CookieLaw Blog February 10, 2015

Cookie Law Reform in 2016?


When the new European Commission was announced last year, one of the tasks for Gunther Oettinger as Commissioner for Digital Economy and Society was leading a reform of the e-Privacy Directive, which amongst other things, contains the requirements for consent for the use of cookies and similar technologies on websites. See our report from the time.

A timetable for this has now emerged in a new document (PDF) from the Commission, which shows this work as ‘Ongoing, expected to end in 2016’.  This also reinforces the position that the need for the reform is driven by the introduction of the Data Protection Regulation, which is widely expected to be completed by the end of 2015.

The current cookie rules, introduced in 2011 have been widely criticised, poorly implemented by many publishers and resulted in minimal enforcement action. This has led many to state that the cookie laws have resulted in no benefit for consumers with respect to increasing online privacy, merely increased expense for website owners.

Many people would like to see the laws scrapped completely.  Thanks to one high profile publicity campaign in the UK, many believe they have been already. So given all of this what, if anything, can we predict about how the law might change?

It is difficult to be sure until the regulation is finalised where the main points of divergence between the two sets of legislation will be, but we can perhaps make some educated guesses about the changes, as well as our own recommendation.

Much of the cookie rules hinge on the definition of consent, so if this changes in the regulation it will have a big impact.  In particular there is a push towards making explicit consent the norm, and if this becomes the case then implied consent, or opt-out approaches to use of cookies will need to be revised towards are more opt-in approach.

However, if that happens, then I would suggest we are likely to see at the same time a narrowing down of what types of cookies would be subject to this regime. The Netherlands for example is already preparing changes to their opt-in based law which narrows the scope of the requirements from the orginal provisions.

There is a general move in the Regulation to limit and give consumers control over profiling – and a lot of this aimed at  curbing ubiquitous online tracking of users across domains, using cookies and other methods of identifying individual device users.  I would suggest this would likely become the focus of an ‘opt-in to accept cookies’ model, with less privacy-invading cookie uses more likely to be given exemptions or subject to lower requirements.

One area in desperate need of reform is the language around the use of browser settings to signal consent.  This is currently far too vague to be of practical benefit to either users or publishers, especially given that as the ICO points out in its guidance, current browser settings options are not up to the task. 

Browser privacy controls, whilst not exactly keeping pace with tracking technology, have come a long way since the legislation was written, and in particular the Do Not Track feature is now universal in modern browsers.  There are ongoing debates about how sites should respond to Do Not Track (DNT) requests, in an attempt to get a global standard adopted.  Regardless of the progress of that work, there would be a huge leap forward in user privacy, and potential for improvements in usability, if the revised ePrivacy law were to explicitly set out what a compliant response to a DNT request would be. I would expect to see something about that in any changes.

Even as the cookie law first emerged in the consciousness of developers and service providers with a need to make changes to implement it, there was talk of alternative technologies that would enable the laws to be sidestepped without stopping the collection of information from consumers.  There was much talk of device fingerprinting techniques as being outside the wording if not the spirit of the law, and it took an opinion of the Article 29 Working Party (PDF) to quash that interpretation.  I suspect there will be a lot of scrutiny of the wording of the directive to ensure it can keep pace and achieve its goals in the face of ever increasing rates of technological change.

Finally, and perhaps more than a wish than an expectation, a comprehensive review of the cookie law should take a good look at the user interface issues that have really been the centre of much of the talk of the flaws in the law.  It would make a lot of sense for legislators to look at examples of both good and bad practice in notice and consent mechanisms that sites employ.  By doing so they can try to shape the requirements in such a way that it would support models that allow for strong privacy protection that creates a better user experience.  This has the potential to more effectively encourage compliance than the threat of fines, which in many cases are not large enough, or likely enough, to be a viable deterrent.

It is important to point out that all of this is just speculation at the moment, but there is one thing we can be sure of.  Once the work on the reform begins, the lobbying from interest groups will also get pretty fierce.

Recent Posts

January 13, 2017
Future of EU Cookie Compliance Webinar: ...

GDPR and now the proposed E-Privacy Regulation mean a stricter regime for cookie compliance, web governance and use of online tracking technologies. Join p...

View Article
Recent blog thumbnail
December 14, 2016
Draft EU ePrivacy Regulation Leaked...

A draft of the proposed legislation to replace the outdated EU ePrivacy Directive was leaked on the (PDF) website this week. The proposal is fo...

View Article
Recent blog thumbnail
November 3, 2016
GDPR Compliance Means Cookie Notices Mus...

Are you one of those people that ticked the cookie law box ages ago and not thought about it since? Well the game has changed and now is the time to re-vis...

View Article
Recent blog thumbnail
September 21, 2016
Optanon Acquired by OneTrust...

We are pleased to announce that Optanon, along with parent company Governor Technology, has been acquired by OneTrust....

View Article

Be in the Know

Subscribe to our newsletter

Onetrust All Rights Reserved