The Privacy and Electronic Communications (e-Privacy) Directive was last reformed in 2009 and resulted in major changes to the way website operators display information about cookies and obtain internet users' consent to their use.
However, Jean-Claude Juncker, the new president of the European Commission, has said further reforms should be pursued, from possibly as early as next year. Juncker made the recommendation in a letter to Günther Oettinger (7-page / 153KB PDF), the new EU commissioner for digital economy and society.
"During our mandate, I would like you to focus on … supporting the vice-president for the digital single market and the commissioner for justice, consumers and gender equality in finalising the negotiations on an ambitious Data Protection Regulation in 2015," Juncker said. "On the basis of the outcome of this legislative process, you should prepare a reform of the e-Privacy Directive, liaising closely with the vice-president for the digital single market, with the support of the commissioner for justice, consumers and gender equality."
Cookies are small text files, stored on internet users' computers, which record those internet users' online activity. Cookies have many uses, such as for remembering behaviours for purposes such as personalising the user experience on websites or delivering better targeted advertising.
In 2009, the e-Privacy Directive, originally established in 2002, was changed to state that storing and accessing information on users' computers would only be lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information ... about the purposes of the processing".
Consent must be "freely given, specific and informed". An exception to this exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – for example, to take the user of an online shop from a product page to a checkout.
Information law specialist Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said: "The existing Data Protection Directive and the e-Privacy Directive are closely related. Some important definitions, including of 'consent', relevant to the e-Privacy rules are derived from the Data Protection Directive, so it is important that there is consistency across both instruments following the reforms to the EU data protection framework."
"It is not yet obvious from a reading of the proposed changes to consent rules under the planned data protection reforms how those rules would apply to the storage of personal information on computers under the e-Privacy Directive, so clarity on this point and other similar ones would be welcomed. Reforming the e-Privacy Directive would also provide an opportunity to improve on the way rules on cookies were altered in 2009 and address the rise of other technology that is expected to replace cookies for tracking individuals' online behaviour and the idiosyncrasies of how that technology works," Dautlich said.
The e-Privacy Directive amendments of 2009 have now been implemented in EU countries' national laws and a number of privacy watchdogs have published guidance for organisations on how they can achieve compliance with the rules in practice.
Website operators have several mechanisms available to them for presenting information about cookies and privacy to internet users and for obtaining consent to their use. Many websites now carry banners that ask visitors for their consent to cookies and which provide a link to further information about how data collected by cookies is used or shared by the website operators.