ePD, GDPR, ePR…. Are you also struggling to get a hold of EU legislation on website cookies and user privacy? Don’t worry, here we quickly summarize the EU legislative framework you need to know about when using cookies on your website.
This article contains:
If your website places cookies on your users’ devices and if some of them process personal data, there are certain EU regulations you need to be aware of to be able to respect the privacy of your visitors.
LINK: What is a cookie?
Which rules apply for website cookies in the EU at this moment?
Current EU law requirements for cookies derive from the ePrivacy Directive (ePD) and the General Data Protection Regulation (GDPR). But what do they say about cookies and how do they differ?
The current version of the ePrivacy Directive (ePD) came into effect in 2011 in the EU/EEA countries. It clearly states, that websites are obliged to collect their users’ informed consent before the website can store cookies on the users’ devices.
Because the requirements were set forth in a directive, it required each Member State to transpose the directive into national law. The national laws which transpose the directive are available here:
The other applicable legislation is the General Data Protection Regulation (GDPR). It was passed in May, 2016 and came into effect on May 25, 2018. The GDPR covers all matters concerning the processing of personal data.
Although the GDPR for the most part is technologically neutral, it clearly specifies that some cookies by nature will process personal data and thereby are subject to the requirements of the GDPR.
An ePrivacy Regulation (ePR) is currently being negotiated in the EU and will eventually repeal the ePD. The ePR is expected to come into effect in 2021-22.
ePrivacy Directive and website cookies? What does it really say?
The EU Directive 2002/58/EC (ePrivacy) addresses the use of website cookies. More generally, the Directive concerns the processing of personal data and the protection of privacy in the electronic communications sector. The Directive contains provisions which are crucial for ensuring the users’ trust in the services and technologies they use for communicating electronically.
The revised version of the ePrivacy Directive 2009/136/EC states that any storing or retrieving of information from an end-user’s device is subject to consent unless it is technically necessary for the intended communication to take place. In order for this to occur, the user must receive clear and comprehensive information about the purpose of data storing and retrieving. These requirements apply to cookies stored on the end-user’s terminal equipment (e.g. computer, phone etc.).
The requirements hold for both first-party and third-party cookies. This means that end-user consent must be given to all types of cookies and that website owners are responsible for the collection of user consents.
However, there is an exception to the rule. If a cookie is absolutely necessary for the provision of a service requested by the user – or if information storage has the sole purpose of carrying out an online communication – end-user consent is not necessary.
Cookies clearly exempt from consent according to EU advisory body on data protection- WP2910 include:
- user-input cookies (session-id) such as first-party cookies to keep track of the user's input when filling online forms, shopping carts, etc.
- authentication cookies used to identify the user once he/she has logged
- user-centric security cookies used to detect authentication abuses
- multimedia content player cookies used to store technical data to play video or audio content
- load-balancing cookies
- user-interface customization cookies such as language or font preferences (whether being first- or third-party cookies)
GDPR and personal data. How are cookies affected?
Under the GDPR, the definition of informed consent and the requirements associated with it changes significantly from the ePD. Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to the user.
GDPR – cookie consent requirements GDPR, Recital 32
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
GDPR, Article 7 (3)
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
Giving informed and unambiguous consent applies to almost all marketing-, targeting-, web-analytic cookies since these store user identifiers which is considered personal data by the GDPR.
Consent collection to the storage of cookies and processing of personal information is thus essential to stay compliant with GDPR if:
- the lawful basis of the processing of personal data when using cookies is based on consent
- personal user data is transferred to third-parties (e.g. through third-party vendors’ cookies)
The GDPR consent requirements to cookie usage on websites can be summed up to the following:
- Inform users about the data processing that occurs when using cookies
- Give the users a real choice when it comes to the usage of cookies. Offer the user the option to accept or decline cookies.
- Collect informed consent prior to placing cookies. Do not set cookies on the users’ computer or phone before consent is obtained.
- Provide the mechanism for remembering the users’ settings and for the user to withdraw consent directly on your website
- Keep evidence that consent occurred (even if a consent has been withdrawn) by keeping records of consents
To sum up, cookie consent collection is essential to comply with both the GDPR and the ePrivacy Directive.
When the ePrivacy Directive turns Regulation
The new ePrivacy Regulation (ePR) will repeal the current Privacy and Electronic Communications Directive (ePrivacy Directive) and is lex specialis to the General Data Protection Regulation (GDPR). This means that the ePR will be a law governing subject matter (lex specialis) and will override a law governing general matters (lex generalis) in the General Data Protection Regulation (GDPR). The ePR will be an EU regulation and will automatically apply uniformly to all EU countries as soon as it enters into force. It does not have to be transposed into national law like a Directive.
The ePR specifies and complements the GDPR on electronic communications that qualify as personal data regarding the collection of user consents for storing cookies. The ePrivacy rules, which specify consent as the legal ground for processing, will prevail over other grounds available in the GDPR, such as legitimate interests.
What does the forthcoming ePrivacy Regulation say about cookies?
The ePR will apply to any business that provides any form of online communication service; uses online tracking technologies; or engages in electronic direct marketing. This means that the Regulation will apply to website cookies.
At the moment, EU co-legislators have failed to reach an agreement on key issues such as
access to specific website content made conditional on the consent to the storage of a cookie; whether browsers are allowed to block tracking by default; or which exceptions apply to consent requirements.
So far, the negotiations have been difficult and are currently postponed till the second half of 2019 after the European Parliament elections in May 2019. The ePR was intended to come into effect on May 25, 2018, but realistically will probably not be enforced before 2021-2022.
However, even though the ePrivacy Regulation is not yet effectuated, general data protection rules still apply to website owners.
Penalties for noncompliance
The penalties for noncompliance to the GDPR and the ePR are set to a maximum of €20 million or, in the case of a corporation (undertaking) up to 4% of the total worldwide annual turnover, whichever is higher.
This was the case with the fine to Google for not complying with the GDPR. On January 21, 2019, the French Data Protection Authority (CNIL) imposed a financial penalty of 50 Million euros on Google - in accordance with the General Data Protection Regulation (GDPR) - for lack of transparency, insufficient information and lack of valid consent concerning personalization of ads.
More on Google’s CNIL fine: Google penalty - What are the implications for collection of cookie consents?
Moreover, the Data Protection Authority (DPA) of the German state of Bavaria announced in February 2019 that it was considering fining a number of companies under the GDPR for their website cookie practices. The Bavarian DPA’s action potentially signals that cookies, user tracking and online advertising are priority issues for companies irrespective of their industry – and one that may result in GDPR fines.
Is your website GDPR compliant?
Now you can get an assessment of your website's GDPR cookie compliance [free].
Fill out the form, and we will get back to you with a complete assessment on whether your website pass the requirements in the GDPR concerning cookies.