This week, the European Commission released its proposal to repeal the existing Regulation on Privacy and Electronic Communication (the ePrivacy Directive (Directive 2002/58/EC)) and to replace it with a new Regulation. Unlike the current EU Data Directive and the new General Data Protection Regulation (GDPR) effective May 2018, the ePrivacy Directive primarily addressed practices of traditional telecommunication providers and new providers of electronic communication services (e.g., Gmail, and others listed below). The reason behind the proposal is to catch up the existing law to the realities of the technological evolution that occurred since the passage of the ePrivacy Directive. The proposal is also expected to ensure consistency in the protections afforded by the ePrivacy Directive, particularly with respect to confidentiality of communications, with the General Data Protection Regulation (GDPR), which will take effect in May 2018.
The two most impactful proposed changes are: (1) extension of the application of privacy rules from traditional telecommunications operators to the new providers of electronic communications services, such as Gmail, Facebook Messenger, WhatsApp, and others, and (2) simplification of the rules on cookies. The former proposal would prevent email services, such as Gmail, from scanning the contents of their users’ email for the purposes of delivering targeted advertising, without obtaining the users’ explicit consent. Obviously, this could significantly impact ad revenue of online email and messaging services that rely on targeted advertising for their funding.
The simplification of cookie rules, however, is a welcome relief to business. Article 5(3) of the current ePrivacy Directive requires websites to obtain prior informed consent from a user before storing cookies and similar technologies (e.g., web beacons, Flash cookies, etc.) or accessing information stored on the user’s terminal equipment. For consent to be valid, it must be informed, specific, freely given, and must constitute a real indication of the individual’s wishes. Certain cookies are exempt from the consent requirement, including user-input cookies (session ID first-party cookies), authentication cookies (to identify the user for the duration of a session), user-interface customization cookies (e.g., language or font preferences, for the duration of a session), and third-party social plug-in content-sharing cookies (for logged-in members of a social network). In other words, cookies that are used for the sole purpose of carrying out the transmission of a communication, or are necessary to provide the requested service are likely to be exempt. Some businesses, however, read this exemption narrowly and request user consent even for the use of these “experience-enhancing” cookies.