A ruling on consent for online cookies from the European Union’s highest court will lend clarity to a stalled effort to finalize an electronic communications privacy regulation, an EU official and attorneys said.
The EU Court of Justice ruled Oct. 1 that people must actively choose to let companies install cookies that track their internet browsing—not just check a box by default.
“The court ruling today is very good for legal certainty on a number of points,” said Rosa Barcelo, a partner with Squire Patton Boggs in Brussels. “It gives a boost to the legislative efforts to adopt the ePrivacy Regulation.”
Talks among countries on writing an online privacy regulation have stalled amid such complex questions as how to align rules for cookies consent with the 2018 General Data Protection Regulation’s overarching rules for consent on processing personal data.
The regulation will replace a 2002 e-communication and privacy directive (2002/58/EC). Directives require countries to meet goals, but don’t tell them how to do it.
The e-Privacy regulation would harmonize with the GDPR, which requires that consent for data processing be freely given, specific, informed and unambiguous, and can be withdrawn. But applying the same standard to cookies would be complex, according to Kristiina Pietikäinen, the Finnish official who chairs a technical group of EU country representatives working on the draft ePrivacy regulation.
Users go online using “so many devices and different services,” that it has proved difficult to define clear consent rules in line with the GDPR, Pietikainen said. Industry groups have raised concerns that device users frequently would be asked to click banners giving their consent.
The court ruling may help talks on the directive by firming up what should be included in the regulation’s consent provisions, practitioners said.
The ruling confirms “a toughening stance over the issue of consent,” said Rafi Azim-Khan, Head of Data Privacy at Pillsbury Law in London.
“Cookie use, in particular, is an area where various forms of bad practice had developed over time,” Azim-Khan said. “That is now set to change.”
It’s clear that cookie consent has to jibe with the GDPR’s overall consent standard, Anna Pateraki, a senior associate with Hunton Andrews Kurth in Brussels, said. But “the market needs clearer rules in the law, and a more business-friendly interpretation of the applicable rules,” she said.
The next meeting of the EU country representatives working on the ePrivacy regulation is Oct. 11, and the ruling will likely be relevant, though “we need to study” it, Pietikäinen said.
Pietikäinen is heading the working group because Finland currently holds the presidency of the EU Council, where member governments meet to adopt laws and coordinate policies. The council is the main decision-making body of the bloc, along with the European Parliament.
— With assistance from Daniel R. Stoller