February 9, 2018

The Fall of the Cookie Banner

All those feeling annoyed by the plethora of cookie banners popping up on most European sites…please raise your hands.

Since 2012, European countries have had to implement rules requiring website to tell their users what cookies are being placed on their device and how to disable them. When the cookies have profiling or promotional purposes or are third-party cookies, websites must publish an informative banner during the user’s first visit.

The cookie banner requirement has been introduced into European national laws pursuant to a 2011 EU Directive amending the e-Privacy Directive (2002/58/EC).

As already well-known, the cookie banner informs users that the site utilizes profiling cookies and/or third-party cookies, includes a link to a more extensive disclosure, and it indicates that the user can consent to the use of cookies by continuing to browse the site.

Even if inspired by a noble purpose, cookie banners are not popular among businesses or consumers, as they hinder web browsing, particularly when carried out via mobile devices. Also, meeting the consent requirements can be rather costly for businesses.

European lawmakers are aware that this aspect of the current legal framework needs to change.

Indeed, if approved, a proposal by the European Commission for a new Regulation on e-Privacy will put the cookie banner requirement to rest.

The draft Regulation’s recitals quite go to the point:

Given the ubiquitous use of tracking cookies and other tracking techniques, end-users are increasingly requested to provide consent to store such tracking cookies in their terminal equipment. As a result, end-users are overloaded with requests to provide consent.

In the current draft version, the e-Privacy Regulation does not reduce the protection of privacy rights against invasive cookie use; on the contrary, it strengthens such rights.

Nonetheless, the focus is shifted from the cookie banner to the browser settings:

This Regulation should provide for the possibility to express consent by using the appropriate settings of a browser or other application. The choices made by end-users when establishing its general privacy settings of a browser or other application should be binding on, and enforceable against, any third parties.

By centralizing consent in software, with users choosing their privacy settings “across the board”, the European Commission believes many businesses could avoid cookie banners. The new regime, yet, could affect behavioural advertisers, as (we can assume) a large share of users will reject third-party cookies in their browser settings.

The proposed new e-Privacy Regulation will also address other important matters regarding privacy in telecommunication: for instance, it will ensure that WhatsApp, Facebook Messenger and Skype guarantee the same level of confidentiality of communications as traditional telecoms operators, while banning unsolicited electronic communications by email, SMS and/or automated calling machines.

The new e-Privacy Regulation is likely to be approved before the end of 2018. After a sixth month lead-in period, the e-Privacy Regulation would be directly enforceable in all Europe (without the need of being transposed into national laws).

The new e-Privacy Regulation will join the GDRP (and prevail over it, in case of conflicts regarding electronic communications).