The Cookie Law vs. The DPR

The Cookie Law and the proposed EU Data Protection Regulation (DPR) appear to be contradicting each other.  Which one will win out when the DPR comes into force as expected?

With the EU General Data Protection Regulation passing its first important vote towards becoming law this week, there have been plenty of commentators looking at the meaning of the latest version of the document to be published. 

It is very broad ranging, and has a much wider scope than the ePrivacy Directive, however there is a great deal of overlap, and some of the provisions are conflicting, so I have decided to look at these further and examine the potential consequences.

It is important to point out that only a few days ago we had new guidance from the Article29 Working Party (WP), which we have already commented on, so I am using this as the starting point for my comparison.

Given that the ePrivacy Directive has been translated into local law in each country, the WP guidance only focuses on what would be required to be compliant in all member states, because the law is slightly different in each country. Nevertheless this is useful because it gives us an idea of what the law would have been, had it been a directly applicable regulation.

The key thing for me is that according to the WP there needs to be clear consent for all cookies (except those strictly necessary) before they can be used. Therefore, despite the fact that most websites restrict themselves to either an information only or, slightly rarer, an opt-out choice model for compliance, the WP feels that true compliance means opt-in. That they say, was the intention of the directive.

Turning to the LIBE draft of the DPR that was agreed this week – at first glance it appears to reinforce this model. Consent for data processing should be explicit – opt-in. It also makes clear that cookies, as well as other online identifiers not covered by the ePrivacy Directive, are covered by the regulation. So far they are in agreement, with the DPR merely extending the scope of the ePrivacy Directive to make it truly technology-agnostic.

However, there is a get-out clause for consent here that does not exist in the cookie law. That get out is ‘legitimate business interests’. Essentially, if you can demonstrate you have a legitimate business reason for processing data without consent, you can do so. When you read the small print around this get out, it becomes clear that much processing done by cookies would meet the test of legitimate business interests – particularly where data is pseudonymous.

However, to counter this becoming a get out of data jail free card, the regulation introduces a pretty much universal ‘right to object’. This basically requires a company to stop processing data if a subject requests it, and in most cases, including where cookies are concerned, overrides the legitimate business interest.

In other words, the DPR sets up an opt-out regime for cookies vs. the opt-in intentions of the ePrivacy Directive.

What to do? Well one of these is still a proposal, the other is law here-and-now. The DPR, in whatever final form it takes, will not replace the cookie laws. So when it does come into force probably two years or so from now – we are going to see some conflict between these two instruments if it is not sorted out before then.

What is clear though is that, opt-in or opt-out, choice is a central requirement of both instruments. Choice is also what people want, and as we move forward are increasingly likely to demand.

So the key takeaway right now is that any website that is not providing meaningful choice, the ability to use the site with or without cookies, is running a higher risk of regulatory action, and perhaps more importantly, losing the trust and engagement of its visitors.