What are cookies?
Cookies are tiny files on a computer that collect data recognized as useful to the browsing patterns of the user. Cookies are accessed by web browsers such as Google Chrome, Microsoft Edge, and Firefox, or by the website owner itself, which use that data to automatically fill in the blanks each time you visit a website, with the aim of providing a quicker browsing experience for web users. Cookies also benefit business owners, as they can provide information such as how a site visitor came to find your website and how many times a page is viewed by a customer, and can also notify you when a specific visitor accesses your website.
The contents of the EU Cookie Directive:
The General Data Protection Regulation (GDPR), which came into effect in 2018, paired with the EU cookie law, forms the overall data privacy regime in Europe. The extraterritorial scope of the EU cookie law means that any website that has visitors from the EU must comply with the law, regardless of where in the world the site is located. This is one of the world’s strictest data privacy regimes, and it has inspired newer privacy laws such as POPIA (Protection of Personal Information Act), which provides privacy rights and consumer protection under South African law, and Brazil’s Lei Geral de Proteção de Dados (LGPD), which governs both online and offline personal data.
The ePrivacy Directive’s cookie requirements require you to obtain explicit consent from end-users before cookies are activated on your website. The minimum requirements in terms of the EU directive, whether you are based in the EU or deal with EU customers, are as follows:
- Inform the user that the site uses cookies;
- A notification that makes cookie use clear, like a banner in the header;
- Explicit, voluntary consent before cookies are used; and
- The choice for users to opt-out.
These requirements are adapted from the EU e-Privacy Directive, as part of Europe’s endeavor to provide online privacy for its people.
The European Privacy Directive (EPD) will eventually be replaced by the ePrivacy Regulation (EPR), which aims to expand the definitions and ambit of the EPD. The EPR was set to be enacted in 2018 at the same time the GDPR came into effect, but only incomplete drafts of the document were available up to 10 February 2021, when a finalized text was agreed upon by the EU Council.
Although it is scheduled to be completed this year, there is no date yet for its implementation. In the European Union, a directive must be incorporated into national law by EU countries, while a regulation becomes legally binding throughout the EU on the date it comes into effect.
The scope of the draft ePrivacy Regulation 2021 extends to all electronic communication. This includes WhatsApp, mobile text messaging, Facebook messaging, email, etc., and protects individuals inside the EU from third-party interference with their private communication unless explicit and informed consent is given upfront. The 2021 draft places user consent at the core of electronic data privacy and is targeted at website trackers and cookies.
The EPR will also address the practice of digital fingerprinting, whereby code running in the background of many websites collects information about a visitor’s device, location and habits without requiring their permission. What is important, however, is that consent is here to stay. Cookies are continually evolving and the rules which regulate them are still being set, but the onus is on you to maintain an updated cookie policy, properly inform your users about the cookies your website is using, and obtain their consent. Doing so will ensure you stay compliant with the GDPR and maintain your client satisfaction.