The ePR is more than just another ‘cookie monster’

13 Mar 2019

It won’t be long before the ePrivacy Regulation will come into force throughout the EU. ‘Isn’t the GDPR enough trouble as it is?’ and ‘What about the ePrivacy Directive that has been in force for years?‘ are just some of the obvious questions we have come across lately. It will be just as obvious that the answers go beyond a simple ‘yes’ or ‘no’. Let us try to shed some light on this issue.

Harmonization and modernization

First of all, unlike directives, a regulation has direct effect in all EU countries without the need for national laws. By issuing the ePrivacy Regulation, the EU automatically harmonizes the situation across Europe. Although the GDPR had the same aim to some degree, the exchange of electronic data needed serious fine-tuning. Roughly speaking, the ePR primarily applies to companies that are active in online communication and direct marketing using tracking technology. The ePR also specifically applies to relatively new players such as WhatsApp, Facebook Messenger, Skype, Gmail, iMessage and Viber. In other words: as of now, the so-called ‘over the top players’ are subject to the same requirements as network facilitators.


Non-intrusive cookies

Unlike the GDPR, the ePR goes beyond personal data and also includes metadata for instance. Like in the case of its predecessor, dealing with cookies is a key element of the regulation. Agreeing with the use of cookies by giving our consent without even reading the terms involved is almost as common as opening a door before entering a room. To better protect us from this carelessness, while keeping things manageable for online marketing companies at the same time, the ePR makes a distinction between intrusive and non-intrusive cookies. Hence, organizations no longer need explicit consent for certain types of cookies such as functional cookies that are used to increase the performance of websites. To many of us, this will be a blessing as it frees us of annoying cookie walls. However, consent is mandatory for the use of so-called tracking and social media cookies. Analytical cookies in turn can be used freely as long as the data do not leave the organization and cannot be used to identify users.


Do-not-track attitude

If it is up to the EU, ‘do not track’ will become the standard for browsers too. Funny enough, tests have shown that people who don’t mind being tracked in some cases receive better offerings from companies than those who prefer to stay completely untracked and anonymous. Obviously, online communication companies are faced with the challenge to reward people who also accept tracking cookies. It is important to note that, although the GDPR and the ePR are both regulations, the ePR will prevail and therefore overrule the GDPR in specific matters with regard to electronic data exchange. Remarkably enough, the interpretation of a ‘data subject’ in the ePR is broader than it is in the GDPR and includes legal entities. It may even include ‘things’ with a nod to IoT which in itself takes the discussions on AI to a whole new level.    
We expect the ePR to take effect no earlier than at the beginning of 2020. There is a fair chance that some additional adjustments will have been incorporated by then, due to the lobbying by organizations like Facebook and Google. Recent research in The Netherlands showed, yet again, that over a thousand websites place tracking cookies whenever visitors ignore the cookie-wall. New legislation, and more importantly stronger enforcement, seems inevitable.


Post a comment