ePrivacy Directive Draft Update

Hungry for more? Cookies, Marketing and the draft Privacy Regulation

Discussion around updating the current ePrivacy Directive – which the UK applies via the Privacy and Electronic Communications Regulations (PECR) – started in early 2017.

It was meant to come into force at the same time as the GDPR in May 2018. And like the GDPR, it will be a Regulation – so will apply directly to EU Member States, rather than requiring the adoption of (potentially conflicting) national laws.

After many drafts, we have the latest. This is from the Portuguese presidency, and came in early 2021. See the new draft. Here’s what we learnt.

 Before we start…Brexit

Any change is unlikely to enter into force before 2023. And this only happens if Member States agree on a final version in the next few months.

And will the UK adopt it? The Government is already making noises that we will maintain the GDPR’s high standards but that we do not need to copy and paste the EU’s rule book…

The Brexit Agreement commits both sides to upholding “high standards of data protection” and the UK is keen to secure the Adequacy Decision.

So, the answer is…who knows, at this time. But one thing to consider. The draft Regulation has the same “territorial scope” provisions as the GDPR: it will apply to people “who are in the Union.” So, if you place cookies on the devices of data subjects in the EU and/or market to them, it would apply anyway.

 Overall idea

The draft seeks to align the rules around cookies and marketing to the GDPR. The concept of accountability, so central to the GDPR, is therefore pushed to the forefront.

You need to know, and be able to demonstrate you know, what you are doing when you decide to place cookies on people’s devices…and also whether you should let other companies (like Facebook) place cookies too.

 Direct Marketing

The draft proposes little change to the current position. The following remain as now:

  • You need prior consent to send Direct Marketing via email, or SMS, or make automated calls.
  • Live calls to numbers not on the TPS/CTPS can still be made on the basis of legitimate interests.
  • The soft opt-in stays – the only change being that the UK could define a cut-off point after a sale when you would have to stop sending messages.
  • You can still send B2B messages (i.e. to people in their working, professional life) on the basis of legitimate interests.

The only major change is that the definition of what’s covered by “electronic message” is expanded to include “functionally equivalent applications and techniques”.

  • This means that messages sent via WhatsApp, Messenger and other “over the top” services will now be covered, the same as email / SMS.


The draft provides a helpful update in how to approach cookies. It follows the GDPR method of first stating what you cannot do, and then outlining when it is possible.

So, the draft says you are prohibited from placing a cookie on a person’s device unless you can find a condition to justify doing so.

There are six conditions for when the placing of a cookie is necessary. This list consolidates the current times when cookies don’t need consent – i.e. the “communication” and “strictly necessary” exemptions in the PECR (and its amendments):

  1. For carrying out transmission of an electronic communication
  2. For providing a service specifically requested by the end-user
  3. For audience measurements, subject to certain conditions
  4. To maintain or restore the security, prevent fraud or detect technical faults
  5. For a software update, subject to conditions, or
  6. To locate their device when the person makes an emergency call.

Of most interest are #2 – e.g. the contract someone signs might require that a cookie be placed to provide a service they have requested or bought from you – and #3 – you can use cookies to collect audience data (e.g. on numbers of visitors to certain pages of your website).

But this doesn’t cover when you want to go that step further and determine who is using the site (i.e. when you want to single out users and track them).

This, like other non-necessary cookies, will, as now, require consent.

Finally, there is a new condition, mirroring the GDPR concept of purpose compatibility: you can place a cookie if it is necessary for a purpose that is sufficiently compatible with the original purpose for which you placed the cookie in the first place.

 Consent using browser / software settings

The draft recognises that we are often requested to provide consent to cookies, due to the ubiquitous use of tracking cookies and similar tracking technologies.

This often means we’re overloaded with requests and stop reading the cookie banners…meaning the protection offered by consent is undermined.

To address this, the draft proposes the concept of providing consent via technical settings on your browser or other software application. That is, you can grant, through software settings, consent to a specific provider for the use of cookies for one or multiple purposes across one or more services of that provider.

So, watch this space to see if software companies take to this idea, and start developing their browsers.

 Can you make access to your website dependent on the person giving you consent for non-necessary cookies?

Yes. And no. It depends on whether you are giving the person a genuine choice:

  • Yes: If you provide clear, user-friendly information about the purposes of cookies and there is an equivalent offer that does not involve consenting to non-necessary cookies.
  • No: If there is a clear imbalance between them and you, such as there being only few or no alternatives to the service (i.e. no real choice) or you’re a provider in a dominant position.

The elephant in the room – the personal data generated by the Cookies you place

PECR, and the draft Regulation, define the rules for when you can place a cookie on a device. They do not contain any specific rule for doing anything with the data subsequently generated by the cookie.

Cookies generate data. Some of it is personal data. A recital in the draft quietly notes this: “The information collected from [someone’s device] can often contain personal data.” (recital 20).

The ICO’s Guidance on the use of cookies and similar technologies from July 2019 has a section called “Do the rules apply to the processing of personal data gained via cookies?”

Yet thus far, the focus has been on cookie banners and consent for placing the cookie, with little (if any) consideration of the lawful basis for processing the data generated by the cookie.

The ICO’s Guidance notes in an example “Tracking and profiling for direct marketing and advertising” that

consent would be required for processing like tracking and profiling for purposes of direct marketing, behavioural advertisement, data-brokering, location-based advertising or tracking-based digital market research due to the nature of the processing operations and the risks posed to individuals.

“…in most circumstances, legitimate interests is not considered to be an appropriate lawful basis for the processing of personal data in connection with profiling and targeted advertising.”

Yet the vast, overriding majority of organisations currently just about obtain consent for the cookie…and don’t get the second consent for processing the personal data generated by cookies for these purposes. They instead rely on legitimate interests (without quite realising they are doing so).

So, just like the shift from the DPA 1998 to the GDPR, the shift from the PECR to the new PECR will very likely have the same underlying message: we’ve known the rules for years; we know what we should be doing…now we really must do what the law requires and be accountable for it.