ePrivacy Regulation – Final text approved by the Council of the European Union

The ePrivacy Regulation is finally at a decisive turning point because the Council of the European Union has reached an agreement on the final version of the text.

The approval of the ePrivacy Regulation by the Council of the European Union

After negotiations that lasted over 4 years, the ePrivacy Regulation is finally at a decisive turning point. The Council of the European Union reached an agreement on the final version of the text, thus approving a negotiating mandate for the final revision of the rules on the protection of privacy and confidentiality in the use of electronic communication services.

The ePrivacy Regulation will apply not only to providers of traditional electronic communication services, such as mobile and fixed telephone operators, but will introduce important changes in key sectors of the digital economy, such as the Internet of Things, online advertising, and online telecommunications.

The draft Regulation presented by the European Commission at the beginning of 2017, immediately aroused the interest of lobbies of the telecommunications, advertising, and media services sector, and underwent numerous modifications due to the influence of the interests – in part opposing – of businesses and consumers. In fact, it took 8 different presidencies of the Council of the European Union to agree on a shared text of the draft ePrivacy Regulation, which was finally reached on February 10, 2021, under the Portuguese Presidency.

Here is a brief recap of some of the most interesting points of the new text.

Default privacy settings

To combat the so-called cookie banner fatigue, software vendors are encouraged (but not obliged) to include by default settings that allow end-users, in an easy and transparent way, to manage their consent to cookies, making precise choices about storage and access to data stored in their terminal equipment, easily setting and modifying white-lists for the categories of cookies accepted or not, so as to have an easily exercisable control of consent. After all, Elon Musk, who lately seems to be more influential than usual, said so too.

Cookie walls and adtech

The possibility of conditioning access to websites on the user’s provision of consent to the installation of cookies is maintained, provided that it “does not deprive the user of an effective choice“. This condition is deemed to be met if the end-user is placed in a position to choose – consciously – between a service offering that includes consent to the use of cookies for additional purposes, on the one hand, and an equivalent offering from the same provider that does not involve consent to the use of data for additional purposes, on the other. An imbalance could exist, for example, when the end-user has only a few or no alternatives to the service, and therefore has no real choice regarding the use of cookies, for example in the case of service providers that hold a dominant position. With respect to the issue of awareness, as already provided by the GDPR the information must be clear, comprehensive, and user-friendly (confirming that legal design will not be just a trendy hashtag in the coming months).

Consent yes, but with reminders

End-users who have given their consent to the processing of electronic communication data should be reminded of the possibility to withdraw consent at periodic intervals of no more than 12 months, as long as the processing continues, unless the end-user asks not to receive such reminders.