The European Commission recently proposed new regulations that will align privacy rules for electronic communications with the much-anticipated General Data Protection Regulation (GDPR) (the GDPR was fully adopted in May 2016 and goes into effect in May 2018). Referred to as the Regulation on Privacy and Electronic Communications or “ePrivacy” regulation, these final additions to the EU’s new data protection framework make a number of important changes, including expanding privacy protections to over-the-top applications (like WhatsApp and Skype), requiring consent before metadata can be processed, and providing additional restrictions on spam. But the provisions relating to “cookies” and the tracking of consumers’ online activity are particularly interesting and apply to a wide range of companies.
Cookies are small data files stored on a user’s computer or mobile device by a web browser. The files help websites remember information about the user and track a user’s online activity. Under the EU’s current ePrivacy Directive, a company must get a user’s specific consent before a cookie can be stored and accessed. While well-intentioned, this provision has caused frustration and resulted in consumers facing frequent pop-up windows (requesting consent) as they surf the Internet.
Many commentators have noted that the practical application of these new cookie provisions is not 100% clear. For example, Jennifer Baker from The Privacy Advisor (IAPP) has argued that enabling “Do-Not-Track” is positive and the feature “should be enabled by default,” but admitted that “[h]ow this will work in practice remains to be seen.” In addition, Jessica Davies from Digiday has questioned whether the rules could have unintended consequences, such as resulting in more pop-ups, not fewer – stating that “if users opt against allowing most cookies, then publishers may have to issue a pop-up every time the users visit their site to inform them that they need to give permission first.” (See also concerns raised by Joon Ian Wong at Quartz that the rules could actually put users “back where they started.”)
More broadly, the ePrivacy rules also adopt a number of important principles from the GDPR. For example, as Polly Ralph from PWC explains, the ePrivacy regulations have an “extra-territorial reach” and apply to “entities anywhere in the world who provide publicly-available ‘electronic communications services’ to, or gather data from the devices of, users in the EU (irrespective of where the provider is located, or where the processing takes place)” – such as “an online fashion retailer based wholly in Singapore, sending marketing emails to its European customer base.”
The new ePrivacy proposal has not yet been adopted and must now go before the European Parliament and the EU’s Council of Ministers. The goal of the Commission is for the regulations to go into effect at the same time as the GDPR – May 2018 – and provide a single set of rules across the EU (the GDPR was fully adopted in May 2016).