What the existing law says
The current key provisions regarding cookies are:
- Cookies – The current law requires websites to inform users that they set cookies, and to explain what those cookies do and why. Websites must obtain a user’s consent for non-essential cookies, although this can be implied (depending on how intrusive the cookies are).
- Browser cookie consent choices – While the PECR allows for browser settings as a means of obtaining consent, there is not a requirement for browsers to provide consent choices.
What the draft new law says
The key changes proposed by the new legislation are:
- Browser cookie consent choices – The draft legislation requires users to be provided with cookie consent choices as part of their browser software set-up. This approach appears to try to move the consent requirement away from individual websites to the browser providers (which could see an end to the need for cookie banners), though there appears to be little appetite from regulators to accept browser settings as sufficient. This provision is also drafted in very broad terms and includes any software that permits electronic communications, potentially capturing a broad range of other devices, which could include the Internet of Things.
- Increased territorial scope – The proposed ePrivacy Regulation applies to organisations anywhere in the world which provide publicly-available electronic communications services to, or gather data from the devices of, users in the EU.
- Wi-Fi / device location tracking – The proposals contain new provisions relating to Wi-Fi / device location tracking although there is currently some debate about whether such tracking should require express consent or whether an opt-out mechanism will be sufficient.
The legislation is still being negotiated, and this page will be updated following further developments.