GDPR Update: Cookies, new consent guidance and what’s on the horizon

As the General Data Protection Regulation (GDPR) approaches its second anniversary, organizations are eagerly awaiting a report by the European Commissioner – set to be released on May 25th – evaluating the law’s progress. Why so much interest? The report could potentially be a springboard for changes or reforms.

Nearly two years on, the marketing community is still adapting to the law’s ambiguities, particularly in relation to consent and cookies. Here are the latest updates, and their implications for Canadian organizations.

Continued delay of the ePrivacy regulation

Since the GDPR came into force on May 25, 2018, marketers have been waiting for the new ePrivacy Regulation (set to replace the current ePrivacy Directive),acompanion regulation to the GDPR covering the processing of personal information for electronic communication, including cookie usage.

The current ePrivacy Directive specifies that users must give opt-in consent before cookies are used, with a limited exception for ‘strictly necessary’ cookies. By contrast, under Canadian privacy rules, opt-out consent is considered reasonable if certain conditions are met.

Once adopted, the ePrivacy Regulation will apply uniformly across the EU. By contrast, the existing ePrivacy Directive is only enforced by EU member states who have incorporated it into national law. This fragmented landscape has led to discrepancies in interpretations among the privacy regulators of EU member states – known as the national Data Protection Authorities (DPAs) – on what constitutes “valid” consent, especially when it comes to the use of cookies. As European legislators struggle to reach a consensus, (a draft of the ePrivacy Regulation was voted down in late 2019), implementation of the new regulation could be at least a year off.

Leave a Reply

Your email address will not be published. Required fields are marked *