The e-privacy regulation: new rules for analytics cookies

On 8 September 2017, the Council of the European Union reviewed the draft of the new e-Privacy Regulation (“EPR”) – previously published by the European Commission on 10 January 2017 -, which allows the use of first-party and third-party analytic cookies without express consent of the end-user.

The relevant legation in this field (Directive 2002/58/EC, hereinafter “e-Privacy Directive” or “EPD”) is indeed undergoing a reform process to align the current legal framework with the technological developments and the new provisions contained in the EU General Data Protection Regulation

Among other changes to the new EPR, the Council has proposed amendments to Article 8, concerning the “Protection of information stored in and related to end-users’ terminal equipment”. Cookies are one of the main examples of technologies which can track users’ behaviour online by reading information on their devices and, since EPD adoption, have been constantly subjected to European and national regulations.

Main Issues

In the European legislation, the main rule concerning the use of tracking technologies is Article 5(3) of the e-Privacy Directive. In Opinion 4/2012, Article 29 Working party (“WP29”) clarified that the above-mentioned article allows cookies to be exempted from the requirement of express and informed consent, if they are used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network” (Criterion A) or if they are “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service” (Criterion B).

In addition, WP29 suggested a further exemption to the required informed consent by considering that “first party analytics cookies are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes, anonymised and equipped with user-friendly opt-out mechanisms” (Criterion C).

Opening up to the use of first-party and third-party analytics surely serves the business needs of companies by introducing a new exception to the express and informed consent of the end-user. Moreover, the absence of any reference in Article 8 of the EPR to “data anonymization”, “privacy by design” and “data minimization” as specified in Opinion 3/2016 seems leading to the conclusion that, for the legislator, analytics do not pose a serious risk for users privacy anymore. However, the same may not be said with regard to profiling technologies for which an express and informed consent is still necessary.

Practical Implications

In conclusion, should the Council revision of the Article 8 of the EPR be deemed appropriate:

• An express and informed consent will be required only for profiling technologies and not for first-party analytics
• By default, the required consent will most likely be centralized in software such as internet browsers, apps, smartphones prompting users to freely choose their privacy settings, avoiding the use of banners. 

Source:   ICT Legal Consulting