Cookies and Consent – An update on developments in the EU’s Draft e-Privacy Regulation
The EU’s e-Privacy Regulation was supposed to take effect alongside the General Data Protection Regulation in May 2018. The e-Privacy Regulation covers not only personal data but all access of a user’s equipment, which is usually made in relation to the placement of cookies, as well as issues relating to the use of email for commercial marketing and telecommunications. As the GDPR was required to ensure personal data was protected in the increasingly digital world, so the EU’s current e-Privacy regime has been identified as in need of an update. As the EU reaches its 18-month milestone under GDPR, the e-Privacy Regulation remains in draft. While reports of its death were greatly exaggerated, 18 months on the proposed Regulation remains in the EU Council where it has undergone various revisions under various Council Presidencies amidst wrangling over cookies, the precise scope of the Regulation and consistency with the GDPR, amongst other things. The latest draft, which was issued by the Finnish Presidency on 18 September 2019 and is currently being examined by the Council’s Working Party on Telecommunications and Information Society (WP TELE), suggests, however, that progress is being made towards a clearer, more workable e-privacy regime, more aligned with the GDPR than the e-Privacy Directive it seeks to replace.
When the European Commission adopted its proposal for a Regulation on Privacy and Electronic Communications (e-Privacy Regulation) in January 2017 to replace the current e-Privacy Directive (2002/58/EC), its stated aim was to update the current rules by extending their scope to all electronic communications providers, and "to create new possibilities to process communication data and reinforce trust and security in the Digital Single Market". At the same time, it would align the rules for electronic communications with the GDPR. Despite the Commission calling on the EU institutions to "work swiftly" to ensure the Regulation was ready by May 2018, the proposal stalled amidst concerns over how the Regulation would interact with new technologies; the need to address the issue of child imagery online; the use of content and metadata for analytics, profiling, behavioural advertising or other commercial purposes; the treatment of GPS location data; cookie consents; and the scope of protections against direct marketing, to name but a few.
Positives and negatives
The latest Presidency compromise text introduces a number of significant changes aimed at addressing some of these concerns. These include a new provision on processing of electronic communications data for the purpose of detecting, deleting and reporting material constituting child pornography.
The latest text also redefines direct marketing very broadly as “any form of advertising, whether written or oral, sent
or presented via a publicly available electronic communications service directly to one or more identified or identifiable specific end-users of electronic communications services, including the placing of voice-to-voice calls, the use of automated calling and communication systems with or without human interaction, electronic
Electronic communications metadata
The latest compromise text also introduces more flexibility in the proposal by including a possibility for further compatible processing of electronic communications metadata. Additionally, further clarification as to scope comes in response to calls for further modifications in relation to information security measures, which should not be prohibited by the Regulation, and this not only for providers of electronic communications networks and services but also for end-users or third parties taking such measures on their behalf. The text now includes a specific provision clarifying that the Regulation does not apply to electronic communications metadata processed by the end-users concerned or by a third party entrusted by them to record, store or otherwise process their electronic communications metadata.
The soft opt-in
Under the compromise text, it remains the general rule that business-to-consumer direct marketing through electronic communications services requires consent. The soft opt-in exception to the general rule remains substantively the same as in previous drafts. Where a customer's electronic contact details have been obtained as a result of a sale of a product or a service, then the seller will not need to obtain the customers' consent to use such contact details for direct (first-party) marketing of its own similar products or services, provided customers are "clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use". This right to opt out must be given at the time of collection of the customer’s contact details and each time a message is sent.
Direct marketers will therefore be disappointed that in the latest text the soft opt-in remains harder than that under e-Privacy Directive in that it applies only to a sale and does not extend to negotiations for a sale. Of further concern to the direct marketing industry, the Finnish Presidency has now introduced a provision requiring Member States to set a time limit for the use of the soft opt-in.
The Council’s position on consent has been supported this month by the CJEU’s finding in Verbraucherzentrale Bundesverband eV v. Planet49 GmbH (C‑673/17), (the Planet49 case) that pre-ticked checkboxes are not sufficient to demonstrate the “active” consent of a user under article 7 of the GDPR. As the current draft proposal of the e-Privacy regulation mirrors the definition of consent in the GDPR, the ruling has implications for the interpretation of consent within the e-Privacy Regulation once enacted. Whilst this element of the ruling confirms the current understanding of how consent should be interpreted, two elements of the judgment warrant further consideration and raise potential action points for organisations:
Firstly, the decision clarifies that consent for different processing purposes must be kept separate and that blanket consent for all purposes is not sufficient. Service providers must therefore ensure that separate consents are being obtained for separate processing purposes. Secondly, and most significantly, the judgment makes clear that the requirement to provide “clear and comprehensive information” must extend to the duration cookies will operate for and whether or not third parties will be able to access them, before consent is received. Service providers may therefore need to provide more detailed cookie banners providing necessary information relating to third-party access and the duration of the cookies, potentially disrupting the end user experience.
So it is clear that progress has been made, but the road to recovery for the Commission’s ailing proposal is a long one and there are likely to be further significant changes before the Council adopts a common position to set before the European Parliament. In doing so, it will have to address some of the outstanding open issues, including the debate over browser consent, with the privacy by default provision in Article 10, which was deleted in an earlier revision, being “still open for discussion”; and the structure of cookie consents, which in its recently updated guidance on cookies, the UK’s ICO accepts has given rise to “differing opinions as well as practical considerations around the use of partial cookie walls”. That is a position echoed by if not aligned with the view of the Federation of European Direct and Interactive Marketing (FEDMA) that cookie consent should not focus on GDPR level consent which “is likely to have strong impact on user’s experience (consent fatigue). The general approach of the article could be rethought more in line with the risk-based approach of the GDPR.” Despite these concerns, following the Planet49 ruling, the CJEU position is, as has been proposed by the ICO in particular, now fully aligned with the current consent regime under GDPR and the mirroring consent provisions of the latest proposed draft of the e-Privacy Regulation. These points are fundamental to the health and success of the ePrivacy regime, so the prognosis for recovery under a Council’s common position by the end of this year remains optimistic, but even then formal adoption of the Regulation remains some way off.