GDPR and e-Privacy Regulation compliance

In this article we discuss how the GDPR (General Data Protection Regulation) and the ePR (e-Privacy Regulation) affect cookie usage on your website, and how Cookie-Script helps your website become compliant with GDPR.

First things first, here is a quick FAQ about GDPR and ePR.

What is GDPR?

GDPR stands for General Data Protection Regulation: a new regulation created to improve data privacy.

What is ePR?

ePR stands for e-Privacy Regulation: a regulation for electronic communications and the right of confidentiality.

When is GDPR enforced?

25th of May 2018.

When is ePR enforced?

Nobody knows yet.

Will this affect my business?

It depends on what you do and what information you collect from your customers. Check out this nice infographic for more info.

Which organizations does GDPR apply to?

If your visitor/customer is from the EU, GDPR applies to your organization.

Are there fines?

Yes, but there are 3 more steps before you get a fine (see link above). Fines can go up to €20 million or 4% of global annual turnover (whichever is higher).

Regulation vs Directive

It is important to understand the difference between a directive and a regulation.

  • A directive is a legal act of the European Union, which requires member states to achieve a particular result without dictating the means of achieving that result.
  • A regulation has binding legal force throughout every Member State and enters into force on a set date in all the Member States.

A regulation is the same for all member states, while the e-Privacy Directive was created as a set of rules from which every Member State created its own laws. Previously we had Directives; now we are starting to follow Regulations.

It's not about cookies!

The main goal of GDPR is to regulate how personal information is collected, stored and erased. The e-Privacy Regulation isn't just about cookies either: it concerns electronic communications and the right of confidentiality, data/privacy protection and more.

In fact, cookies are mentioned in GDPR only once:

Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

In other words: if cookies can be used to identify an individual, they are considered personal data (until ePR is enforced).

Cookies are only a small part of the personal data that is managed by organizations. This is why you should review how and what personal information you collect and store in order to comply with GDPR.

IMPORTANT: Using Cookie-Script (or any other cookie-related solution) does not mean your website is automatically compliant with GDPR. There are many other aspects of GDPR, so please read through all of them. There is plenty of information online on how to comply with all GDPR points; we will only focus on cookies here.

Another important thing to note: not all cookies are considered personal data. If you have a simple website, the cookies you set are not used to identify a person and you do not collect any personal information from your visitors, there is a high chance you do not need to worry about GDPR at all.

ePR and GDPR

Ok, so this one is pretty tricky and is usually not explained on other websites that offer cookie banner solutions.

The ePrivacy Regulation is lex specialis to the GDPR. That is a legal principle which essentially means that the lex specialis, in this case the ePrivacy Regulation, overrides the lex generalis, in this case the GDPR, for the specific areas the ePrivacy Regulation covers. In other words, wherever ePR and GDPR overlap (for example, cookies), ePR should be used.

Basically you only care about ePR when it comes to cookies, since GDPR does not focus on cookies and digital communications. ePR is specifically designed to explain how privacy and cookies should work together. The e-Privacy Regulation also replaces the e-Privacy Directive that forces websites to show banners, also known as the "Cookie Law".

Now comes the interesting part:

ePR and GDPR were both designed to apply from the same date (25th of May 2018), since they are designed to work together. However, for various reasons ePR got delayed and will not come into force on the same date as GDPR. So what we have after the 25th of May is quite a tricky situation: the regulation designed to control how cookies are used (the e-Privacy Regulation) is still in development, the old directive (the e-Privacy Directive) is still in the air, and we just use GDPR and treat cookies as personal data (not all of them, only the ones that can be treated as personal data). It is not clear how strictly regulators will look at this, bearing in mind that GDPR is not designed to regulate cookies in the first place. Once ePR is enforced, new changes will apply and most of the GDPR changes regarding cookies (see below) will no longer be valid.

So what exactly will change from the 25th of May 2018 until ePR is enforced?

Here are some key changes you should know about when it comes to cookies:

1 Implied consent won't work anymore. This means you cannot set cookies (at least personalized cookies, which are now personal data) before the user has given you permission. We will keep it as an option, but will show a warning message if the user selects this option.

2 An option to withdraw consent should always be available.

3 Consent is not needed for "non-privacy intrusive cookies". Examples include e-commerce cookies, remembering shopping cart histories, cookies for Google Analytics and many others.

4 Consent should be unambiguous, which means a positive action by the visitor.

5 Strictly necessary cookies can still be set in order for the website to operate properly.
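The following is an added example, not Cookie-Script's own code, showing how the five rules above translate into a consent gate in front of cookie writes: nothing outside the strictly necessary category is set until an explicit accept, and a withdrawal removes cookies that were set under the withdrawn category. The category names and the in-memory jar (standing in for document.cookie so it runs in Node) are assumptions.

```javascript
// Category that may be set without consent (rule 5). Other names are our own choice.
const NECESSARY = "necessary";

class ConsentGate {
  constructor(store) {
    this.store = store;          // anything with set(name, value), remove(name), names()
    this.consented = new Set();  // categories the visitor affirmatively accepted
    this.owned = new Map();      // cookie name -> category, so withdrawal can clean up
  }
  // Consent exists only after a positive action (rules 1 and 4); nothing is implied.
  accept(categories) { for (const c of categories) this.consented.add(c); }
  // Withdrawal must always be possible (rule 2) and undoes cookies already written.
  withdraw(category) {
    this.consented.delete(category);
    for (const [name, cat] of this.owned) {
      if (cat === category) { this.store.remove(name); this.owned.delete(name); }
    }
  }
  // "Decline all": keep only strictly necessary cookies.
  declineAll() { for (const c of [...this.consented]) this.withdraw(c); }
  // Write a cookie only if its category is strictly necessary or consented to.
  setCookie(name, value, category) {
    if (category !== NECESSARY && !this.consented.has(category)) return false;
    this.store.set(name, value);
    this.owned.set(name, category);
    return true;
  }
}

// Constructed in-memory jar; a browser adapter would read and write document.cookie.
class MemoryJar {
  constructor() { this.jar = new Map(); }
  set(name, value) { this.jar.set(name, value); }
  remove(name) { this.jar.delete(name); }
  names() { return [...this.jar.keys()]; }
}

// Walk through the lifecycle: blocked write, necessary write, accept, write, withdraw.
function demo() {
  const jar = new MemoryJar();
  const gate = new ConsentGate(jar);
  const beforeConsent = gate.setCookie("ad_id", "x1", "advertising"); // blocked
  gate.setCookie("cart", "abc123", NECESSARY);                         // always allowed
  gate.accept(["advertising"]);                                        // explicit click
  const afterConsent = gate.setCookie("ad_id", "x1", "advertising");   // now written
  gate.withdraw("advertising");                                        // ad_id removed
  return { beforeConsent, afterConsent, remaining: jar.names() };
}
```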

Changes we are making

We do our best to make sure Cookie-Script stays up to date with the latest EU Regulations. We also try to keep it nice and simple. Many solutions require technical knowledge from you; others are simply overkill, with functionality left over from the e-Privacy Directive that is no longer relevant after the 25th of May 2018. We focus on simplicity and user-friendliness. Here are the key changes we are implementing in Cookie-Script in order to make it compliant with GDPR:

  • New design option that covers the whole page (to make sure a clear affirmative action was taken by the user before navigating the website).
  • Implied consent will remain, but will not be selected by default. A warning message will also appear if implied consent is selected.
  • New option - Show cookie icon (allows the user to withdraw consent at any time).
  • A button to decline all cookies - saves the user's choice not to set any cookies except strictly necessary cookies.
  • New piece of code (checkbox) to use on the privacy policy page - Withdraw consent (allows the user to withdraw consent on the cookie policy page).
  • New option - strictly necessary cookies (to keep the website functioning even without user consent, like a webshop cart cookie).
  • Functionality to record and store visitor consent in an encrypted way (this record is not considered personal data).
  • A set of articles to better explain how and when the new options should be used.
  • AWS caching - we are switching to Amazon Web Services in order to provide you with one of the fastest and most reliable code delivery options available on the market.

Once every change is implemented, it will be posted in the news and on our Facebook page. You can follow the Facebook page to stay updated with the latest changes.

Disclaimer: The information on this webpage is for general information only and does not constitute legal advice. Please consult your own legal professionals if you seek advice on specific interpretations and requirements of any law.