ePrivacy: Everything you need to know about the EU Cookie Law

What do you know about the EU Cookie Law? You’ve no doubt taken efforts to comply with GDPR, but you should also be prepared for the new ePrivacy directive that’s about to take effect. How can you do that?

In this article, we have summarized everything you need to know about the new ePrivacy. And now, we will give you all the keys to anticipate and best prepare for this new directive.

You’ve probably heard about GDPR and the ePrivacy directive, but do you really know the difference between these two terms? At Mailjet, we took a close look at the new ePrivacy directive. In 2018, we commissioned a study to understand the impact that ePrivacy will have on marketing strategies and on companies’ return on investment (a survey of 200 marketing decision-makers in Europe). According to this survey, 85% of marketers say they know the difference between ePrivacy and RGPD.

But 15% do not know, and clarity is key. To put it simply, the ePrivacy regulation is a special law of the GDPR. This means that it complements the GDPR with specific rules that apply to the electronic communications sector. As a special law, it replaces the GDPR in the specific areas it covers.

The ePrivacy, also known as the European Cookie Law, makes it mandatory to obtain users’ consent before any operation to write or read cookies and other tracers, with a few exceptions. 

A cookie is a sequence of information, generally small and identified by a name, that can be transmitted to your browser by a website to which you connect. Your web browser will keep the cookie for a certain period of time, and will send it back to the web server each time you reconnect to it. 

Cookies have multiple uses. For example, they can be used to remember things like:

• Your customer ID from a merchant site so that you can log in more easily the next time you visit.
• The contents of your shopping cart so that you can find the items selected during your previous visit.
• Your navigation on a website for statistical or advertising purposes.

Cookies can be used to memorize your navigation for statistical purposes.

Although it might seem that European laws only apply in Europe, a globalized world like ours means brands have clients and website visitors all around the world. As with GDPR, the application of ePrivacy applies to all companies who serve citizens of the European Union. That means that if your company has clients in the EU, you’ll be required to comply with the regulation or risk fines.

Originally, the ePrivacy regulation was to be approved in the European Union at the same time as the implementation of the GDPR on May 25, 2018. However, this date has been pushed back so that the details of the regulation could be finalized. 

So then, where are we today? The EU Council agreed to a draft earlier in 2021, although there’s still no clear timeline for its implementation. Once the project is adopted, though, companies will likely have some time (i.e., a few months) to adapt.

To understand which cookies are affected by ePrivacy, it’s easier to look at those that are actually exempt.

The consent requirement does not apply to operations whose exclusive purpose is to enable or facilitate communication by electronic means. It also doesn’t apply to operations that are strictly necessary for the provision of an online communication service at the express request of the user. 

In particular, the following cookies can be considered exempt:  

• Cookies that retain the choice expressed by the user on the cookie storage or the user’s wish not to express a choice.  
• Cookies intended for authentication with a service.  
• Cookies intended to remember the contents of a shopping cart on a merchant site.  
• Cookies for customizing a user interface (for example, for choosing the language or presentation of a service).
• Cookies for balancing the load of equipment contributing to a communication service.  
• Cookies allowing paying sites to limit free access to their content to a predefined quantity and/or over a limited period of time.  
• In some cases, cookies that enable audience measurement.

For example, in the case of a service offered via an app or a website that requires the user to log in, the service publisher may use a cookie to authenticate the user without asking for their consent (as this cookie is necessary for the provision of the online electronic communication service). However, it can only use this same cookie for advertising purposes with the user’s consent.

As we mentioned before, a globalized world means our clients and website visitors could be anywhere. That’s why, regardless of which country an organization is based in, it’s important that they ensure they are following the general guidelines for compliance with the European Cookie Law.

If a company is not currently in compliance with the directive, some potential changes they can implement are:

• Know the and whether or not they need to be fully or partially compliant with its regulations — some organizations
• If they are not fully exempt, they should ensure that they are asking for users’ clear consent to allow tracers and cookies to collect their information. 
• Depending on their country, understand who the right authority for ePrivacy regulations is.

The European Commission–the executive branch of the European Union–is responsible for the enforcement of GDPR and ePrivacy regulations. Most countries within the EU–for example, France, Germany, and Spain–are expected to comply with data privacy laws in similar ways, and to follow the guidance and laws of the Commission.

However, countries outside the EU may have differences in their laws, guidances, and expected practices. That’s why it’s important to know who your local authority is and keep an eye on their regulation and guidelines.

• In the United Kingdom: Following the announced withdrawal of the UK from the European Union, information rights regulations are now handled by the UK-specific. Companies that are based within the UK should use the ICO to check for potential updates and changes to the European Commission’s guidelines.
• In the United States and Canada: The United States and Canada, as separate entities from the EU, do not follow the regulations of the European Commission. Data privacy laws are created, implemented, and revised on a national, state, and provincial level. 

As we have mentioned before, compliance with digital privacy laws often applies to where the company is based, but also to where its digital presence is based. The best way to ensure that your business is in full compliance is to check with your country’s data privacy regulation agency and verify what laws might apply.

According to the Mailjet study, 93% of marketers today use cookie-based advertising to reach their customers. With the new ePrivacy regulations, companies will have the obligation, with few exceptions, to collect the consent of users before any operation of writing or reading cookies and other tracers.

From a brand perspective, this could mean a drastic reduction in the amount of data held on Internet users. Professionals have understood that they will have to review their marketing strategy, with 30% planning to reduce the number of advertising based on cookies, immediately after the entry into force of the new ePrivacy regulations.

For certain sectors such as the media, the European Cookie Law even threatens their business model on the Internet. 

The European regulation bodies knew that the application of this law is likely to have an economic impact on certain businesses. This is why they have highlighted the fact that some businesses may be completely or partially exempt from the ePrivacy directive.

But then what solutions can be implemented to compensate for this reduction in the number of data retrieved via cookies? Here are some potential changes that marketers can implement:

• Collect data on their audiences through other means than cookies, for example through surveys or opinion polls. This solution has the advantage of improving the understanding of consumers’ motivations and needs.
• Review their priorities regarding their acquisition channels. For example, 80% of marketers say they will use more after the EU Cookie Law comes into being, according to the Mailjet study.
• Determine new creative advertising formats which are no longer conditioned solely by the collection of personal data. For example, Facebook will test new forms of search advertising along the lines of Google Adwords.

Despite the potential consequences of the new ePrivacy directive, a majority of professionals believe that this new regulation will represent a positive change for their business in the long term. The new Cookie Law will encourage brands to be more transparent about the information they follow, which will help customers see them as more trustworthy.

As an emailing solution, data protection is at the heart of Mailjet priorities. Mailjet holds the ISO 27001 certification, the international standard for information systems security, as well as the AFNOR certification guaranteeing compliance with the main principles of the GDPR. Mailjet offers its customers the highest level of data privacy and security.

Email is the marketing channel with the best return on investment, which is why many companies are planning to use email marketing even more after the new EU Cookie Law comes into effect. To learn how Mailjet has helped businesses boost the email program and discover what we could do for you, check out our resources and success stories.

Author: Julie Paci Julie Paci was a Strategic Marketing Manager specialist and the French Marketing Manager at Sinch Mailjet. She's a creative and passionate writer and was a resident host at our French webinars and Email Camp. She writes about email marketing strategies to help the French market make the most of their email programs.