The e-privacy regulation: new rules for analytics cookies

On 8 September 2017, the Council of the European Union reviewed the draft of the new e-Privacy Regulation (“EPR”), previously published by the European Commission on 10 January 2017, which allows the use of first-party and third-party analytics cookies without the express consent of the end-user.

The relevant legislation in this field (Directive 2002/58/EC, hereinafter “e-Privacy Directive” or “EPD”) is undergoing a reform process to align the current legal framework with technological developments and with the new provisions contained in the EU General Data Protection Regulation.

Among other changes to the new EPR, the Council has proposed amendments to Article 8, concerning the “Protection of information stored in and related to end-users’ terminal equipment”. Cookies are one of the main examples of technologies that can track users’ behaviour online by reading information on their devices and, since the EPD's adoption, they have been constantly subject to European and national regulation.

Main Issues

In European legislation, the main rule concerning the use of tracking technologies is Article 5(3) of the e-Privacy Directive. In Opinion 4/2012, the Article 29 Working Party (“WP29”) clarified that this article allows cookies to be exempted from the requirement of express and informed consent if they are used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network” (Criterion A) or if they are “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service” (Criterion B).

In addition, WP29 suggested a further exemption to the required informed consent by considering that “first party analytics cookies are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes, anonymised and equipped with user-friendly opt-out mechanisms” (Criterion C).

Opening up to the use of first-party and third-party analytics surely serves the business needs of companies by introducing a new exception to the express and informed consent of the end-user. Moreover, the absence of any reference in Article 8 of the EPR to “data anonymization”, “privacy by design” and “data minimization”, as specified in Opinion 3/2016, seems to lead to the conclusion that, for the legislator, analytics no longer pose a serious risk to users’ privacy. However, the same may not be said of profiling technologies, for which express and informed consent is still necessary.

Practical Implications

In conclusion, should the Council's revision of Article 8 of the EPR be deemed appropriate:

  • Express and informed consent will be required only for profiling technologies and not for first-party analytics.
  • By default, the required consent will most likely be centralized in software such as internet browsers, apps and smartphones, which will prompt users to freely choose their privacy settings, avoiding the use of banners.

Source: ICT Legal Consulting
