- Uses online tracking technologies.
- Engages in electronic direct marketing.
The ePR specifies and complements the GDPR on electronic communications that qualify as personal data regarding the collection of user consents for storing cookies.
The ePrivacy rules, which specify consent as the legal ground for processing, will prevail over other grounds available in the GDPR, such as legitimate interests.
This means that the Regulation will apply to website cookies.
Until the ePrivacy Regulation enters into force, the provisions in the GDPR for processing of personal data will still apply for all data controllers and processors.
Penalties for not complying with the GDPR
The penalties for noncompliance to the GDPR and the ePR are set to a maximum of €20 million or, in the case of a corporation (undertaking) up to 4% of the total worldwide annual turnover, whichever is higher.
Europe has already seen a number of fines in 2019:
- Google is fined €50 million for lack of transparency when giving consent (link)
- Spanish airline Vueling fined €30.000 for not offering users the possibility to decline cookies (link)
- Marketing bureau Bisnode fined €220.000 for not storing consents (link)
And recently, the European Court of Justices ruled – in the case against Planet49 – that websites must collect an active consent for cookies from their users. Silence or pre-ticked boxes in a cookie banner is not considered valid consent.
The French Data Protection Authority CNIL, the British ICO, the Spanish AEPD and the German BayLDA recently updated their cookie requirements.
Become ePrivacy and GDPR compliant today
Do you want to know more about cookies and how to check your website for breaches to data security, see our article with a checklist to collect a valid cookie consent in the era of the GDPR.
You can also get a free assessment of your website’s cookie compliance: Test your website here
Or book a meeting with one of our cookie experts and we’ll help your company website becoming GDPR cookie compliant.