PART 2 - New Guidance on Data Privacy: What's Next?

While we await the final draft of the new e-Privacy Regulation which will yet again tighten the rules on data privacy in an online context.

As we discussed in Part 1 of this 3-part article, the new e-Privacy Regulation has not been without its own controversies, and the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) has recently issued new guidance on the use of website cookies.

In the first part of our 3-part article, we looked at what cookies are and what the latest guidance from the Dutch Data Protection Authority states. In this second part, we look at what’s next and provide our tips and tricks for compliance. In the third part, we share latest guidance on cookies from the Court of Justice of the European Union.

As we saw, recent guidance from the AP conforms to the GDPR’s rules requiring that consent to cookies is clear and unambiguous; internet visitors must be asked in advance for any tracking software, and permission is not “free” if there is no real choice. So what do website owners need to do to ensure compliance, and what is next for the latest round of e-privacy rules in Europe?

What next?

The draft e-Privacy Regulation which is expected to replace the current ePrivacy Directive aims to work alongside the GDPR, giving businesses added liability around digital privacy and is especially concerned with the use of cookies. While the GDPR covers personal data more generally, the regulation aims to go into more detail ensuring protection for privacy at every stage of an online interaction.

It is expected that businesses will be required to demonstrate that their use of cookies is necessary for sending communications or ensuring security, and to prove that their user has given consent. The draft Regulation has not been without its controversies and with debates around the legitimacy of cookies it has been the subject of a number of amendments.

Those against the Regulation have argued that when a browser tries to connect to a website, that browser and its user are making a request to join the website. Creators and owners of websites have fundamental rights attached to them and technically there is nothing in the GDPR that says that people must make the content of their websites available to everyone. Perhaps users are not entitled to website content, and whilst they can’t be forced to accept tracking, this could be their choice with the other option being simply not to access the website, if there is no other way to access it. It may be that this question will remain to be answered one day by the CJEU. 

The new Regulation was set to come into force before the end of 2019, but with the debates that have surrounded it, it looks like this date is to be pushed back even further.

However, as with all legal matters, the best business practice is to keep up-to-date and be ready for and aware of any changes that may be made. 

Our Tips and Tricks for Compliance

  • Know what cookies your website is using – perhaps consult with a web developer if you are unsure how to decipher this yourself, and ensure you communicate with any third-party services on your site that may also be collecting cookies.

  • Ensure the consent you get for the use of these cookies is freely given, specific and informed, involving some form of unambiguous action.

  • Ensure your website privacy policy contains information about the use of cookies, and make sure this is easy to find and understand. 

  • Make sure users also have the option to object to the use of cookies.

For any specific advice on your cookies policy and and for a legal audit of your website’s compliance, or for any advice on any other legal matters, please don’t hesitate to get in touch!

In the meantime, keep a look out for a final article in this 3-part series, where we share latest guidance on cookies from the Court of Justice of the European Union.

Author: Lily Morrison, Legal Consultant @ Gerrish Legal, June 2019.