What Is the EU’s ePrivacy Directive, a.k.a. “The Cookie Law”?
We’ve all heard about the EU’s General Data Protection Regulation (GDPR). But a less widely publicized privacy regulation is Europe’s ePrivacy Directive. Working in tandem with GDPR, the ePrivacy directive (also known as the “cookie law”) targets cookies and similar means of tracking user data online. And while this does not specifically deal with mobile push notifications, it’s worth exploring to have a more complete understanding of data privacy and security in Europe. Moreover, the directive is likely to be expanded in the near future to take into account the prevalence of mobile devices.
What Is the ePrivacy Directive?
Stating privacy of communications as a human right, the EPD outlines the full parameters of which electronic communications and messages it protects. It also straightforwardly places the responsibility of protecting user data on the service providers, stating that they need to take “appropriate measures to safeguard the security of their services.”
Amendments to the EPD
As we have pointed out with other privacy regulations passed before the Information Age kicked into full gear, such as COPPA and HIPAA, the ePrivacy Directive quickly became outdated and not fully relevant to the new ways people go online. In 2009, the so-called “Cookie Law” was amended with Directive 2009/136/EC, which came into effect in May 2011. It expands the original purview of the EPD to cover the processing of personal data (PII) in the electronic communications sector as a whole, not just web browsing. The 2009 amendment covers:
- the security of networks and services
- confidentiality of communications
- access to stored data
- processing of traffic and location data
- calling line identification
- public subscriber directories
- unsolicited commercial emails (i.e. spam)
Moreover, the 2009 amendment requires providers of electronic communications to notify users of data breaches where:
- user data could potentially have been lost, illegally accessed or modified by third parties, and
- the user is likely to be negatively affected by this breach
How Can Websites Comply With the ePrivacy Directive?
To comply with the EPD, a website must gain users’ consent before setting cookies, unless those cookies are strictly necessary for the website to function. Moreover, the website must provide specific information about which data each cookie tracks, and why. This information must be written in clear, transparent language, and the consent form must link to it so that visitors can choose to read it. Users must be able to access and navigate the website even if they do not consent to being tracked by cookies, and they must be able to withdraw their consent easily at any time.
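The rules in the paragraph above map onto a small amount of client-side logic: non-essential cookies are not set until the matching consent exists, the consent form can be generated from a registry that records each cookie’s purpose, and withdrawing consent expires anything already stored under that category. The following is an added example written for this article, not OpenBack’s code or any library’s API. The cookie names, categories and purposes in `COOKIE_REGISTRY` are constructed, and an in-memory `Map` stands in for `document.cookie` so the example runs outside a browser.

```javascript
// Added example: consent gating for non-essential cookies.
// COOKIE_REGISTRY is a constructed sample; a real site lists its own cookies here.
// Every cookie the site sets must appear in the registry with a stated purpose,
// which is the "specific information" the EPD requires in the consent form.
const COOKIE_REGISTRY = {
  session_id:    { category: "essential",   purpose: "Keeps you signed in during your visit." },
  csrf_token:    { category: "essential",   purpose: "Protects forms against cross-site request forgery." },
  _analytics_id: { category: "analytics",   purpose: "Measures which pages are visited." },
  _ad_profile:   { category: "advertising", purpose: "Builds a profile for personalised advertising." },
};

class ConsentGate {
  constructor(registry) {
    this.registry = registry;
    this.consented = new Set(); // non-essential categories the user has opted into
    this.stored = new Map();    // cookie name -> value; stands in for document.cookie
  }

  // Data for the consent form: every non-essential cookie with its category and purpose.
  // Essential cookies are set without consent but can still be listed for transparency.
  disclosures() {
    return Object.entries(this.registry)
      .filter(([, meta]) => meta.category !== "essential")
      .map(([name, meta]) => ({ name, category: meta.category, purpose: meta.purpose }));
  }

  // Record the categories the user accepted. Nothing is stored until the user acts.
  grant(categories) {
    for (const c of categories) this.consented.add(c);
  }

  // Withdrawal must be as easy as granting: drop the category and expire every
  // cookie already set under it. Returns the names that were removed.
  withdraw(category) {
    this.consented.delete(category);
    const expired = [...this.stored.keys()]
      .filter((name) => this.registry[name].category === category);
    for (const name of expired) this.stored.delete(name);
    return expired;
  }

  // The single choke point for setting cookies. Returns true only when the
  // cookie is registered and is either essential or covered by current consent.
  setCookie(name, value) {
    const meta = this.registry[name];
    if (!meta) return false; // undisclosed cookie: refuse rather than set silently
    if (meta.category !== "essential" && !this.consented.has(meta.category)) return false;
    this.stored.set(name, value);
    return true;
  }

  has(name) {
    return this.stored.has(name);
  }
}

// Walks through a typical visit: essential cookie allowed immediately, analytics
// refused until consent is granted, then expired again when consent is withdrawn.
function demo() {
  const gate = new ConsentGate(COOKIE_REGISTRY);
  const essentialSet = gate.setCookie("session_id", "s-123");      // true: no consent needed
  const analyticsBlocked = gate.setCookie("_analytics_id", "u-1"); // false: no consent yet
  gate.grant(["analytics"]);
  const analyticsSet = gate.setCookie("_analytics_id", "u-1");     // true: consent recorded
  const expired = gate.withdraw("analytics");                      // ["_analytics_id"]
  return {
    essentialSet,
    analyticsBlocked,
    analyticsSet,
    expired,
    sessionSurvives: gate.has("session_id"), // withdrawal never touches essential cookies
  };
}
```

In a browser, `setCookie` would write to `document.cookie` and `withdraw` would overwrite each expired cookie with a past `Expires` date; the decision logic stays the same. Routing every cookie write through one gate is also what makes the behaviour auditable: an unregistered cookie fails closed instead of slipping past the consent form.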
Regarding cookies, the EPD states:
“So-called spyware, web bugs, hidden identifiers and other similar devices can enter the user’s terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users. The use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned.
(25) However, such devices… can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions. Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment… The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible. Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.”
Does OpenBack Comply With the ePrivacy Directive?
The EPD does not cover mobile apps as of this writing, although its use of the term “terminal equipment” means it is likely to do so in the near future (which we explore further in the following section). So any mobile app targeting the European market will want to make sure it is compliant.
If this is of concern to your mobile app, OpenBack is the only push notification platform that is fully compliant with all data privacy regulations by default. The OpenBack SDK on the mobile device doesn’t have any access to users’ personal data/PII unless the app chooses at setup to pass some personal data to the SDK for the purpose of segmenting or personalizing push notifications.
What’s more, on Android and iOS devices the OpenBack SDK would not be able to access that information without the mobile app first receiving consent from the user. For example, if an app has activated the OpenBack location signal capability to deliver a notification once someone is at a specific location, that location data cannot be accessed unless:
- the app has been specifically set up to request access to that data
- your app has prompted the user with standard mobile OS prompts
- the user has given their permission to access that data
This is in addition to any app store legal, privacy, and review requirements. Ultimately, the very framework of OpenBack has privacy built into it, which is a very different framework from the browser cookies and similar software covered by the ePrivacy Directive.
To learn more about OpenBack’s approach to privacy as it relates to COPPA, read our blog post: Keep Your Mobile App COPPA Compliant and Kid Friendly With OpenBack
How Will EPD Change in Upcoming Years?
The ePrivacy Directive has already been amended since it was originally passed, and it will likely be amended again in the near future. It has various blind spots, most prominently that the EPD only covers data tracking in web browsers, not in mobile apps. Given that as of 2021 more than half of the world’s internet traffic was on a mobile device, it is evident that the EPD is no longer sufficient for protecting the data of European citizens.
In fact, a framework is already in the works to replace the EPD: the ePrivacy Regulation (EPR). The EPR will build on the parameters already defined by the ePrivacy Directive. It will also be more authoritative: a regulation in the EU is directly legally binding in every member state once it comes into effect, while a directive sets goals that each member state must incorporate into its own national law.
In addition to encompassing mobile data tracking, the EPR – which is currently undergoing the drafting stage – will regulate browser fingerprinting as well as messaging apps, such as WhatsApp, that weren’t in the picture when the EPD was originally passed. It will also strengthen protections for metadata. Ultimately, the EPR will continue to regulate cookies while remaining flexible for ever-evolving methods of data tracking.
While mobile push notifications don’t fall under the purview of the EPD or the EPR yet, it’s likely they will in the near future. Learn how OpenBack enables your mobile app to send highly personalized and effective push notifications, while fully complying with all local data privacy regulations by reading our blog post:
Or, get in touch with one of our experts for a free demo.