Cookie consent is one key aspect of effective consent management. An eye to the latest EU privacy proposals on cookie consent can help teams achieve global compliance.
It’s hard to discuss EU data privacy without mentioning GDPR, but there’s another proposed regulation also on the radar. It’s called the ePrivacy Regulation. To be clear, it would not be a replacement for GDPR but a complement to it. Whereas GDPR provides an overarching framework to protect users’ personal data, the ePrivacy Regulation sets out specific guidelines for electronic communications privacy, including around cookie consent. GDPR has shown that the EU is a bellwether for global privacy standards, so understanding cookie consent expectations with the ePrivacy Regulation will help teams build future-ready privacy ops.
A few key builds in your consent management today will keep your systems at the forefront of privacy. Your users will appreciate the move and see it as a reason to grow their trust in your brand.
The ePrivacy Regulation might not get the press that GDPR does, but this proposal does not come out of the blue. The European Commission introduced the ePrivacy Regulation back in 2017, with plans for it to roll out simultaneously with GDPR. A variety of political hurdles have kept the proposed regulation in limbo. Like GDPR, this regulation would not go into effect overnight but would have a two-year grace period once confirmed. In the meantime, though, talks have picked up speed in 2021. Leaders like the European Data Protection Board are keen on rounding out the region’s privacy apparatus with user-centric builds:
“Privacy settings should preserve the right to the protection of personal data and the integrity of terminals of users by default and should facilitate expressing and withdrawing consent in an easy, binding and enforceable manner against all parties.”
The ePrivacy Regulation is a follow-up to the ePrivacy Directive of 2002. Among other things, the directive requires businesses to get users’ informed consent before storing cookies, which has earned it the nickname The Cookie Law. Electronic communications have evolved hugely since 2002, and the ePrivacy Regulation expands the directive’s scope to reflect that. In its latest version adopted by the Council of the European Union, it applies to tech like Internet of Things services, and it carves out new rules for cookie consent.
On the cookie consent front, the regulation narrows the scope of when businesses can use cookies without user consent. One such exception, for instance, is using cookies necessary to verify users’ identities in an online transaction. However, general business interest would no longer suffice for cookie usage at large. Using cookies would generally require users’ explicit consent.
Another build looks to alleviate consent fatigue among end-users. Instead of having to constantly navigate cookie consent settings, the ePrivacy Regulation encourages browsers to allow each user to “whitelist” service providers whose cookies they consent to.
The third build relates to cookie walls: requirements that users accept cookies in order to access a website. The ePrivacy Regulation would prohibit cookie walls unless a company can offer the user the choice of an alternative cookie-less service.
Compared to US regulations like CCPA and CDPA, the ePrivacy Regulation’s cookie consent provisions go beyond these state-level measures. Again, EU leaders have not yet confirmed the ePrivacy Regulation, and a two-year grace period will precede enforcement. However, checking the pulse in the EU on cookie consent provides two key benefits:
Review your website’s tag management system and the consent processes associated with cookies. As it stands now, what cookies depend on an assumed business interest on your end? Under the ePrivacy Regulation, you would generally need EU users’ opt-in consent prior to using cookies that are not strictly necessary. Consider implementing a comprehensive consent management system in which users can easily suppress cookies according to their consent preferences. This move would keep you ahead of upcoming requirements and also grant users further control over their own data, which is a wise investment in earning their trust.
Assess what web content currently requires users’ cookie consent in order to be accessible. The ePrivacy Regulation would require that sites either remove these cookie consent requirements or offer an equivalent without those requirements. Moving forward, keep your front-end engineers in the loop on whether EU leaders confirm new rules against cookie walls. (We’ll share updates when we hear anything, too.)
In addition to compliance with the proposed regulation, these builds make cookie consent more straightforward for users. However, cookie consent alone is not enough.
Cookie consent processes are one necessary piece of the compliance puzzle. As we wrote a few months back, relying on a cookie consent banner will not satisfy requirements of today’s major privacy regulations. A cookie consent banner might ace the ePrivacy Regulation’s requirements, but it would fail to cover deeper data flows. For instance, an e-commerce company might collect purchase and account data from end-users. A cookie does not capture that information, and cookie consent does not cover the bases for compliance with laws like California’s CCPA.
To manage cookie consent as well as deeper data flows, teams worldwide are turning to Ethyca. To change the basis for tracking from an assumed business interest to user consent, your Ethyca-powered Privacy Center gives you fine-grained control over consent options presented to users, organized by use case. By implementing user consent throughout your data flows, Ethyca helps prepare you for today’s CCPA and tomorrow’s potential ePrivacy Regulation.