The New ePrivacy Regulation: The Most Important Changes

A draft of a new ePrivacy regulation from the European Commission was leaked in December 2016. The final version (10/01/2017) has now been published as an official proposal from the EU Commission. The new regulation is intended to replace the ePrivacy Directive 2002/58/EC and flanks the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018. Unlike the old ePrivacy Directive, the planned ePrivacy Regulation applies directly across all member states and takes priority over national legislation. Associations and players of the online marketing sector, explain Dr Frank Eickmeier and Prof Dr Christoph Bauer (pictured below), have already strongly criticised the proposal, as it will have serious consequences for the internet industry and the information society. What exactly will the ePrivacy Regulation change if the proposal is accepted unmodified?

According to the current proposal of the ePrivacy Regulation, a website visit by the end user can no longer be construed as consent. The currently customary banner reading “by visiting this website, you (by implication) accept the use of cookies”, or the notification “we use cookies” with an ‘OK’ button, will become impermissible, because the user does not have a genuine choice when it comes to giving consent. The affected user is also not able to set up browser data protection.

Opt-in will be compulsory for many cookies

Dr Frank Eickmeier

On first accessing the website, and even before the first placement of a cookie that requires consent, the user must be notified about the use of cookies, at which point the user has the option to agree or reject. The notification, which must not be one the user can simply overlook, can be a banner or notification window, and consent must be requested by way of an opt-in. This means that if the opt-in uses a checkbox, the box must not be pre-ticked. The user must explicitly click on ‘agree’. If he/she does not pay attention to the banner/notification, no consent-requiring cookies may be placed.

Should the user refuse, the website may not be blocked. Recital 42 of the GDPR states that the design must be such that the user “[…] is in the position to refuse or revoke the consent without suffering disadvantages”. There are plausible reasons to accept that a disadvantage exists if a user who does not consent would be deprived of content on the website. But this isn’t certain, because it is currently unclear how a ‘disadvantage’ will be defined.

Opt-out must be possible at any time

Prof Dr Christoph Bauer

The website operator must offer users who have already granted their consent an opt-out at any time. In the same regard, website operators must also take account of the ‘do not track’ browser setting, because this already establishes the non-consent of the user.
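
The consent rules described in the two sections above (opt-in before the first cookie, no pre-ticked box, opt-out at any time, ‘do not track’ as non-consent), sketched as server-side decision logic. This is an added example, not part of the original article; the cookie categories, field names and function names are assumptions made for illustration.

```javascript
// Added example: consent gate for cookies. All names here are hypothetical.
// Assumption: which categories count as "consent-requiring" is decided by the operator.
const CONSENT_REQUIRED = new Set(["analytics", "advertising"]);

// Build a consent record from the submitted banner form.
// A box that arrived ticked and was never touched by the user is not an opt-in.
function recordConsent(form, now = Date.now()) {
  const granted = form.checked === true && form.userInteracted === true;
  return { granted, grantedAt: granted ? now : null, revokedAt: null };
}

// Opt-out must be possible at any time: revocation always succeeds.
function revokeConsent(record, now = Date.now()) {
  return { ...record, granted: false, revokedAt: now };
}

// dntHeader is the value of the request's DNT header ("1" means do not track).
function maySetCookie(category, record, dntHeader) {
  if (!CONSENT_REQUIRED.has(category)) return true; // e.g. a session cookie
  // Assumption: a DNT signal outranks any stored record, since the article
  // treats it as establishing non-consent.
  if (dntHeader === "1") return false;
  // An ignored banner leaves no record, so nothing consent-requiring is set.
  return Boolean(record && record.granted);
}

// Return the names of the cookies the response is allowed to set.
function allowedCookies(cookies, record, dntHeader) {
  return cookies
    .filter((c) => maySetCookie(c.category, record, dntHeader))
    .map((c) => c.name);
}

// Constructed sample input: cookies a page would like to set.
const SAMPLE_COOKIES = [
  { name: "sid", category: "session" },
  { name: "_stats", category: "analytics" },
  { name: "_ads", category: "advertising" },
];

// First visit, banner not yet answered: only the session cookie goes out.
console.log(allowedCookies(SAMPLE_COOKIES, null, undefined));
// Explicit click on "agree", then a later opt-out.
const consent = recordConsent({ checked: true, userInteracted: true });
console.log(allowedCookies(SAMPLE_COOKIES, consent, undefined));
console.log(allowedCookies(SAMPLE_COOKIES, revokeConsent(consent), undefined));
```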

Strict compliance with the new rules of the ePrivacy Regulation will lead to significant expenses for website operators, who will have to adapt their websites, especially in the case of website monitoring, where companies need to weigh up precisely which forms of data collection require user consent. Intensive negotiations and a lot of lobbying work are expected before the norm comes into force.