Now that the public consultation has been launched for the review of the ePrivacy Directive, it’s interesting to consider the reasons a review is considered necessary. The review was mentioned explicitly in the Commission’s Communication on the Digital Single Market back in May 2015, under the pillar of creating the right conditions for a digital single market. In the Communication, the Commission announced that the review of the Directive would begin after the conclusion of the data protection reform package. The review is now officially underway with both the consultation having started and a first stakeholder workshop having taken place the same week as the data protection reform was adopted.
The General Data Protection Regulation (GDPR) sets out to ensure a high level of protection for personal data mainly from private actors in the information society sphere; the ePrivacy Directive, on the other hand, primarily regulates telecommunications service providers. However, one notable provision has a broader application: the so-called ‘cookie provision’ contained in Article 5 (3). The cookie provision requires users to consent to the storing of or access to information on their devices. While this applies to any technology which stores or accesses data stored on an end-user device, this usually applies to cookies, hence the name. The Directive itself is sometimes even referred to as the ‘Cookie Directive’. In 2009, the provision went from an opt-out requirement to an opt-in consent model. The result is that Internet users across Europe are confronted daily with notices informing them that cookies are being used.
In the Netherlands, such an approach would not suffice, as the consent required under the cookie provision’s implementation requires that users are given an explicit choice to accept or refuse. Further browsing only allows users to accept cookies implicitly, so it does not satisfy the requirement of an explicit action. As a result, users in the Netherlands are confronted with much larger banners with big ‘Accept’ or ‘OK’ buttons. Some websites go as far as to redirect users to a separate landing page to get their consent, then redirecting them to the homepage of the website they intended to visit only once they have given their consent. This is likely an effort to make it extra clear to the Dutch enforcement authorities, who have energetically enforced the country’s strict interpretation, that cookies have not been placed before consent.
There are, of course, arguments in favour and against these approaches.
The Dutch approach might be seen as ensuring that users always know that they are giving consent and what they are consenting to. However, in reality users are confronted with pop-up screens and splash screens multiple times each browsing session, making it completely impractical to read and fully understand these notices. The result is that users tend to block or accept all cookies. There is even a browser extension which has the sole purpose of removing notices about cookies, named “I don’t care about cookies”. Between the two largest web browsers it has a userbase of 85,000.
The point is that as a company, there is no way to be sure of your cookie-consent policy being acceptable in each Member State without doing research into national implementations. The review needs to critically assess how to ensure a more uniform or practical application of the Directive’s rule. It could even be argued that, as a matter of data protection, it makes more sense to remove rules for specific technologies and allow data processing by cookies to be governed by the GDPR. This would essentially ‘purify’ the ePrivacy Directive and focus its scope solely on telecommunications regulation.