Previous drafts of the ePrivacy Regulation provided for a general ban on technically unnecessary cookies, with the exception that users may agree to their use in advance. The initial draft of this regulation was solely concerned with web applications. The draft released on March 22nd, 2018 covers all kinds of machine-based communication like apps, email, and metadata collection for VoIP calls. It also covers inter-machine communication, like M2M communication.
The ePrivacy Regulation should also be of interest to international communication service providers, including those from the USA. The regulation stipulates that the rules apply as soon as a terminal is located within EU borders. It is irrelevant where data processing for a controlled service takes place.
Data protection here in the US, for example, is somewhat less stringent. Since the scope of the new ePrivacy Regulation applies as soon as a terminal in Europe accesses communication services, US companies will have to consider their use of cookies for European users and make decisions about whether to run targeted advertising, or whether to confront users with a paywall.
The first draft of the ePrivacy Regulation stipulated that the manufacturer should generally have the highest privacy settings pre-set in browsers. When operating with this setting checked, the browsers would not accept third-party cookies. As a result, cookie banners which are extremely popular would disappear since users would have to actively choose to accept cookies with each software installation. This requirement was based on the principle of “Privacy by Design”, as described in the GDPR. However, a more recent design has relaxed the rules for browser settings somewhat. Users can now choose whether to allow cookies according to the website again.
The prohibition of coupling declares that being able to access a website should not be dependent on whether a user consents to the use of cookies. However, there are legitimate purposes that may require the use of cookies. If, for example, a user has to authenticate a transaction while online banking or if they want to make use of an online store’s shopping cart, using cookies is necessary. If website operators inform users, and they can clearly understand the purpose, consent and use can be applied to cookies.