New Consent Guidelines in Europe: What You Need to Know


When it comes to operational aspects of privacy compliance, consent can be difficult. Is explicit consent necessary? What technologies need consent? What processing activities need consent? Add in the fact of differing requirements in different locations and it’s no wonder that recent studies have pointed to more than half of websites having non-compliant consent experiences.

Luckily, recent guidelines published by the European Data Protection Board (EDPB) help to clarify requirements for consent for digital communications in the EU. On the one hand, the guidance brings clarity to many questions about consent in Europe. On the other hand, the guidance likely will require updates to the tag and cookie consent architectures for many organizations. Let’s review what has changed and what you should be doing to ensure you are properly respecting the privacy rights of your consumers. 

What happened?

In October 2024, the EDPB published updated guidelines on the technical scope of Article 5(3) of the ePrivacy Directive. The guidelines provide clarity on the nature of information, technologies, and technical activities where the ePrivacy Directive is applicable. Specifically called out is that the execution of tags or pixels on a website is in scope and thus requires explicit consent to execute in a user’s browser.

What does this mean?

The updated guidelines make it clear that, in general, the execution of tags or pixels that are not absolutely necessary for the functioning of a website requires explicit consent from the user.

Remind me, what is the ePrivacy Directive?

The ePrivacy Directive (ePD) is a directive in Europe which outlines a number of protections for privacy in the electronic communications sector. You may remember it by its more colloquial name, the “EU Cookie Law”. Originally adopted in 2002, it is the law in Europe that initially introduced user choice requirements for the use of cookies and online tracking technologies.

As a directive, it was adopted at the EU level; it was then transposed by EU Member States, each of which adopted their own country-level laws to satisfy the requirements outlined. This point is very important as each country could have specific exceptions regarding some usage of tags and pixels on a website. The updated guidelines explicitly call out that they “do not address the circumstances under which a processing operation may fall within the exemptions from the consent requirement provided for by the ePD”.

Wait, I thought GDPR was the privacy law in Europe?

The General Data Protection Regulation (GDPR) is the most comprehensive data privacy law in Europe. As a regulation, it differs from a directive in that it applies directly to all EU Member States and does not require local country-level laws. GDPR instills privacy rights for individuals with respect to their personal data and also details obligations for businesses in their processing of an individual’s personal data. This differs from ePD in that ePD is meant to provide protections specific to privacy in electronic communications. As it relates to data collection online, both are applicable and both carry consent requirements.  

Under GDPR, organizations must have a lawful basis for the processing of an individual’s personal data. There are six possible lawful bases available, with consent being the most common (and often the most appropriate) when it comes to processing for marketing, behavioral analytics, and advertising activities on a website.

ePD, on the other hand, imposes requirements for consent ‘to store information or to gain access to information stored in the terminal equipment of a user’. This is where the term “cookie law” came from, as the setting of cookies is the storing of information in a user’s browser (i.e. terminal equipment). Initially, most countries applied an ‘implicit’ consent standard for their country-level laws to satisfy ePD, but this was updated when GDPR came into effect, requiring consent to be specific, explicit, and informed. The updated guidelines make it clear that the execution of tags or pixels which facilitate data collection from a user is also in scope.

So it’s settled then, explicit consent is the requirement?

Wouldn’t it be nice if it were so simple! As mentioned above, the guidelines do call out that they do not address situations where exceptions may be provided. Exceptions come in the form of EU Member State-level laws and local guidance. It is best to review the country-level laws and guidelines that are in place to satisfy ePD for any of these exceptions. Generally, though, explicit consent for the execution of tags and pixels is the lowest-risk way to proceed for EU users. 

What should I do now?

It’s a great time to do a consent review of your website! Go through and audit to see what tags/pixels are implemented and under what consent conditions they are loading. For any tags loading prior to a user providing consent or after a user has rejected consent for tracking, review to ensure they are absolutely necessary for the operation of the website. If not (as is the case for behavioral analytics, marketing, and advertising pixels), strongly consider not loading those tags until the user has given their explicit consent.

Respecting the privacy rights and preferences of your users is an important part of privacy-centric data collection. While doing so will often result in a reduction in observable data, there are plenty of ways to fill this gap and still attain desired business outcomes. Consumer trust is not possible without starting from a place of respect. The updated EDPB Guidelines provide clear guidance on how to do so.

Interested in a consent review and not sure where to start?

Contact us today to discuss how Tag Inspector can help!
Originally Published On December 18, 2024