WTF is the EU ePrivacy directive?

This article is a WTF explainer, in which we break down media and marketing’s most confusing terms. More from the series →

A term which has been dormant in media headlines, and most likely Google searches, for a couple of years, resurfaced again this week: The European Union ePrivacy directive, also known as the EU cookie directive, is back. This has been due a revision that updates it to correlate better with its big brother, the General Data Protection Regulations.

Any update to EU-wide data laws, though important, can be horribly dry (and confusing) to digest.

We’ve broken down some of the most important points for marketers and publishers who want to know more about it.

So WTF is the EU cookie directive?
Europeans are all familiar with slightly annoying banner pop-ups that appear on any website they visit, asking for consent to collect cookies. That was the product of the last (and existing) EU cookie directive update. Essentially, it is the European Commission’s way of trying to apply some regulation to how companies collect individuals’ data online, and give people more choice over how their cookies are used to track them. At least that’s the theory.

So that’s a good thing, right?
Yes and no. The idea of giving people more choice over how their cookies are collected may be sound. The reality of how that can actually be executed is complex and messy — and potentially won’t result in a better user experience.

How so?
One of the goals with these latest EU cookie proposals is to drop the need for the existing banners that ask for people’s permission to drop cookies, having deemed them annoying. The rub: The alternative of what publishers (and any business that runs a website and drops cookies on visitors) will have to do may result in, ironically, more banners. These updated proposals will mean, for example, that publishers, brands and anyone collecting or analyzing data for the purposes of advertising will have a few more hoops to jump through to gain consent.

So what are the hoops?
In the revised law, consumers will be the ones setting their privacy settings via their browsers or any mobile apps they use. In theory, that means they can select options for how much they let themselves be tracked — they may agree to allow all their cookies to be used, or just some, or none. And they will need to set that up in their browser settings. That way, websites would supposedly read the cookie preferences set in users’ browsers. At least, that’s the theory. But if users opt against allowing most cookies, then publishers may have to issue a pop-up every time the users visit their site to inform them that they need to give permission first — much like ad-blocker pop-up messages currently work, according to the IAB’s head of policy and regulatory affairs, Yves Schwarzbart.

There’s also been some clarity on an area that there was some confusionlast year — whether publishers are legally within their right to use ad blocking detection software. That seems to have been a storm in a tea cup. The European Commission has revealed that this is totally fine.

And what about messaging apps?
Tougher rules on how messaging services, such as WhatsApp, Skype and Gmail, are included in the revised proposals. There are already tight regulations around SMS text messages, which telcos already abide by, meaning safeguards are in place to ensure confidentiality of messages sent, for example. To date, newer companies like WhatsApp — which provide over-the-top services, but which many people now use to send messages — haven’t been included. The revisions now rectify that.

So do companies need consumer consent to gather all data now?
No. There are certain exemptions. For example, a supermarket that provides online shopping won’t have to ask for consent to remember shopping-basket data. And that also includes counting visits to a specific person’s site.

What else is different about these new proposals?
These proposals have intentionally been revised to align better to the GDPR. But one of the biggest differences between them currently is that GDPR is a regulation, and the cookie law is a directive. And the difference between the two is quite important: A regulation means that each of the 28 member states in the EU must adhere to the exact same laws and ways of implementing them. No wiggle room whatsoever. Whereas each country in the EU can implement whatever version of a directive works best for their individual markets. So those with a more advanced digital advertising landscape, like the U.K., needn’t apply such strict rules as the likes of Germany or Scandinavian countries, for example. But the EU ePrivacy proposals released this week are suggesting the directive become regulation. And it’s “very likely” this will become the case, according to Schwarzbart.

This sounds very similar to GDPR.
Yes, that’s intentional. And again, ad tech companies that provide the ad services but don’t have the direct access to the customer data (like a publisher or a brand might with its customer relationship data) will find the changes a lot trickier to implement.

What are the next steps?
The revised laws will now go to the European Parliament, and the EU’s Council of Ministers, who represent the 28 member states, will have a chance to make amendments. The goal is to have them ready for implementation at the same time as GDPR: 2018.

More in Media

Immediate deepens CMP strategy, slashes ad tech partnerships for sharper data governance

Consent management platforms at Immediate aren’t just about ticking boxes for data laws.

Teads’ M&A rumors are firming up with a deal to merge with Outbrain

The latest installment of ad tech M&A activity is leaving some industry folks surprised.