This week, the European Commission released its proposal to repeal the existing Regulation on Privacy and Electronic Communication (the ePrivacy Directive (Directive 2002/58/EC)) and to replace it with a new Regulation. Unlike the current EU Data Directive and the new General Data Protection Regulation (GDPR) effective May 2018, the ePrivacy Directive primarily addressed practices of traditional telecommunication providers and new providers of electronic communication services (e.g., Gmail, and others listed below). The reason behind the proposal is to catch up the existing law to the realities of the technological evolution that occurred since the passage of the ePrivacy Directive. The proposal is also expected to ensure consistency in the protections afforded by the ePrivacy Directive, particularly with respect to confidentiality of communications, with the General Data Protection Regulation (GDPR), which will take effect in May 2018.

The two most impactful proposed changes are: (1) extension of the application of privacy rules from traditional telecommunications operators to the new providers of electronic communications services, such as Gmail, Facebook Messenger, WhatsApp, and others, and (2) simplification of the rules on cookies. The former proposal would prevent email services, such as Gmail, from scanning the contents of their users’ email for the purposes of delivering targeted advertising, without obtaining the users’ explicit consent. Obviously, this could significantly impact ad revenue of online email and messaging services that rely on targeted advertising for their funding.

The simplification of cookie rules, however, is a welcome relief to business. Article 5(3) of the current ePrivacy Directive requires websites to obtain prior informed consent from a user before storing cookies and similar technologies (e.g., web beacons, Flash cookies, etc.) or accessing information stored on the user’s terminal equipment. For consent to be valid, it must be informed, specific, freely given, and must constitute a real indication of the individual’s wishes. Certain cookies are exempt from the consent requirement, including user-input cookies (session ID first-party cookies), authentication cookies (to identify the user for the duration of a session), user-interface customization cookies (e.g., language or font preferences, for the duration of a session), and third-party social plug-in content-sharing cookies (for logged-in members of a social network). In other words, cookies that are used for the sole purpose of carrying out the transmission of a communication, or are necessary to provide the requested service are likely to be exempt. Some businesses, however, read this exemption narrowly and request user consent even for the use of these “experience-enhancing” cookies.

To comply with the ePrivacy Directive, beginning in May 2012, websites operating in the EU have been using cookie banners displayed at the top or bottom of the screen on all pages of a site using cookies that require informed consent. Some banners are in the form of notice only, with the presumption that continued use of the site signifies user consent, and some require active interaction by asking a user to click on a choice between “I accept” and “I refuse” the site’s cookies. When these banners first started popping up, many users saw them as irrelevant or irritating, particularly when trying to browse mobile sites. Several data privacy authorities, including the UK’s ICO, took a rather lax approach to enforcement of the cookie law, in part, due to the perceived lack of public concern over the use of cookies. Through it all, though, companies had to adjust their processes and spend money in order to comply with the law.

The new proposal would simplify the cookie rules. The European Commission recognizes that the so-called “cookie provision” resulted in an “overload” of consent requests for internet users and that the rules needed to be streamlined. The proposed rule clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g., remembering shopping cart history). Furthermore, cookies set by a visited website counting the number of visitors to the site will no longer require consent.

The new rule also proposes to centralize user consent in software, such as internet browsers, and to prompt users to choose their privacy settings across the board. The European Commission believes this would allow a significant proportion of businesses to do away with cookie banners and notices, thus leading to potentially significant cost saving. This benefit, while great for first-party businesses, however, will be diminished for online targeted advertisers should a large proportion of users opt for rejecting third-party cookies in their settings. At the same time, the European Commission notes, centralizing consent does not deprive website operators from the possibility to obtain consent by means of individual requests to end-users and thus will allow these operators to maintain their existing business model. Likewise, additional expenses will likely be incurred by providers of browsers who would need to ensure privacy settings compliant with the new rules. Overall, the European Commission believes that, depending on the specifics of the implementation, this proposed solution could lead to overall savings, in terms of compliance cost, of up to 70 percent (or €948.8 million in savings).

The Commission called on the European Parliament and the Council to ensure the smooth adoption of the new rules by May 25, 2018, when the GDPR goes into effect. The Commission stated that its “intention is to provide citizens and businesses with a fully-fledged and complete legal framework for privacy and data protection in Europe by this date.”