The e-privacy regulation: new rules for analytics cookies

Home » News » The e-privacy regulation: new rules for analytics cookies

On 8 September 2017, the Council of the European Union reviewed the draft of the new e-Privacy Regulation (“EPR”) – previously published by the European Commission on 10 January 2017 -, which allows the use of first-party and third-party analytic cookies without express consent of the end-user.

The relevant legation in this field (Directive 2002/58/EC, hereinafter “e-Privacy Directive” or “EPD”) is indeed undergoing a reform process to align the current legal framework with the technological developments and the new provisions contained in the EU General Data Protection Regulation

Among other changes to the new EPR, the Council has proposed amendments to Article 8, concerning the “Protection of information stored in and related to end-users’ terminal equipment”. Cookies are one of the main examples of technologies which can track users’ behaviour online by reading information on their devices and, since EPD adoption, have been constantly subjected to European and national regulations.

Main Issues

In the European legislation, the main rule concerning the use of tracking technologies is Article 5(3) of the e-Privacy Directive. In Opinion 4/2012, Article 29 Working party (“WP29”) clarified that the above-mentioned article allows cookies to be exempted from the requirement of express and informed consent, if they are used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network” (Criterion A) or if they are “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service” (Criterion B).

In addition, WP29 suggested a further exemption to the required informed consent by considering that “first party analytics cookies are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes, anonymised and equipped with user-friendly opt-out mechanisms” (Criterion C).

Opening up to the use of first-party and third-party analytics surely serves the business needs of companies by introducing a new exception to the express and informed consent of the end-user. Moreover, the absence of any reference in Article 8 of the EPR to “data anonymization”, “privacy by design” and “data minimization” as specified in Opinion 3/2016 seems leading to the conclusion that, for the legislator, analytics do not pose a serious risk for users privacy anymore. However, the same may not be said with regard to profiling technologies for which an express and informed consent is still necessary.

Practical Implications

In conclusion, should the Council revision of the Article 8 of the EPR be deemed appropriate:

  • An express and informed consent will be required only for profiling technologies and not for first-party analytics
  • By default, the required consent will most likely be centralized in software such as internet browsers, apps, smartphones prompting users to freely choose their privacy settings, avoiding the use of banners. 

Source: ICT Legal Consulting  ICT Legal Consulting

News

Cyberwatching will join FIC2020 with two key initiatives aiming at raising awareness on cybersecurity and bringing into the spotlight key services, tools and solutions for European SMEs that can help them react to online threats and become more cybersecure.

Future Events

The Annual Computer Security Applications Conference (ACSAC) will be held in San Juan, Puerto Rico on 9-13 December 2019. 

09/12/2019 to 13/12/2019

CYBERWISER.eu is going to present its cybersecurity training solution at a joint information stand at FIC 2020, in Lille (France), on 28-30 January 2020.

Cybersecurity has become a major priority for organisations to protect themselves against cyberattacks, and due to the rising concerns about data risks to information security, companies of all sizes, and public sector organisations around Europe need trained professionals to help fill skills gap, key for developing cybersecurity processes.

28/01/2020 to 30/01/2020