How Cookie Consent May Evolve With EU’s Proposed ePrivacy Regulation

Cookie consent is one key aspect of effective consent management. An eye to the latest EU privacy proposals on cookie consent can help teams achieve global compliance.

A Recipe for Cookie Consent

It’s hard to discuss EU data privacy without mentioning GDPR, but there’s another proposed regulation also on the radar. It’s called the ePrivacy Regulation. To be clear, it would not be a replacement to GDPR but a complement to it. Whereas GDPR provides an overarching framework to protect user’s personal data, the ePrivacy Regulation sets out specific guidelines for electronic communications privacy, including around cookie consent. GDPR has shown that the EU is a bellwether for global privacy standards, so understanding cookie consent expectations with the ePrivacy Regulation will help teams build future-ready privacy ops.

A few key builds in your consent management today will keep your systems at the forefront of privacy. Your users will appreciate the move and see it as a reason to grow their trust in your brand.

Understanding the ePrivacy Regulation

The ePrivacy Regulation might not get the press that GDPR does, but this proposal does not come out of the blue. The European Commission introduced the ePrivacy Regulation back in 2017, with plans for it to roll out simultaneously with GDPR. A variety of political hurdles have kept the proposed regulation in limbo. Like GDPR, this regulation would not go into effect overnight but have a two-year grace period once confirmed. In the meantime, though, talks have picked up speed in 2021. Leaders like the European Data Protection Board are keen on rounding out the region’s privacy apparatus with user-centric builds:

“Privacy settings should preserve the right to the protection of personal data and the integrity of terminals of users by default and should facilitate expressing and withdrawing consent in an easy, binding and enforceable manner against all parties.”

The ePrivacy Regulation is a follow-up to the ePrivacy Directive of 2002. Among its requirements, the directive requires businesses to get users’ informed consent before storing cookies. As such, it has earned the nickname The Cookie Law. Electronic communications have hugely evolved since 2002, and the ePrivacy Regulation expands its scope to reflect that. In its latest version adopted by the Council of the European Union, it applies to tech like Internet of Things services, and it carves out new rules for cookie consent.

Cookie Consent in the ePrivacy Regulation

On the cookie consent front, the regulation narrows the scope of when businesses can use cookies without user consent. One such exception, for instance, is using cookies necessary to verify users’ identities in an online transaction. However, general business interest would no longer suffice for cookie usage at large. Using cookies would generally require users’ explicit consent.

Another build looks to alleviate consent fatigue among end-users. Instead of having to constantly navigate cookie consent settings, the ePrivacy Regulation encourages browsers to allow each user to “whitelist” service providers whose cookies they consent to.

The third build relates to cookie walls: cookie requirements in order to access websites. The ePrivacy Regulation would prohibit cookie walls unless a company can offer the user the choice for an alternative cookie-less service.

Compared to US regulations like CCPA and CDPA, the ePrivacy Regulation’s cookie consent provisions go beyond these state-level measures. Again, EU leaders have not yet confirmed the ePrivacy Regulation, and a two-year grace period will precede enforcement. However, checking the pulse in the EU on cookie consent provides two key benefits:

1. The EU has been driving digital privacy, especially with GDPR and its “A Europe fit for the digital age” initiative. If the ePrivacy Regulation goes into effect, it may shape regulations worldwide.
2. Like GDPR, the ePrivacy Regulation takes scope beyond just the EU. If your team processes EU residents’ data, you would need to comply with the ePrivacy Regulation, even if your HQ is elsewhere.

How to Build Future-Ready Consent Processes

Review your website’s tag management system and the consent processes associated with cookies. As it stands now, what cookies depend on an assumed business interest on your end? Under the ePrivacy Regulation, you would generally need EU users’ opt-in consent prior to using cookies that are not strictly necessary. Consider implementing a comprehensive consent management system in which users can easily suppress cookies according to their consent preferences. This move would keep you atop upcoming requirements and also grant users to further control over their own data, which is a wise investment in earning their trust.

Assess what web content currently requires users’ cookie consent in order to be accessible. The ePrivacy Regulation would require that sites either remove these cookie consent requirements or offer an equivalent without those requirements. Moving forward, keep your front-end engineers in the loop on whether EU leaders confirm new rules against cookie walls. (We’ll share updates when we hear anything, too.)

In addition to compliance with the proposed regulation, these builds make cookie consent more straightforward for users. However, cookie consent alone is not enough.

Why Cookie Consent Alone is not Enough

Cookie consent processes are one necessary piece of the compliance puzzle. As we wrote a few months back, relying on a cookie consent banner will not satisfy requirements of today’s major privacy regulations. A cookie consent banner might ace the ePrivacy Regulation’s requirements, but it would fail to cover deeper data flows. For instance, an e-commerce company might collect purchase and account data from end-users. A cookie does not capture that information, and cookie consent does not cover the bases for compliance with laws like California’s CCPA.

360-Degree Consent Management

To manage cookie consent as well as deeper data flows, teams worldwide are turning to Ethyca. To change the basis for tracking from an assumed business interest to user consent, your Ethyca-powered Privacy Center gives you fine-grained control over consent options presented to users, organized by use case. By implementing user consent throughout your data flows, Ethyca helps prepare you for today’s CCPA and tomorrow’s potential ePrivacy Regulation.