This blog article was originally published on the TYPES Blog. TYPES is a EU-funded programme under Horizon 2020 whose aim is to support growth in the online advertising industry through trust-enhancing tools and technologies, in the face of the growing popularity of advertising mitigation software such as ad blockers. IAB Europe plays a critical role in this programme, by providing insights and inputs from the digital advertising industry perspective.
Now that the public consultation has been launched for the review of the ePrivacy Directive, it’s interesting to consider the reasons a review is considered necessary. The review was mentioned explicitly in the Commission’s Communication on the Digital Single Market back in May 2015, under the pillar of creating the right conditions for a digital single market. In the Communication, the Commission announced that the review of the Directive would begin after the conclusion of the data protection reform package. The review is now officially underway with both the consultation having started and a first stakeholder workshop having taken place the same week as the data protection reform was adopted.
The General Data Protection Regulation (GDPR) sets out to ensure a high level of protection for personal data mainly from private actors in the information society sphere; the ePrivacy Directive, on the other hand, primarily regulates telecommunications service providers. However, one notable provision has a broader application: the so-called ‘cookie provision’ contained in Article 5 (3). The cookie provision requires users to consent to the storing of or access to information on their devices. While this applies to any technology which stores or accesses data stored on an end-user device, this usually applies to cookies, hence the name. The Directive itself is sometimes even referred to as the ‘Cookie Directive’. In 2009, the provision went from an opt-out requirement to an opt-in consent model. The result is that Internet users across Europe are confronted daily with notices informing them that cookies are being used.
A stark contrast exists in how Member States have implemented the cookie provision into national law. In practice, the most common method used is what is called a ‘cookie banner’ – a banner which shows up at the top or bottom of the page upon first visit, which informs users that cookies are being used for various purposes, like personalised advertising, with a link to a detailed cookie policy. If the user browses further, they thereby indicate their consent. This method can be observed across the EU’s Member States as it is a relatively low effort way for users to consent. They are confronted with a banner, but using the website as they normally would allows them to indicate consent in a natural way, without overly interrupting the browsing experience and taking any overly-distracting or time-consuming action. Privacy-concerned users can still find detailed information and they are informed how to refuse the storage of cookies.
In the Netherlands, such an approach would not suffice, as the consent required under the cookie provision’s implementation requires that users are given an explicit choice to accept or refuse. Further browsing only allows users to accept cookies implicitly, so it does not satisfy the requirement of an explicit action. As a result, users in the Netherlands are confronted with much larger banners with big ‘Accept’ or ‘OK’ buttons. Some websites go as far as to redirect users to a separate landing page to get their consent, then redirecting them to the homepage of the website they intended to visit only once they have given their consent. This is likely an effort to make it extra clear to the Dutch enforcement authorities, who have energetically enforced the country’s strict interpretation, that cookies have not been placed before consent.
In Germany, as far as the user is concerned the complete opposite happens. Cookie banners are extremely rare because German law provides an alternative solution. The German legislator created a special opt-out regime that allows the use of cookies without consent, provided that collected data is immediately pseudonymised, which means that data is scrambled in such a way that users can no longer be identified. Users can go to a website’s privacy policy page to learn more about what is happening and how they can opt-out of the use of cookies. While pseudonymisation is mentioned by the Dutch data protection authority as a method that improves user privacy, it does not affect the requirement of obtaining consent.
There are, of course, arguments in favour and against these approaches.
The Dutch approach might be seen as ensuring that users always know that they are giving consent and what they are consenting to. However, in reality users are confronted with pop-up screens and splash screens multiple times each browsing session, making it completely impractical to read and fully understand these notices. The result is that users tend to block or accept all cookies. There is even a browser extension which has the sole purpose of removing notices about cookies, named “I don’t care about cookies”. Between the two largest web browsers it has a userbase of 85,000.
The German approach might be criticised for not giving users an up-front choice every time they visit a website that uses cookies. but on the other hand it is a good compromise that does not frustrate users with annoying notices, as long as an additional layer of privacy protection is provided. Users can still exercise control after the fact.
The cookie provision is an example of a Directive not achieving proper harmonisation, as the technical and practical solutions were left almost entirely up to national legislators, who in turn left it to data protection authorities. Even the Article 29 Working Party refrains from recommending specific methods of gaining consent for the use of cookies in its Working Paper on the topic, instead outlining requirements to be met. While this allows Member States and publishers alike to come up with creative ways to getting consent, it also creates confusion as to what exactly is required in each Member State and leaves data controllers in a situation of legal uncertainty. In England and Ireland a banner merely has to link to more information and mention that cookies are being used, in France and Belgium the exact purposes of cookies have to be specified, and in Poland the banner merely exists to inform users, but consent is presumed from browsers being set to accept cookies.
The point is that as a company, there is no way to be sure of your cookie-consent policy being acceptable in each Member State without doing research into national implementations. The review needs to critically assess how to ensure a more uniform or practical application of the Directive’s rule. It could even be argued that, as a matter of data protection, it makes more sense to remove rules for specific technologies and allow data processing by cookies to be governed by the GDPR. This would essentially ‘purify’ the ePrivacy Directive and focus its scope solely on telecommunications regulation.