This website makes use of Google Analytics cookies.
For more information on how to block such cookies, please read our cookie policy.
By using this website, you agree to the use of cookies as explained in the cookie policy.

Our Focus

Proposed ePrivacy Regulation

The ePrivacy Directive (Directive 2002/58/EC), also nicknamed the “Cookie Directive” because of its rules on storing and accessing data on a users’ device, such as so-called Internet cookies, is a directive primarily regulating the processing of personal data in the electronic communications sector, i.e. by telecommunications providers. The ePrivacy Directive (ePD) is of importance to the digital advertising industry because of the aforementioned rules on cookies, which are of general application and not limited to the electronic communications sector. Cookies play an important role in websites delivering a personalised experience, including relevant advertising. The ePrivacy Directive stipulates that member states must create rules that require website operators to inform the user concerned about the use of cookies and obtain their consent for the use of (most) cookies. Now, the Commission has proposed repealing and replacing the Directive with an ePrivacy Regulation. As a matter of EU law, Regulations can be relied upon directly by citizens, meaning that EU Member States no longer have a role in interpreting its application to fit within their national legal order. In its current form, the Regulation would require the consent of users in line with the rules of the General Data Protection Regulation for the lawful use of cookies, advertising identifiers (e.g. IDFA and AAID), device fingerprinting, etc. to collect information (not just personal data) and to deliver targeted advertising. The proposed Regulation would also mandate browsers and other software to provide the option to actively prevent data collection through cookies et al., and to force users to make a choice as to their privacy preferences during installation. This would be the case not just for web browsers, but for any application or device which can connect to the internet. For more information on the political and legal aspects of the proposal, check out IAB Europe’s ‘Cookie Regulation FAQ’, along with IAB Europe’s (updated: October 2018) position paper on the proposed ePrivacy Regulation below.

Q: What is the ePrivacy Regulation?

A: The ePrivacy Regulation is a proposed law of the European Union to replace the existing ePrivacy Directive. The directive is usually referred to as the Cookie Directive, as it requires websites to ask its users for their consent to the use of cookies and similar identifiers. As a regulation, the new cookie law will be directly applicable in its entirety without the need for Member States to enact national laws transposing the rules. This means that there will only be one cookie law in the EU without any national margin for discretion when implementing the rules. Directives, on the other hand, have to be implemented at the national level by the governments of each EU Member State. To see how the Cookie Directive is currently implemented in EU Member States.

Q: How will the consent rule change under the ePrivacy Regulation?

A: If the new ePrivacy Regulation became law in its current form, it would require the consent of users in line with the rules of the General Data Protection Regulation for the lawful use of cookies, advertising identifiers (e.g. IDFA and AAID), device fingerprinting, etc. to collect information (not just personal data) and to deliver targeted advertising.

Q: Are there any exceptions to this rule?

A: The new cookie rules would permit collecting information for first party web audience measurement without the consent of the user. The proposal also clarifies that configuration checks to determine whether a user can receive content requested, which can include a user’s ability to view advertising, does not require consent. Cookies et al. necessary for the functioning of a service (e.g. providing shopping cart functionality) remain exempted from the consent requirement, as was the case under the old Cookie Directive. In effect this clarifies that first party analytics and ad block detection methods are now exempted from the consent rule, too. It should be noted that the General Data Protection Regulation still applies to the processing of personal data, even where its collection is exempted from the scope of the ePrivacy Regulation.

Q: What else is new under the ePrivacy Regulation?

A: The ePrivacy Regulation would introduce rules allowing users to set general privacy preferences in their browsers and other software, which would be binding on and enforceable against any other person. In addition, the regulation would mandate browsers and other software to provide the option to actively prevent data collection through cookies et al., and to force users to make a choice as to their preference during set up.

Q: When will this become law? How does the lawmaking process work?

A: An agreement must now be found between Members of the European Parliament and Member States’ governments in the Council of the European Union, both of whom can make changes to the proposed text. This procedure is known as the Ordinary Legislative Procedure. A compromise between the two co-legislators will most likely be reached informally in so-called trilogue negotiations between representatives of the Council and the Parliament with input from the Commission.  Below, you can see a diagram showing the process in more detail.

Q: What’s a trilogue negotiation?

A: Trilogue negotiations occur after both the Parliament and the Council have prepared their initial positions, as outlined in the diagram above. Due to time limits which apply only later during the ordinary legislative procedure, the co-legislators usually seek to come to an informal agreement before the Parliament and the Council formally vote on a proposal for the first time. After the Parliament and the Council vote on a draft law for the first time, strict time limits will apply for the second and third rounds of votes.

For this reason, the representatives of the co-legislators meet with representatives from the Commission informally to agree before this part of the process.

Q: Who gets to have a say during the legislative process?

A: In the Parliament, the Committee on Civil Liberties, Justice and Home Affairs (LIBE) will take the lead on the draft law. The center-left group of Socialists and Democrats in the European Parliament has secured rapporteurship on the file. The group has appointed Marju Lauristin, an Estonian MEP who has previously worked on the GDPR, to take charge of compiling an amended version of the law (legislative report) that can find support by a majority of parliamentarians. The Parliament as a whole will then vote to approve or disapprove this report in a plenary session.

The Committee on Internal Market and Consumer Protection (IMCO), the Committee on Industry, Research and Energy (ITRE), and the Committee on Legal Affairs (JURI) will contribute to the lead committee’s work with non-binding opinions. Despite being non-binding, ideas suggested in these opinions can be taken over by the rapporteur of the legislative report.

In the Council, the proposal will be dealt with by the Working Party on Telecommunications and Information Society (TELECOM) and ultimately voted on by national ministers in the Transport, Telecommunications and Energy Council configuration.

Q:When can we expect the co-legislators to reach a compromise? Are there any deadlines that have to be met?

A: The Commission’s intention is that the ePrivacy Regulation will become applicable at the same time as the General Data Protection Regulation in May 2018. However, it is not certain that this timeline can be met. Definitions of the ePrivacy Regulation hinge on the European Electronic Communications Code, which is in the legislative process right now and is not expected to be finalized before the end of the year. In addition, just like with the General Data Protection Regulation, the debate on this draft law is likely going to be contentious with many different interests having to be balanced, which may slow down the process. The average time frame for adoption of a European law is 18 months.

As explained above, there are no official deadlines until both co-legislators have held their first formal vote on a draft law in the ordinary legislative procedure. Once an informal agreement has been reached, it still takes time for the law to be drawn up in each of the languages, and for the co-legislators to formally vote on the law. This process took almost half a year for the GDPR. Realistically, the negotiations on the ePrivacy Regulation would have to be done and dusted by the end of 2017 if the deadline proposed by the Commission were to be met.

Lines (1)