The Cookie “Monster” – What does the future hold for cookies and user analytics in light of new EU Laws


Since the 1990s, websites have had a love affair with using cookies to track user behaviour, as strong as that of Sesame Street’s beloved monster.

 

However with recent moves towards customer privacy, and Google’s plans to phase out third-party cookies on Chrome browsers by 2022, it looks like third-party cookies (i.e. cookies created by parties other than the website that the user is currently visiting) could be on their way out.

 

In this article we consider how the EU’s new ePrivacy Regulation could affect the use of cookies and what alternatives are being considered.

 

EU New Cookie Law

In 2018, the EU brought forward plans around e-privacy which were intended to supplement the now infamous GDPR. This ePrivacy Regulation was intended to cover all electronic communications on publicly available services and networks from or by individuals in the EU.

 

Now, after more than four years of negotiation, it looks like the ePrivacy Regulation is one step closer to being passed, and we take a look below at some of the key differences between the draft text and current legislation.

 

  1. Public Networks: The law covers publicly available services and networks, meaning that if the transmission takes place over a closed or private network, it will not apply.

 

  1. Scope Outside EU: The law applies to end-users located in the EU, regardless of the location of the processing or the service provider.

 

  1. Consent: To process any data exchanged by such an electronic communication from an individual in the EU, that individual must first provide explicit and affirmative consent (similar to GDPR) (legitimate interest justification is not sufficient), subject to certain exemptions. The consent request must notify the user of the use of cookies on any revisit to same site.

 

The exemptions include processing for reasons such as identifying malware, security reasons, or to protect vital interests. Metadata can also be processed for purposes other than those for which it was collected, provided that this new purpose is compatible with the initial purpose, and that safeguards apply.

 

  1. Cookie Walls: These are permitted provided that there must now be an equivalent that does not require such cookie consent i.e. users must be given a genuine choice with regards to the use of cookies or other similar technologies.

 

The offering of little to no alternative services, with inadequate information may ‘deprive’ the users of a free choice, meaning compliance may be difficult for many website providers depending on how websites have been built.

 

  1. Whitelisting: To combat cookie request overload, the law contemplates users consent to certain types of cookies by ‘whitelisting’ particular provider(s) in their browser settings. Providers will need to ensure that users can easily amend or withdraw their consent at any time through whitelists.

 

What Next?

The ePrivacy Regulation is still in draft form, and a transitional period of 2 years means that, at the earliest, it will not become law before 2023.

 

Although the law would apply directly in the UK post Brexit, as noted above organisations based outside the EU (including NI companies) will be bound by it if they process electronic communications, equipment information or metadata (such as location and time data) about recipients.

 

Alternatives

With restrictions such as these, many service providers are looking towards alternatives, with one popular alternative being the Unified ID.

 

Unified ID works on the basis that when an individual logs into a website with their email address, an identifier will be created based on an anonymised version of that email (the Unified ID). This identifier is regularly updated ensuring that it remains both anonymised and secure. When the individual logs on to the website, they will be informed as to why the service provider wishes to create the Unified ID and what it will be used for. At this point the individual can set their preferences regarding their data.

 

The benefits here allow for anonymisation of the individual, as the Unified ID contains no identifying information and cannot be reverse engineered into the email address used or any other form of identification.

 

Additionally, Unified ID allows for greater transparency (for example, it allows individuals to better understand how they are accessing sites in return for personalised advertisements) and greater control (as individuals can log into their account and monitor how their data is being used).

 

Despite the advantages of such a platform and a number of large advertising technology companies signing up, Unified ID is already encountering roadblocks, with Google stating that it has no plans to support any email based identifiers which it considers to mirror the functionality of cookies.

 

Instead, Google is keen to promote its own third party-cookie alternative, Privacy Sandbox. However with, as of yet, no actual platform or code, it is difficult to assess the usability of Privacy Sandbox as a viable alternative to third party cookies.

 

Looking to the Future

Until negotiations regarding the new ePrivacy Regulation have been concluded and the legislation implemented, it is not possible to predict with certainty what the landscape will look like for e-privacy in the UK or EU.

 

Additionally, it appears that the battle to provide a viable replacement for third-party cookies continues with no real leader yet emerging on the market.

 

With the ever-changing negotiations, discussions and technical advancements in the field of data protection, service providers would be wise to keep their finger to the pulse so that, whatever the future holds, they will be prepared.

 

If you or your business requires further advice or assistance navigating data protection or e-privacy matters, please contact Andrew Kirke, Partner – Contracts and Technology Department by email Andrew.Kirke@tughans.com


While great care has been taken in the preparation of the content of this article, it does not purport to be a comprehensive statement of the relevant law and full professional advice should be taken before any action is taken in reliance on any item covered.