How will the new ePrivacy Regulation affect the operation of websites?


The General Data Protection Regulation entering into force on 25 May 2018 is not the only privacy revolution in store for the EU. The proposed ePrivacy Regulation is also generating greater and greater controversy and may change the shape of the internet as we know it.

On 26 October 2017 a plenary session of the European Parliament expressed its support for the mandate for the Committee on Civil Liberties, Justice and Home Affairs to represent the EP in trilateral negotiations with the Council of the European Union and the European Commission—the next step in the procedure of adopting a regulation that can entirely overturn the existing rules for online privacy. The proposed ePrivacy Regulation (full name: Regulation concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC) would directly impact such areas as the confidentiality of users’ data during transfer, and ensure the safety of files uploaded to the cloud. But despite the obvious soundness of most of the proposed rules, those involving transmission and storage of cookies are stirring major controversies. According to many internet content providers, the new rules would disable profiled advertising, which is often the foundation of their financial model. This has sparked a heated debate between businesses and NGOs centred around the question of the limits of privacy in the online environment.

Website financial model: cookies and targeted ads

To assess the proposed regulation, it is necessary first to understand how cookie-based advertising works. Currently the prevailing business model for financing the operations of some of the largest websites with the biggest audiences is to display profiled ads on the site from third parties, tailored to the user consuming the content. This approach, part of the broader marketing process known as targeted advertising, is made possible by cookie files stored and transmitted to the site by the user’s web browser.

Cookies as such are not used only for marketing. They enable personalisation of website viewing, logging in, remembering preferred settings, and the use of shopping baskets. Most of the potential applications of cookies involve the purely technical functioning of websites and are designed to improve the user experience. But other information about users’ online habits is also collected using cookies. Based on the information transmitted via cookies, it can be determined what sites the user visits, how much time they spent there, what they search for, and even the products they are interested in. This information is most often collected not by the owners of websites, but by advertisers using “third-party cookies” to gain information about users’ activities.

This in turn permits the creation of an information file which does not contain any personal data but does identify the user’s interests, financial capabilities and preferences, and enables the development of a kind of virtual profile of the user, which has a certain economic value. A simple example would be a situation where a person who has previously shown an interest in mountaineering on certain websites is then shown profiled ads on other websites for essential mountaineering gear, such as climbing boots.

The marketing benefits of these solutions are huge. By narrowing an ad campaign to a specific audience group, identified through analysis of big data, advertisers can deploy their financial potential more efficiently. This model, combined with initiatives linking websites with advertisers (e.g. Google AdSense, used by over 12 million websites), is the basis for the operation of numerous sites, which create content and charge a fee to provide access to advertising space, and thus generate funds essential for their operation.

Existing law

This solution is bound to raise doubts concerning the privacy of users as well as their frequent lack of awareness of what happens to the information about them provided to third parties. Under EU law, these issues are currently governed by the ePrivacy Directive (2002/58/EC), implemented in the Polish legal system through the Telecommunications Law.

Art. 173(1)–(3) of the Telecommunications Law imposes an obligation on telecommunications service providers to obtain the consent of the end user to access information stored on the user’s device, and then to clearly and understandably inform the user of the purpose for storing and processing this information, as well as the possibility of modifying these conditions through the software settings. The consequence of this rule is the notification users are familiar with on the internet (typically a pop-up) informing them that the service provider uses cookies stored on the user’s device, and requiring the user either to signal acceptance of the use of cookies or simply close the pop-up. Under current law, it is also acceptable to infer users’ consent from their behaviour after receiving the notice. This means that the user consents to the use of cookies by merely navigating about the site and taking advantage of its resources. Moreover, the overwhelming majority of service providers do not offer any option for declining the cookies policy. The pop-up windows are informational only, and it is typically not verified in any way that the user read the notice. This feature is known as a “cookie wall” and means that users cannot access the site’s contents if they do not consent to the use of cookies. All of these undesirable situations, arising from inadequate regulation of these issues, have led EU lawmakers to draw up a new law at the level of a regulation of direct applicability. It is intended to serve as one element of the European data protection reform and implementation of the digital single market strategy.

New ePrivacy rules

The proposed ePrivacy Regulation is closely tied to the General Data Protection Regulation (2016/679). They share a glossary of terminology, technical regulations for consent by users, and a national supervisory authority responsible for monitoring compliance with the regulation. But the proposal entirely changes the mechanism for functioning of cookies, and along with it, the mechanism for consenting to storage of cookies.

Most of the obligations in this respect are to be shifted to the producers of electronic communications software. In the case of computers, this will most often be producers of web browsers. Software is to be designed with mechanisms that can prevent storage and processing of information on the end user’s device by third parties. The user is to be informed of the default privacy setting when installing or updating the software. To continue, the user will have to consent to the settings. Under the “privacy by default” concept, the default level of protection of the user’s information is a high level of protection preventing third parties from storing cookies. This should also eliminate the constant display of pop-up notices on every website. Instead, the user will provide consent once, which can be withdrawn at any time, and the user will have to be informed of this option at least once every six months over the entire period of processing of the information. Direct consent will not be required only for storing and processing of data and metadata from the electronic connection that are necessary for the service provider to provide the service, ensure network security, or calculate fees.

Further transfer to third parties and processing of this information, which is deemed confidential, would not be permitted without the user’s consent. These rules are intended to ensure end users complete control over the information and prevent the use of cookie walls, because the information policy would be accepted at the level of the user’s software and not the website.

Limits of online privacy

The proposed regulations are generating a lot of controversy particularly in business circles connected to online marketing. The rule of increased privacy as the default setting for software intended for use of the internet would de facto disable targeted advertising and conducting marketing campaigns aimed only at a specific audience, if they did not modify the settings on their web browsers to allow greater intrusion into their privacy. Now third-party cookies represent over 70% all cookies sent to users of the most popular web services in the most highly developed countries in the European Union (“Cookie Sweep Combined Analysis,” Article 29 Working Party report of 3 December 2015, p. 9), providing a foundation for commitment of significant funds and conduct of numerous ad campaigns. According to the informational campaign likeabadmovie.eu created by marketing lobbyists (including the European Publishers Association, the European Association of Communications Agencies, EGTA (TV and radio sale houses), and the European Magazine Media Association), the proposed regulation would paradoxically have the most negative effect on end users of the internet. The effects forecast by this group include a reduction in the broad access to websites now funded by advertising, greater confusion among consumers concerning privacy settings, a small number of available applications, barriers to operation of many tech startups, and a greater proportion of paid premium content.

But many NGOs defend the proposed solutions and argue that the right to privacy online and the transparency of processed data take precedence over the opaque financial models of the marketing industry. An example in Poland is the Panoptykon Foundation, which claims that the regulation will restore to end users the control over their data, increase awareness of this issue, and in consequence perhaps lead to improvement in the quality of internet content by pruning the proliferation of articles intended for consumption only as click-bait.

It is hard to predict the consequences of these rules, particularly when their final shape is not known yet. If they do enter into force, they will certainly pose a huge challenge for the market. Players will have to decide whether to comply with the European requirements or seek to work around the rules, risking heavy fines. Another big unknown is whether the biggest sites will decide to impose an artificial block on their content as a way to force users to choose the desired privacy settings, as is already happening today with users of ad-blocking software. But the greatest concern is probably the plan for the regulation to enter into force on 25 May 2018. That’s an incredibly short grace period for a regulation that is still in the legislative works. That would be the same day as the launch of the GDPR, which companies have already spent a lot of resources getting ready for (see our guide here).

Adam Polanowski, Dispute Resolution & Arbitration practice, Wardyński & Partners