Privacy laws

Some help with legal information about GDPR and other privacy laws

GDPR and e-Privacy Regulation compliance

In this article, we will discuss how GDPR (General Data Protection Regulation) and ePR (e-Privacy Regulation) affect cookie usage on your website and how Cookie-Script helps your website get compliant with GDPR.

First things first, here are some quick FAQs about GDPR and ePR.

What is GDPR? 

GDPR stands for General Data Protection Regulation: a new regulation created to improve data privacy


What is ePR?

ePR stands for e-Privacy Regulation: a regulation for electronic communications and the right to confidentiality


When is GDPR enforced?

25th of May 2018


When is ePR enforced?

Nobody knows yet


Will this affect my business?

Depends on what you do and what information you collect from your customers. Check out this nice infographic for more info.


What organizations does GDPR apply to? 

If your visitor/customer is from the EU, GDPR is applied to your organization


Are there fines? 

Yes, but there are 3 more steps before you get a fine (see link above). Fines can go up to €20 million or 4% of global annual turnover (whichever is higher)

Regulation vs Directive

It is important to understand the difference between directive and regulation.

  • A directive is a legal act of the European Union, which requires member states to achieve a particular result without dictating the means of achieving that result.
  • Regulations have binding legal force throughout every Member State and enter into force on a set date in all the Member States.

A regulation is the same for all member states, while the e-Privacy Directive was created as a set of rules from which every Member State creates its own laws. Previously we had directives; now we are starting to follow regulations.

It's not about cookies!

The main goal of GDPR is to regulate how personal information is collected, stored, and erased. The e-Privacy Regulation isn’t just about cookies, it concerns electronic communications and the right of confidentiality, data/privacy protection, and more.

In fact, cookies are mentioned in GDPR only once:

Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

In other words: if cookies can be used to identify an individual, they are considered personal data (at least until ePR is enforced).

Cookies are only a small part of the personal data managed by organizations. This is why you should review how and what personal information you collect and store in order to comply with GDPR.

IMPORTANT: Using Cookie-Script (or any other cookie-related solution) does not mean your website is automatically compliant with GDPR. There are many other aspects of GDPR, so please read through all of them. There is plenty of information online on how to comply with all GDPR points; we will only focus on cookies here.

Another important thing to note: not all cookies are considered personal data. If you have a simple website, the cookies you set are not used to identify a person and you do not collect any personal information from your visitors, there is a high chance you do not need to worry about GDPR at all.

ePR and GDPR

Ok, so this one is pretty tricky and is usually not explained on other websites that offer cookie banner solutions.

The ePrivacy Regulation is lex specialis to the GDPR. That is a legal principle which essentially means that the lex specialis, in this case the ePrivacy Regulation, overrides the lex generalis, the GDPR, in the specific areas the ePrivacy Regulation covers. In other words, wherever ePR and GDPR overlap (for example, cookies), ePR should be used.

Basically, when it comes to cookies you only care about ePR, since GDPR does not focus on cookies and digital communications. ePR is specifically designed to explain how privacy and cookies should work together. The e-Privacy Regulation also replaces the e-Privacy Directive, which forces websites to show banners and is also known as the "Cookie Law".

Now comes the interesting part:

ePR and GDPR were both designed to apply from the same date (25th of May 2018), since they are designed to work together. However, for various reasons, ePR got delayed and will not come into force on the same date as GDPR. So what we have after the 25th of May is quite a tricky situation: the regulation designed to control how cookies are used (e-Privacy Regulation) is still in development, the old directive (e-Privacy Directive) is still in effect, and we simply apply GDPR and treat cookies as personal data (not all of them, only those that can be treated as personal data). It is not clear how strictly regulators will look at this, given that GDPR was not designed to regulate cookies in the first place. Once ePR is enforced, new changes will apply and most of the GDPR-driven changes regarding cookies (see below) will no longer be valid.

So what exactly will change from the 25th of May 2018 and until ePR is enforced?

Here are some key changes you should know when it comes to cookies:

1 Implied consent won't work anymore. This means you cannot set cookies (at least personalized cookies, which are now personal data) before the user has given permission. We will keep it as an option but will show a warning message if the user selects this option.

2 An option to withdraw consent should be always available.

3 Consent not needed for "non-privacy intrusive cookies". Examples include e-commerce cookies, remembering shopping cart histories, cookies for Google Analytics, and many others.

4 Consent should be unambiguous, which means a positive action by a visitor.

5 Strictly necessary cookies can still be set so that the website operates properly.
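To show how the five points above fit together in code, here is a minimal consent gate written for this article. It is an added example, not Cookie-Script's own code; the in-memory "jar" is a constructed stand-in for document.cookie so the logic also runs under Node, and the cookie names, categories and the cs_consent record are assumed.

```javascript
const NECESSARY = "necessary";

function memoryJar() {
  // Stand-in for document.cookie so the gate also runs under Node (constructed for this example)
  const store = new Map();
  return { get: (n) => store.get(n), set: (n, v) => { store.set(n, v); }, remove: (n) => { store.delete(n); } };
}

function createConsentGate(jar) {
  let allowed = new Set([NECESSARY]); // strictly necessary cookies may always be set (point 5)
  let given = false;                  // no implied consent: false until a positive action (points 1, 4)
  const pending = [];                 // non-necessary cookies requested before the visitor decided
  const categoryOf = new Map();       // cookie name -> category, needed to honour withdrawal (point 2)

  function setCookie(name, value, category) {
    if (allowed.has(category)) {
      jar.set(name, value);
      categoryOf.set(name, category);
      return true;
    }
    if (!given) pending.push({ name, value, category }); // hold it rather than set it
    return false;
  }

  function accept(categories) {
    // Unambiguous consent: only the categories the visitor actively chose become allowed
    given = true;
    allowed = new Set([NECESSARY, ...categories]);
    for (const p of pending.splice(0)) setCookie(p.name, p.value, p.category); // replays only allowed ones
    // The consent record is itself needed to honour the choice, so it counts as necessary
    setCookie("cs_consent", JSON.stringify({ ts: Date.now(), categories: [...allowed] }), NECESSARY);
  }

  function declineAll() { accept([]); } // decline all: choice recorded, only necessary cookies remain

  function withdraw() {
    // Withdrawal must stay available at any time: drop every non-necessary cookie already set
    for (const [name, cat] of [...categoryOf]) {
      if (cat !== NECESSARY) { jar.remove(name); categoryOf.delete(name); }
    }
    jar.remove("cs_consent"); categoryOf.delete("cs_consent");
    allowed = new Set([NECESSARY]);
    given = false;
  }

  return { setCookie, accept, declineAll, withdraw, isAllowed: (c) => allowed.has(c) };
}
```

In a real page the jar would write document.cookie and the accept/decline/withdraw functions would be wired to the banner buttons and the privacy-policy checkbox.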

Changes we are making

We do our best to make sure Cookie-Script stays up to date with the latest EU regulations. We also try to keep it nice and simple. Many solutions require technical knowledge; others are overloaded with functionality left over from the e-Privacy Directive, which is no longer relevant after the 25th of May 2018. We focus on simplicity and user-friendliness. Here are the key changes we are implementing in Cookie-Script to get it compliant with GDPR:

  • Implemented: New design option that covers the whole page (to make sure a clear affirmative action was taken by the user before navigating the website).
  • Implied consent will remain, but will not be selected by default. Also, a warning message will appear if implied consent is selected.
  • Implemented: New option "Show cookie icon" (allows the user to withdraw consent at any time). More designs are in progress.
  • Implemented: A button to decline all cookies. Saves the user's choice not to set any cookies except strictly necessary cookies.
  • Implemented: New piece of code (checkbox) to use on the privacy policy page, "Withdraw consent" (allows the user to withdraw consent on the cookie policy page).
  • Implemented: New option for strictly necessary cookies (to keep the website functioning even without user consent, like a webshop cart cookie).
  • Implemented: Functionality to record and store visitor consent in an encrypted way (this record is not considered personal data).
  • Implemented: A set of articles to better explain how and when the new options should be used.
  • Implemented: AWS caching. We are switching to Amazon Web Services to provide you with one of the fastest and most reliable code delivery options available on the market.

Once every change is implemented, it will be posted on the news page and on our Facebook page. You can follow the Facebook page to stay updated with the latest changes.

Disclaimer: The information on this webpage is for general information only and does not constitute legal advice. Please consult your own legal professionals if you seek advice on specific interpretations and requirements of any law.

New to CookieScript?

CookieScript helps make your website ePrivacy and GDPR compliant.

We have all the necessary tools to comply with the latest privacy policy regulations: third-party script management, consent recording, monthly website scans, automatic cookie categorization, cookie declaration automatic update, translations to 34 languages, and much more.