Two cornerstone pieces of European data privacy legislation are the General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePD). These frameworks serve distinct purposes and have different compliance requirements that must be understood and adhered to by organizations operating within the EU.
This is a follow-up article on “How ePrivacy Directive Trumps GDPR for Website Compliance”.
Understanding the Regulatory Framework
GDPR
Scope: GDPR applies broadly to the processing of personal data within the EU, focusing on how personal data is collected, stored, and used.
Key Principle: Emphasizes lawful processing, data minimization, transparency, and user rights, including access, correction, and deletion of personal data.
Penalties: Non-compliance can result in fines up to €20 million or 4% of global turnover, alongside significant reputational damage.
ePrivacy Directive
Scope: Also known as the "Cookie Law," it specifically governs electronic communications and the privacy of data in the digital space, including cookies and other tracking technologies.
Key Principle: Article 5(3) mandates that storing or accessing information on a user’s device requires prior consent, unless it is strictly necessary for the provision of a service explicitly requested by the user.
Implementation: Although it is a directive rather than a regulation, it has been transposed into the national law of every EU member state, making its requirements legally binding.
Guidelines: The guidelines published by the European Data Protection Board (EDPB) are the main reference that the Data Protection Authorities (DPAs) of the member states use to interpret the directive and apply it uniformly across the EU.
Addressing Common Misconceptions
A prevalent argument is that certain tracking technologies are "technically required" for a website’s operation and thus exempt under GDPR’s legitimate interest clause. However, this does not override the ePrivacy Directive’s consent requirements:
GDPR Article 6(1)(f): Allows data processing if necessary for legitimate interests, provided it does not override data subjects' rights and freedoms.
ePrivacy Directive Article 5(3): Requires explicit consent for storing or accessing information on a user’s device, interpreted narrowly to mean only essential cookies for core functionality are exempt.
First-Party vs. Third-Party Compliance
First-Party Solutions
Necessity for Compliance: Even first-party analytics, such as those provided by AesirX Analytics and Matomo Analytics, require prior consent under ePrivacy Directive Article 5(3).
Enhanced Trust: By obtaining user consent before data collection, businesses can ensure compliance and foster trust.
Third-Party Solutions
Compliance Challenges: Solutions like CookieBot and CookieInformation often load scripts before obtaining user consent, violating ePrivacy Directive requirements.
Guideline Clarifications: The November 14, 2023 guidelines from the EDPB have reinforced that consent must be obtained prior to loading any tracking or consent solutions.
Example 1: E-commerce Website
An e-commerce website owner uses third-party analytics to track user behavior and optimize sales strategies. Additionally, they use a third-party recommendation engine to suggest products based on browsing history. Under the ePrivacy Directive, these tools must not load without obtaining explicit user consent first. To comply:
- Implement a Consent Banner: Before any tracking scripts or recommendation engine scripts load, display a consent banner requesting user permission for tracking.
- Adjust Tracking Settings: Ensure that no tracking or recommendations occur until consent is granted. If the user denies consent, neither tracking nor recommendations should be active.
Implement a Consent Banner
Legal Basis:
ePrivacy Directive Article 5(3): Requires explicit consent for storing or accessing information on a user’s device, unless it is strictly necessary for the provision of a service explicitly requested by the user.
GDPR Article 7: Conditions for obtaining valid consent, emphasizing that it must be freely given, specific, informed, and unambiguous.
Analysis:
Explicit Consent: Implement a consent banner that appears before any third-party tracking scripts or recommendation engine scripts load. This banner must clearly request user permission for tracking activities.
Transparency: The consent banner should provide clear information about what data will be collected, how it will be used, and who will have access to it.
Adjust Tracking Settings
Legal Basis:
ePrivacy Directive Article 5(3): Storing or accessing information on a user’s device requires prior consent.
GDPR Compliance: Ensures that data processing activities respect user consent and data protection principles.
Analysis:
No Pre-Consent Tracking: Ensure that no third-party analytics or recommendation scripts load until the user has given explicit consent. This means configuring the website to block these scripts by default and only activate them once consent is obtained.
User Control: If the user denies consent, the tracking and recommendation functionalities must remain inactive, respecting the user’s privacy choices.
Example 2: Blogging Platform
A blogging platform wants to enhance user experience by using personalized content recommendations. This involves storing cookies and tracking user interactions. To ensure compliance:
- Clear Communication: Clearly inform users about what data will be collected, how it will be used, and for what purpose.
- Obtain Consent: Implement a mechanism to obtain user consent before any cookies are stored or data is accessed. This can be done through a clear and concise consent banner.
- First-Party Analytics: Consider using first-party analytics solutions that ensure compliance with Article 5(3) by requiring consent before data collection. Tools like AesirX Analytics can help you maintain compliance while gathering necessary insights.
Clear Communication
Legal Basis:
Transparency Requirement: Both GDPR and the ePrivacy Directive mandate that users must be informed about data collection practices in a clear and understandable manner.
User Rights: GDPR emphasizes user rights, including the right to be informed about how their data is collected and used.
Analysis:
Transparency: Clearly communicate to users what data will be collected, how it will be used, and for what purpose. This includes informing users about cookies and other tracking technologies used for personalized content recommendations.
Detailed Information: Provide detailed information in a privacy policy or notice accessible from the consent banner. This policy should include:
- Types of data collected
- Purpose of data collection
- Data retention periods
- User rights and how to exercise them
Obtain Consent
Legal Basis:
ePrivacy Directive Article 5(3): Requires explicit consent for storing or accessing information on a user’s device, unless it is strictly necessary for the provision of a service explicitly requested by the user.
GDPR Article 7: Specifies conditions for obtaining valid consent, emphasizing that it must be freely given, specific, informed, and unambiguous.
Analysis:
Consent Mechanism: Implement a consent mechanism that obtains user consent before any cookies are stored or data is accessed. This can be done through a clear and concise consent banner.
First-Party Analytics
Legal Basis:
ePrivacy Directive Article 5(3): Applies to all tracking technologies, including first-party analytics, requiring prior consent unless strictly necessary for providing a service requested by the user.
GDPR Compliance: Ensures that data processing activities respect user consent and data protection principles.
Analysis:
First-Party Solutions: Use first-party analytics solutions that comply with Article 5(3) by requiring consent before data collection. First-party solutions provide more control and transparency over data collection practices.
Compliance Tools: Tools like AesirX Analytics help maintain compliance by ensuring that user consent is obtained before any tracking or data collection occurs.
Example 3: SaaS Company with HubSpot CRM
A SaaS company uses HubSpot for CRM and forms to manage customer interactions. While HubSpot provides powerful tools, it also involves third-party tracking and data processing, which must comply with the ePrivacy Directive:
- Evaluate Current Practices: Ensure that HubSpot’s tracking scripts do not load before obtaining user consent.
- Implement Consent Mechanisms: Use a consent management platform that integrates seamlessly with HubSpot to ensure compliance. This could involve a consent banner that blocks HubSpot scripts until consent is granted.
- Monitor and Audit: Regularly audit your compliance status using tools like the AesirX Privacy Scanner to identify any non-compliant elements and adjust accordingly.
Evaluate Current Practices
Legal Basis:
Third-Party Processing: HubSpot CRM involves third-party data processing and tracking technologies, which require compliance with both GDPR and the ePrivacy Directive.
Consent Requirement: Article 5(3) of the ePrivacy Directive requires explicit consent before storing or accessing any information on a user’s device via third-party services.
Analysis:
Pre-Consent Loading: Ensure that HubSpot's tracking scripts, cookies, or any other data processing mechanisms do not load before the user has given explicit consent.
Compliance Check: Evaluate the current integration of HubSpot to ensure that no data collection or tracking occurs without prior user consent. This includes reviewing how forms and tracking scripts are implemented on the website.
Implement Consent Mechanisms
Legal Basis:
GDPR Compliance: Under GDPR, processing personal data must be lawful, transparent, and fair. Consent is one of the primary lawful bases for processing.
ePrivacy Directive Compliance: Article 5(3) mandates that explicit consent is needed before any third-party scripts can store or access information on a user’s device.
Analysis:
Consent Management Platform (CMP): Implement a robust CMP that can integrate seamlessly with HubSpot. This platform should:
- Display a consent banner that informs users about the data collection practices.
- Block HubSpot scripts and cookies until the user gives explicit consent.
- Record and manage user consents, ensuring compliance with both GDPR and the ePrivacy Directive.
- Be first-party based for legal compliance.
Clear Communication: The consent banner should clearly inform users about what data will be collected by HubSpot, why it is being collected, and how it will be used.
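The "block by default, activate only after consent" behaviour described under Adjust Tracking Settings (Example 1) and the CMP requirements listed above can be modelled as a small default-deny gate. The following is an added example written for this article, not AesirX or HubSpot code; the tag inventory, purpose names, policy version and re-consent interval are constructed assumptions.

```javascript
// Added example (not AesirX/HubSpot code): a default-deny consent gate for tag loading.
// Each tag declares a purpose; anything not "necessary" stays blocked until a valid
// consent record grants that purpose. Names and values below are assumptions.
const POLICY_VERSION = 2;                 // bump whenever the privacy notice changes
const CONSENT_TTL_MS = 180 * 24 * 3600e3; // assumed re-consent interval (180 days)

// Constructed tag inventory as a CMP would hold it (vendor URLs are placeholders).
const TAGS = [
  { id: "cart",      purpose: "necessary", src: "/js/cart.js" },                  // Art. 5(3) exempt
  { id: "analytics", purpose: "analytics", src: "https://analytics.example/tag.js" },
  { id: "crm-forms", purpose: "marketing", src: "https://crm.example/forms.js" },
  { id: "unknown",                         src: "https://other.example/x.js" },   // no purpose declared
];

// Build the record written when the user makes a choice in the banner.
function recordConsent(granted, now = Date.now()) {
  return { version: POLICY_VERSION, ts: now, granted: [...new Set(granted)] };
}

// A record only counts if it matches the current notice version and has not expired.
function consentValid(rec, now = Date.now()) {
  return !!rec && rec.version === POLICY_VERSION && Array.isArray(rec.granted)
    && now - rec.ts < CONSENT_TTL_MS;
}

// Decide which tags may load. Fail closed: a missing, stale or expired record, or a
// tag with no declared purpose, means only strictly necessary tags run.
function allowedTags(tags, rec, now = Date.now()) {
  const granted = consentValid(rec, now) ? new Set(rec.granted) : new Set();
  return tags
    .filter(t => t.purpose === "necessary" || (t.purpose && granted.has(t.purpose)))
    .map(t => t.id);
}

// Browser side (not exercised here): inject only the allowed tags as real <script>
// elements, so blocked tags never reach the page before consent.
function activate(tags, rec) {
  if (typeof document === "undefined") return [];
  const ids = new Set(allowedTags(tags, rec));
  return tags.filter(t => ids.has(t.id)).map(t => {
    const s = document.createElement("script");
    s.src = t.src;
    document.head.appendChild(s);
    return t.id;
  });
}
```

Denial, an undeclared purpose, a record issued under an older notice version and an expired record all collapse to the same outcome: only the cart tag loads.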
Monitor and Audit
Legal Basis:
Ongoing Compliance: Both GDPR and the ePrivacy Directive require continuous compliance efforts. Regular audits and monitoring are essential to ensure that data processing activities remain compliant.
Analysis:
Regular Audits: Use tools like the AesirX Privacy Scanner to regularly audit your website and CRM integration for compliance. These tools help identify non-compliant elements and provide actionable insights to address any issues.
Update Practices: Stay updated with any changes in regulations or guidelines and adjust your data processing practices accordingly. Ensure that any updates to HubSpot or your website are reviewed for compliance before implementation.
Read more about how 97% of all websites are at high risk when it comes to compliance and how you can follow the “State of Privacy” on the World Wide Web.
Example 4: E-commerce Website with Payment Gateway and Shopping Cart
An e-commerce website uses a third-party payment gateway to process transactions. While the shopping cart is essential for the user to complete their purchase, the payment gateway involves third-party data processing. Here’s how to ensure compliance:
- Shopping Cart: As it is functionally required and directly related to the user's actions (e.g., adding items to the cart, processing orders), consent may not be required under Article 5(3).
- Payment Gateway: This involves third-party processing, so explicit consent is needed before loading any tracking or processing scripts. Implement a consent banner that requests user permission before loading the payment gateway scripts.
- Transparent Practices: Clearly inform users about the data being collected during the payment process and ensure they consent to this collection.
Shopping Cart
Legal Basis:
Functional Necessity: Under Article 5(3) of the ePrivacy Directive, consent is not required for storing or accessing information on a user’s device if it is "strictly necessary" for the provision of an information society service explicitly requested by the user. The shopping cart functionality fits this criterion as it is essential for users to complete their purchase.
User-Requested Service: Adding items to a cart and processing orders are actions explicitly initiated by the user, making the shopping cart a core function that does not require prior consent.
Analysis:
The shopping cart’s operation falls under the "strictly necessary" exemption. Therefore, cookies or other tracking mechanisms that are essential for maintaining the cart (e.g., remembering the items the user has added) can be implemented without obtaining prior consent.
This aligns with both GDPR principles and the ePrivacy Directive’s requirements, ensuring that essential functionalities needed for user-requested services are not hindered.
Payment Gateway
Legal Basis:
Third-Party Processing: The use of a third-party payment gateway involves processing personal data by an external entity. This triggers specific obligations under both GDPR and the ePrivacy Directive.
Consent Requirement: Article 5(3) of the ePrivacy Directive mandates that explicit consent is required before any information is stored or accessed on a user’s device by third-party services unless it is strictly necessary for the service explicitly requested by the user.
Analysis:
Explicit Consent: Since the payment gateway involves third-party processing and potentially tracking (e.g., fraud detection, transaction analytics), explicit user consent is required before these scripts are loaded.
Implement a Consent Banner: Display a consent banner that explicitly asks for user permission to load the payment gateway scripts. This banner should clearly state what data will be collected, why it is necessary, and how it will be used.
Transparent Practices: Inform users transparently about the data collection process during payment transactions. This includes:
- What data is being collected (e.g., payment information, transaction details).
- Why it is being collected (e.g., to process the payment, prevent fraud).
- How it will be used and whether it will be shared with third parties (e.g., the payment gateway provider).
This example illustrates the nuanced application of data privacy laws, emphasizing the importance of distinguishing between essential services (where consent may not be needed) and third-party data processing (which typically requires explicit consent).
Ensuring Compliance
The GDPR and ePrivacy Directive together form a robust framework designed to protect user privacy in the digital age. Understanding and complying with both sets of regulations is not only a legal obligation but also a step towards building trust with users and safeguarding your business from potential fines and reputational damage.
By understanding and implementing the distinctions and examples covered in this article, organizations can better navigate the complexities of digital compliance, avoiding potential fines and fostering greater trust with their users. I hope this article serves as a guide for the many website owners navigating the complexities of compliance; and remember, if you are in doubt about where to start, our free Privacy Scanner and AI Advisor is here to help.
If you are looking for a First-Party based alternative you can click here to read more.
Ronni K. Gothard Christiansen // VikingTechGuy
Creator, AesirX.io
Join our community and catch up with all the latest information and news on Telegram https://t.me/aesirx_official_community
References:
- General Data Protection Regulation (GDPR)
- ePrivacy Directive (Directive 2002/58/EC)
- EDPB Guidelines on Article 5(3) of the ePrivacy Directive
- Why the ePrivacy Directive Trumps GDPR?
About the AesirX Privacy Scanner:
The AesirX Privacy Scanner is a powerful tool designed to ensure that websites comply with the stringent requirements of the ePrivacy Directive and GDPR. Using the EU's EDPS (European Data Protection Supervisor) Inspection Tool, the AesirX Privacy Scanner conducts thorough scans of websites to identify non-compliant elements, including cookies, trackers, and beacons.
AesirX also offers a free Privacy Advisor AI Assistant that helps to explain the scanned results from the EDPS Inspection Tool and offers concrete recommendations on what is needed to resolve compliance issues found in the scan result.
By leveraging these tools, businesses can receive detailed reports and actionable insights to rectify compliance issues and avoid potential fines.