European legislators have discussed the draft of the ePrivacy Regulation in great detail and repeatedly revised it with regard to the tracking provisions. The term "tracking" primarily covers the targeting and retargeting of users through the use of cookies for advertising purposes.
Will all tracking need consent in future?
The purpose of Article 8 of the draft ePrivacy Regulation of 10 February 2021 is to protect users' terminal equipment, i.e. their smartphones, computers and other devices, and is aimed at website and app operators.
Not all data processing related to the use of terminal equipment will require consent. The latest draft of the ePrivacy Regulation permits the use of technically essential session cookies and of audience measuring tools without the consent of users (Article 8 (1) (a), (c) and (d)).
Under the current draft by the EU Council of Ministers, it should also be possible in future to justify data processing in the context of using terminal equipment by determining a compatibility of purpose between the purpose of the original collection of data and the purpose of the intended further processing. When balancing the interests in this respect, the factors that must be taken into account in accordance with Article 8 (1) (g) include the following:
- (i) whether there are connections, and if so which ones, between the original collection of the data and the intended further processing,
- (ii) the context in which the data were originally collected, especially the relationship between end user and provider,
- (iii) the modalities of collecting and further processing, especially whether special categories of personal data pursuant to Article 9 (1) GDPR could be disclosed,
- (iv) the consequences of the further processing for the end user and
- (v) the use of possible security mechanisms, especially encryption or pseudonymisation.
What is more, such further processing is only possible if it is ensured in accordance with Article 8 (1) (h) that:
- (i) the information will be erased or anonymised without undue delay after the purpose has been achieved,
- (ii) only pseudonymised information is further processed and
- (iii) the information is not used to analyse the characteristics of a user or to build an individual profile of a user.
The draft of the EU Council of Ministers would thus require the user's consent to tracking for advertising purposes, regardless of whether this tracking is performed using the provider's own cookies or third-party cookies.
Article 10 of the early first draft of the ePrivacy Regulation imposes obligations on providers of software that enables electronic communication, in particular providers of internet browsers. In accordance with the principle of privacy by design, the intention is for the user to be able to prevent third parties from storing information on the user's terminal equipment or from processing such information, e.g. via their browser settings (Article 10 (1) of the first draft). Such a provision would therefore apply in particular to third-party cookies.
Article 10 (2) of the first draft of the ePrivacy Regulation also required that the user's consent to the use of cookies always be obtained when the software is installed. Once the choice is made, it was also intended to be binding on third parties. It remained unclear, however, whether the third party itself should still be able to obtain consent and how the individual consents would then relate to each other.
The Portuguese Council presidency, like previous presidencies, recently voted for the deletion of Article 10 in its entirety. Instead, recital 20a encourages software providers to make it easy for users to create and modify at any time what it calls "whitelists" in their browsers and to withdraw their consent. However, the user's consent, given directly at the request of the service used, should always take precedence over such software settings and be taken into account accordingly.
How must consent be implemented?
With regard to the implementation of consent, the ePrivacy Regulation largely refers to the provisions of the GDPR, thereby imposing strict conditions. Consent must be given voluntarily, for a specific purpose, with knowledge of the facts and unambiguously; it must also be as easy to revoke as it was to grant (see Working Paper 259 of the Article 29 Data Protection Working Group Rev. 01).
Having said that, two simplifications are being discussed in relation to the provisions in the (current) draft ePrivacy Regulation on the protection of information stored on terminal equipment: Firstly, users should also be able to express their consent, as far as technically feasible, via software settings in browsers and similar software. Nonetheless, this is not intended to water down GDPR requirements with regard to consent. Secondly, if the controller is not in a position to identify the data subject, they should be allowed to demonstrate consent by means of technical log data.
What applies during the transitional period?
Up until the CJEU ruling of 1 October 2019 (Planet49 – Case C-673/17) and the German Federal Court of Justice (BGH) ruling of 28 May 2020 (Cookie-Einwilligung II – I ZR 7/16 (only available in German)), different views were expressed, for example, regarding the legality of website tracking and the applicable regulations.
Since 1 December 2021, the Telecommunications Digital Services Data Protection Act (TDDDG) has been pertinent at a national level for the setting of cookies and it will continue to be so until the ePrivacy Regulation enters into force. You can find more information about the regulations that apply during this transitional period here:
