Remember last May when our favorite sites were suddenly asking our consent to collect cookie information? The answer given by the media and other experts for this flurry of cookie consent pop-ups was this was a result of the General Data Protection Regulation (GDPR). That’s partially true.
The real answer is far more interesting, and involves another less-publicized EU privacy law, the Privacy and Electronic Communications Directive (PECD).
The PECD is better known as the ePrivacy Directive. Never heard of it? Nothing to be embarrassed about. The ePrivacy Directory has, unfortunately, been eclipsed in the headlines by the far more famous GDPR law. But it’s worth getting to know it a little better.
The Key Differences Between GDPR and ePrivacy Directive
In effect since 2002, the ePrivacy Directive (ePD) is focused on protecting privacy and security of personal data in electronic communications. You can think of it as a specialization of the more general EU data laws but for ISPs and cell carriers, as well as older telcos.
The ePD includes language requiring providers to secure the data they carry by taking “appropriate technical and organisational measures to safeguard security of its services” (Article 4.1) and ensure the confidentiality of the communications by prohibiting “listening, tapping, storage … without the consent of the users concerned” (Article 5.1).
Like its EU data law cousin, the ePD also calls for minimizing the collection and processing of personal data. The ePD certainly goes into the communication weeds by specifically calling out “traffic data” or routing data — the telco version of metadata — and requiring it to be protected as well.
In 2009, ePD was updated, and one of the new requirements was for personal data breach reporting. Overall, you can think of the ePD as a set of rules that parallel the former Data Protection Directive (DPD) and newer GDPR, but delving into communications details as needed.
Lawyers say that ePD is lex specialis, referring to specific content, and overrides a more general law, lex specialis, which in our case is the GDPR.
With the 2009 update, the ePD took on the name of The Cookie Law because it explicitly required consent from users to process their web cookies. Actually, the ePD does make an exception for cookies that are strictly necessary for legitimate purposes. But more intrusive cookies for monitoring or targeting consumers squarely fall under the Cookie Law.
Anyone who has ever browsed EU web sites before the GDPR is no doubt familiar with the Cookie Law: you’ve probably noticed the lower banner reminding you that cookies are collected and your use of site implies consent. Hold that thought.
The key takeaways in terms of contrasting the ePD with the GDPR are: (1) ePD is focused on communications, and (2) ePD covers more than personal data, specifically web cookies and traffic data.
ePD Meets GDPR
With the above as background, we can now understand some of the confusion surrounding cookies with the launch of the GDPR last May. US and other non-EU companies were furiously updating their websites in the spring of 2018 to remain compliant.
Now it becomes confusing.
The GDPR doesn’t directly impact cookies. In fact, cookies are mentioned in only one place: in the preamble or recitals section of this enormous law. However, the GDPR does require in general that “unambiguous consent” be given when collecting data.
In this case, the data being collected is a web cookie and so now requires, under the GDPR, an explicit click on an accept button to gain true consent from the user.
My dime-store analysis is that you refer to the general law, GDPR, to interpret consent where this overarching principle is brought up. But then you dig into the ePD for more details about cookies. So any violations by EU-based companies involving cookies would not fall under the GDPR but the ePD, which has the lex specialis.
Anway, the new GDPR definition of consent is far more explicit than it was in the older Data Protection Directive (DPD) – it now has to be “unambiguous”. And this explains why we see cookie consent broken down into separate categories on many websites (below).
The next question is why did non-EU companies also have to update their cookie consent processing for their websites last May?
As near I can tell, the GDPR’s territorial scope kicks in. If you look at Article 3, a company that monitors behavior of users in the EU is covered under the GDPR! And cookies or at least some types of cookies are certainly capturing user behavior. In short: US companies fall under the GDPR with respect to cookies, but not the ePD!
If you’re confused about which EU law applies, you join lots of attorneys who are also pondering this same issue. In March, the European Data Protection Board (EDPB), which is a super-regulatory body overseeing the separate national supervisory bodies, issued an opinion to explain the criteria for either the GDPR or ePD to come into play. It’s not easy reading.
The ePrivacy Regulation and Over-the-Top Communication
Now for even more confusion. Just as the Data Protection Directive transformed into the General Protection Regulation creating a more uniform data law across the EU, the ePrivacy Directive is undergoing a similar metamorphosis.
That’s right, an ePrivacy Regulation or ePR is currently in the works. We likely won’t see this go into effect until 2021 as the details are still being worked out and the law will have go through the grueling EU approval process.
Like the GDPR, the ePR will have its own extraterritorial rules. US companies with websites will eventually find themselves directly under the ePR.
And if companies violate these cookie rules, they can face stiff GDPR-like fines of up to 4% of global revenue.
One very positive aspect for both consumers and companies is that under the ePR the cookie consent process will be streamlined. The current draft includes rules for centralizing cookie setting in software as a way to avoid those annoying cookie banners.
In short: the web servers will directly read the cookie permission options that users have configured, say, in their browsers and make life easier for users.
One more thing.
The ePR updates the ePD by covering a much larger class of communications, which includes web messaging, Voice Over IP (VoIP), chat, as well as web-based email services. The ePR refers to this as Over-the-Top (OTT) communications. Remember this term, you’ll be hearing more about it.
As purely practical matter, WhatsApp, Skype, Slack, and lots of other smaller companies offering similar communications services would fall under the ePR.
The ePR essentially carries forward the ePD but with stricter rules for securing electronic communications — for example, requiring messages to be erased or anonymized after they’ve been received.
Bottom line: US next-gen communication and messaging providers, which have long been doing business in a regulatory-free zone, will soon face tougher privacy and security rules and penalties.
Think that your company has nothing to do with communications or OTT and will escape the long reach of the ePR?
Think again! Any company that offers its own built-in chat or specialized messaging services to its customers would in effect by providing OTT. And so corporate IT groups may soon find themselves under additional compliance rules if they want to provide OTT to their EU customers.
While the ePR will in some ways simplify cookie rules, it will still be have complex interactions with the GDPR. The ePR rules have not been completely worked out, and so we’ll keep you posted as the ePR gets closer to its final form.