The ePrivacy Regulation will likely be finalised by 2019 and will revoke the ePrivacy Directive, which is also referred to as the “cookie law”.
While the General Data Protection Regulation (GDPR) legislates on personal data, the ePrivacy regulation is more concerned with electronic communications and the privacy implications of their transmission.
According to Recital 2 of the ePrivacy regulation, the provisions laid down by the ePrivacy regulation are intended to “particularise and complement” the rules on personal data provided by the GDPR by “translating its principles into specific rules.”
In a practical sense, and in terms of what’s most likely to be of interest to individuals and organisations, the ePrivacy Regulation covers topics including direct marketing, the transmission of communications between devices, browsers and cookies.
Interestingly, and unlike the GDPR, it also specifically references “web measurement,” which will be of particular interest to webmasters and marketers who are unclear on the extent to which GDPR applies to web measurement platforms like Google Analytics and Adobe Marketing Cloud.
Article 8(d) of the ePrivacy proposal (as published by the Council of the European Union on 4th May, 2018) is of particular importance, and states:
“…the collection of information from end-users’ terminal equipment…shall be prohibited, except…[when] it is necessary for audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user or by a third party on behalf of the provider of the information society service.”
However, Recital 20 of the ePrivacy proposal arguably adds some confusion to the mix, and states:
“Techniques that surreptitiously monitor the actions of end-users, for example by tracking their activities online or the location of their terminal equipment, or subvert the operation of the end-users’ terminal equipment pose a serious threat to the privacy of end-users. Therefore, any such interference with the end-user’s terminal equipment should be allowed only with the end-user’s consent and for specific and transparent purposes.”
Interestingly, Recital 20 also states, “Access to specific website content may still be made conditional on the consent to the storage of a cookie or similar identifier” and provides further information on when this is or is not acceptable.
A number of organisations, in implementing consent management platforms to comply with the GDPR, have made access to their websites conditional on whether a user consents to the setting of cookies.
Recital 21(a) also refers to cookies for tracking purposes and states:
“Cookies can also be a legitimate and useful tool, for example, in assessing the effectiveness of a delivered information society service, for example of website design and advertising or by helping to measure the numbers of end-users visiting a website, certain pages of a website or the number of end-users of an application. This is not the case, however, regarding cookies and similar identifiers used to determine the nature of who is using the site.”
Following the enactment of the GDPR on 25th May, some organisations have already taken steps to configure their web analytics tools to better protect personal data or personally identifiable data, such as modifying retention settings, anonymising IP addresses, presenting consent messages and utilising Analytics’ new user deletion API.
Confused? Well, we have a bit of time to get our heads round all of this, so watch this space or get in touch if you want to chat about it.