Cookies, the GDPR, and the ePrivacy Directive

Every website places tiny text files on your device while you browse. These files are called cookies. Your web browser processes and stores these cookies. When you return to a website you visited before, the server reads the cookies stored in your browser and recalls information about you, like your previous browsing activity on the same website.

In this post, we will discuss what cookies do and why they matter. Different laws and regulations on the use of cookies emerge worldwide. Based on where you live and work, you must have heard something about CCPA cookie consent, GDPR cookie consent, ePrivacy Directive, or ePrivacy Regulation.

We will cover the basics of how cookies are affected by the GDPR, ePrivacy Directive and ePrivacy Regulation.

What cookies do and why they matter

Cookies are usually harmless; you can view and delete them without a problem. They are just text files, unable to run independently or install anything on your device. They cannot access or modify any other files on your device.

However, cookies have the power to identify you without your consent in some cases. Their primary purpose is to help advertisers reach you with highly customized and targeted ads. In some cases, cookies can store information that is considered personal. For this reason, cookies fall under the GDPR and the ePrivacy Directive.

All eyes are on the recent updates on a cookieless future. To understand cookie compliance rules and regulations, we need to be on the same page on the different types of cookies.

⚠️UPDATE: Google announced that it will no longer pursue its plans to phase out third-party cookies. Instead, the company will introduce a new solution: a one-time prompt that allows users to set their preferences, which will apply across all Google browsing experiences.

Types of cookies

There are three ways to classify cookies:

• Duration
• Origin
• Purpose

Let’s start with the duration criterion. Cookies are divided into such categories by their timespan:

• Session cookies. They last as long as your browser session does. When you close your browser, these cookies expire.
• Persistent cookies. Such cookies stay on your hard drive until you erase them manually or until they expire. The expiration date is written into the persistent code and can be very different. The ePrivacy Directive dictates that persistent cookies cannot remain on a device for longer than twelve months. In fact, they can remain there much longer unless you take action.

As for their origin:

• First-party cookies get to your device directly from the website you are visiting. The website you are browsing places them.
• Third-party cookies. Such cookies get to your device not directly from the website you’re on but from a third-party tool. Such cookies go to your device from a third-party service, like an analytics platform, social media, or advertising platform.

Some cookies don’t quite fit into any category. For instance, Facebook cookies are created by a third party, and working with them requires using Facebook marketing tools. However, you store them on your website like first-party cookies.

The purpose is another criterion for categorizing cookies:

• Essential. They are absolutely necessary for the website or app to function correctly and for you to use all of its functions. They are placed on your device automatically when you enter the website. Normally, they do not collect any personal information and thus do not require user consent. For instance, such cookies allow users to save items in their shopping cart while browsing the website.
• Non-essential. They are cookies that help businesses get the data they need. These cookies can be placed on the device only if the user consents to them.

Non-essential cookies can be further subcategorized into:

• Marketing cookies. These cookies track your online activity and can share that information with other advertisers or companies. Their purpose is to customize ads for you and limit how many times you see the same ad.
• Social networking tracking cookies. They allow users to share info from the websites on their social media. They also help website owners link the activity between their website and a third-party sharing platform.
• Analytics and customization cookies. Even though not crucial, these cookies help website owners understand how their website is used. This information can greatly help with website upgrades.

Now, it should be clear that different types of cookies either concern user privacy or don’t. Since cookies can affect users' privacy, companies are obliged to handle them carefully and in compliance with different regulations that are relevant to them.

The General Data Protection Regulation (GDPR) and cookies

The European Union wants to protect the privacy of its citizens with the help of the General Data Protection Regulation (GDPR). The GDPR is the data privacy and security law that includes hundreds of pages’ worth of new requirements for companies from across the globe. So far, it is the most comprehensive legislation that has ever been passed by any governing body.

It only mentions cookies once in Recital 30.

According to the GDPR, cookies qualify as personal data, since they are used to identify users. So, GDPR cookie consent compliance is a must if you are affected by it. Companies can process personal data of the users as long as it can be justified on the grounds of legitimate interests. Here’s an example of legitimate interest: your company has a legitimate interest when processing personal data within the client relationship for direct marketing purposes.

The GDPR recognizes a litany of new privacy rights for data subjects, which aim to give individuals more control over the data they loan to organizations. It’s vital to understand these rights to ensure you are GDPR compliant. If you fall under the GDPR Directive, everything you do in your organization must, “by design and by default,” consider data protection. We recommend seeking legal advice if your business falls under the GDPR to ensure you comply with the 88-page regulation.

GDPR is complemented by the ePrivacy Directive and ePrivacy Regulation. Let’s take a closer look at two of them.

ePrivacy Directive

ePrivacy Directive was passed in 2002 and later amended in 2009. The ePrivacy Directive (EPD) has become known as the “cookie law”. It is so because its most visible effect was the proliferation of cookie consent pop-ups after it was passed. It supplements the GDPR and in some cases, overrides it, addressing crucial aspects of the confidentiality of electronic communications and the tracking of Internet users widely.

The ePrivacy Directive gives extensive instructions on how users must be informed and have consent choices when sharing their electronic data. The ePrivacy Directive focuses on the companies' responsibility to collect and handle electronic data from users.

ePrivacy Regulation

ePrivacy Regulation, although frequently mentioned together with the ePrivacy Directive, is not the same thing. ePrivacy Regulation is a law that turns the ePrivacy Directive into binding law. All data privacy violations are to be handled according to this law.

The ePrivacy Regulation is in the stage of finalizing. It sets clearer rules on cookie usage.

The main points of ePrivacy Regulation are as follows:

• New players will also fall under the regulation: The privacy rules will apply to new players who provide electronic communication services such as WhatsApp, Facebook Messenger, and Skype.
• Through this directly applicable regulation, all individuals and businesses in the EU will receive the same level of protection for their electronic communications.
• Privacy of communications content and metadata will be guaranteed. If users did not give their consent for collecting it, such data should be anonymized or deleted. The only exception is when the data is required for billing.
• New business opportunities: when consent is given for processing communications data, traditional telecom operators get more opportunities to provide additional services.
• More straightforward cookie policies: there will be no more overload of consent requests for internet users. The new rule will be more user-friendly. Browser settings will provide an easy way to accept or refuse tracking cookies and other identifiers.
• Protection against spam: ePrivacy Regulation bans unsolicited SMS, email, or electronic calling machine communication.
• Make enforcement more effective: Data protection authorities, already in charge of the rules under the GDPR, will be responsible for enforcing the confidentiality rules in the Regulation.

If the ePrivacy Regulation is finalized in 2024, it won’t be fully in effect until 2026 due to the 24-month transition period.

Cookie compliance best practices

To comply with the cookie regulations that fall under the GDPR and the ePrivacy Directive, you must:

• Obtain user consent before using any cookies except for strictly necessary ones.
• Before the consent is received, provide precise and distinct information on the data you track and the purpose of such tracking.
• Document consent which you receive from users and store it.
• Make it possible for users to access your service without accepting non-essential cookies.
• Make withdrawing user consent as easy and transparent as giving consent.

Once more, if you fall under the GDPR and the ePrivacy Directive, we recommend seeking legal advice for implementing cookie compliance best practices in your business.

As the laws regarding user privacy become stricter and users become more cautious about sharing their data with third-party businesses, cookieless tracking becomes a hot topic for many businesses.

Server-side tracking is one of the most reliable and privacy-friendly methods of tracking user behavior without relying on cookies. With server-side tracking, the tracking code is executed on the server rather than the user's browser. This means the user's device does not need to store any tracking data, done entirely on the server side.

• Consent Settings for server GTM tags
• Consent mode in server Google Tag Manager
• Google Consent Mode V2
• Server-side consent management with sGTM and Cookiebot
• How to use consent status in the server GTM
• Cookieless tracking in Google Analytics 4
• EU-owned proxy server for sGTM or how to use Google Analytics GDPR compliant way

If you have any questions or need help understanding the concept of cookie-free tracking, contact us. Stape is an expert in server-side tracking. You can try Stape for free to see what it can do for your business.