On 8 September 2017, the Council of the European Union (hereinafter, “the Council”) reviewed the draft of the new e-Privacy Regulation (“EPR”), previously published by the European Commission on 10 January 2017, which allows the use of first-party and third-party analytic cookies without express consent of the end-user.
The relevant legislation in this field (Directive 2002/58/EC, hereinafter “e-Privacy Directive” or “EPD”) is indeed undergoing a reform process to align the current legal framework with technological developments and the new provisions contained in the EU General Data Protection Regulation (“GDPR”).
Among other changes to the new EPR, the Council has proposed amendments to Article 8, concerning the “Protection of information stored in and related to end-users’ terminal equipment”. Cookies are one of the main examples of technologies which can track users’ behaviour online by reading information on their devices and, since the EPD's adoption, have been constantly subject to European and national regulations.
In European legislation, the main rule concerning the use of tracking technologies is Article 5(3) of the e-Privacy Directive. In Opinion 4/2012, the Article 29 Working Party (“WP29”) clarified that the above-mentioned article allows cookies to be exempted from the requirement of express and informed consent if they are used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network” (Criterion A) or if they are “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service” (Criterion B).
In addition, WP29 suggested a further exemption to the required informed consent by considering that “first party analytics cookies are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes, anonymised and equipped with user-friendly opt-out mechanisms” (Criterion C).
Criterion C was originally adopted in some Member States, including Italy, and restated in WP29 Opinion 3/2016. Some of the above suggestions were taken up by the Council, which inserted them in its proposed revision of the EPR, even allowing the use of third-party analytics (specifically, information for audience measuring) without express consent, provided that the conditions laid down in Article 28 of the GDPR are met.
Opening up to the use of first-party and third-party analytics surely serves the business needs of companies by introducing a new exception to the express and informed consent of the end-user. Moreover, the absence of any reference in Article 8 of the EPR to “data anonymization”, “privacy by design” and “data minimization” as specified in Opinion 3/2016 seems to lead to the conclusion that, for the legislator, analytics no longer pose a serious risk to users' privacy. However, the same may not be said with regard to profiling technologies, for which an express and informed consent is still necessary.
In conclusion, should the Council's revision of Article 8 of the EPR be deemed appropriate:
- an express and informed consent will be required only for profiling technologies and not for first-party and third-party analytics;
- by default, the required consent will most likely be centralised in software such as internet browsers, apps and smartphones, prompting users to freely choose their privacy settings (Art. 4a EPR) and avoiding the use of banners.
We will continue to monitor the further developments of the legislative process.