You’re probably pretty fed up with clicking on cookie banners and consent popups by now. Most likely, you reached the stage of clicking the obvious highlighted option without really thinking about it. Or perhaps you’re one of the (rare) people who automatically rejects all cookies and only grants consent if you absolutely must.
Either way, millions of people in Europe assume that cookie banners and consent popups are both part of GDPR. However, the reality is more complex. Cookie banners are actually implemented in order to meet the requirements of the EU ePrivacy Directive as well as GDPR. Meanwhile, consent is firmly under GDPR, like that little checkbox you usually have to click when you complete a signup form.
Here, we explore the implications of this fragmented privacy landscape and explain why harmonisation may be better than deregulation. TLDR; cookie banners are complicated to understand, but easy to solve with the right tools. By contrast, consent appears easy to understand, but is actually hard to get right.
GDPR vs the ePrivacy Directive, a bit of history for the curious
The EU has been leading the way in privacy and data protection for decades. The original EU Data Protection Directive was enacted almost 30 years ago and pioneered the idea of cross-border regulation of data protection. A few years later, the EU parliament passed Directive 2002/58/EC on Privacy and Electronic Communications, also known as the ePrivacy Directive. This Directive was designed to update the Data Protection Directive to take into account the rapid changes to electronic communications over the intervening seven-year period. Thus, the ePrivacy Directive deals with issues like spam, cookies, and confidentiality of electronic communications. Roll forward another 16 years and you get to the GDPR, replacing the Data Protection Directive, and enshrining Data Protection in law across the EU.
Directives vs Regulations
Before we go further, it’s important to understand some of the arcane differences between different types of EU regulation. The EU-geeks among you will already know that a Directive differs from a Regulation. Regulations are binding in their entirety and must be transcribed into the Member States’ Laws. By contrast, Directives only require Member States to achieve the aims of the Directive. In theory, this means that a Regulation will be applied and enforced equally in every EU State. Whereas how a Directive is enforced may differ between States. Of course, as the GDPR has highlighted, even EU Regulations leave a surprising amount of room for “interpretation” by different countries. Hence the lack of harmonisation in how GDPR has been enforced.
But that’s a topic for another day…
Why didn’t the GDPR replace the ePrivacy Directive?
At the time it was passed, the GDPR was one of the most contentious and far-reaching EU laws to make its way through the tortuous EU Legislature. As a result, its scope was strictly limited to data protection. Of course, data protection and privacy are inextricably linked, and so many aspects of the ePrivacy Directive became duplicated in the principles that underpin the GDPR. However, the GDPR explicitly relates to the protection of data of natural persons. Whereas the ePrivacy Directive relates to privacy of electronic communications more generally. The upshot is that some aspects of privacy, such as cookie banners, remain under the purview of the ePrivacy Directive.
Thus, GDPR and ePrivacy have distinct focuses:
- GDPR: Regulates all personal data processing, in whatever form.
- ePrivacy: Covers electronic communications, which may also involve personal data processing.
Why does this matter?
The decision to leave cookie regulation as part of the ePrivacy Directive has had some pretty significant impacts on companies that do business online. The problem stems from the different ways that Directives are captured in the laws of each EU Member State. As we already saw, a Directive just requires the country to meet the aims of the Directive. In some cases, this will mean doing the minimum to achieve this, in other cases, it means adding many additional checks and balances. Implementation of cookie banners is a clear example of the weakness in this approach to EU wide legislation.
The only common requirements relating to cookie banners are:
- Display a cookie banner when a user first visits your site
- Create and implement a cookie policy that a user can view
- Provide details of all your own and 3rd party cookies that will be installed
- Capture and store a user’s consent to the cookies
- Prior to consent, only store cookies that are exempt from these requirements
However, many countries interpret these very differently, or even add their own requirements. For instance, some countries require a clear "reject all" button in a cookie banner, while others allow more flexibility. Some require you to show the user every individual cookie, others let them be grouped by type and functionality.
How can I ensure my cookie banner is compliant?
Staying compliant means keeping on top of the laws of 27 different EU States, not to mention the additional challenges in countries like Germany (home to 17 different data protection regulators!). To stay compliant, you should ensure that your cookie banner includes:
- A reject button in the first layer. Many authorities now require this!
- No pre-ticked boxes. Consent must be explicit.
- Avoid dark patterns—make all options equally visible and accessible.
- Accurately classify cookies. Know which ones are "essential" and exempt from consent, and which require explicit user approval.
- Make it easy for users to withdraw consent at any time. A simple link on all pages of your website can help with this.
In most cases, the only sane way to do this is to use one of the many tools out there that capture details of all your own and 3rd party cookies, and displays a suitable cookie banner for each country your site visitors are coming from.
But if cookie banners are about consent, how is that different from GDPR consent?
This is a great question. Consent is one of the fundamental principles underpinning the General Data Protection Regulation. We don’t have space to go into the full details, but here’s a brief summary. The GDPR only allows you to process an individual’s personal data if you have a lawful reason to do so. This so-called legal basis must be one of those set out in the regulation. The first legal basis is consent. As the regulation puts it:
“the data subject has given consent to the processing of his or her personal data for one or more specific purposes;”
Consent simply means that you ask the person to confirm that you are OK with them processing the data and why you need to do so. If the personal data is especially sensitive like health data, then the GDPR requires a more exacting “informed consent”. This requires the user to actively read and understand what they are consenting to and should give them additional details of the processing involved.
So, consent is easier than cookie banners, right?
Sadly, consent is a real legal minefield that needs lawyers to navigate safely. This is because there are several other legal bases that may apply in certain circumstances. For instance, the data might need to be processed in order to meet some overarching legal obligation. Incidentally, this one causes a lot of complexities relating to GDPR consent. A great example is insurance companies in Germany, who can keep your record for 6 years if you filed a claim of any sort, even if you revoke consent for it or use your right to be forgotten. This is where companies like Chino.io come in. Our lawyer-led service ChecksMATE guides you through these complexities and ensures you are GDPR compliant with the minimum of fuss.
What does the future hold?
For some years there have been active efforts to upgrade the ePrivacy Directive into an ePrivacy Regulation. The problem is, at the same time we have seen a steady rise in populist politicians who decry regulations as bad and promise to “deregulate the EU”. These politicians are right in one way–maintaining compliance with EU Regulations and Directives imposes a huge burden on businesses. And this burden is especially high for SMEs and innovative startups. But as with so many issues, their solution is wrong. Deregulation won’t improve the situation because it will simply lead to even more fragmented regulation between countries. Instead, we need more harmonisation across regulations and more agreement on how to interpret and enforce the rules. Hopefully future projects will be approved and we will see harmonization soon. But until then, it’s essential to stay updated on both EU-wide regulations and local guidelines to ensure full compliance.
Need help figuring it out? We’re here to help! 🙋
Chino.io is the one-stop shop for solving all privacy and security compliance aspects.
As a partner of our clients, we combine regulatory and technical expertise with a modular IT platform that allows digital applications to eliminate compliance risks and save costs and time.
Chino.io makes compliant-by-design innovation happen faster, combining legal know-how and data security technology for innovators.
To learn more, book a call with our experts.
