Written by: Chase Langhorne, Esq.

On February 21, 2020, Croatia released its proposal to attempt to move the ePrivacy Regulation across the finish line. The ePrivacy Regulation was proposed in 2017 with the main purpose of regulating personal data as it relates to internet cookies. The initial plan was for it to pass at the same time as the General Data Protection Regulation (“GDPR”) to align all personal privacy legislation in the European Union. However, the ePrivacy Regulation still has not been passed and there does not seem to be an end in sight. This is what led to Croatia proposing amendments to the existing text.

Croatia is taking a somewhat radical stance by introducing “legitimate interest” as a legal basis for processing metadata and the collection of information from terminal equipment (read: cookies). This could allow businesses to collect personal data via cookies without gaining a data subject’s consent, assuming they could meet the elements of legitimate interest under GDPR Article 6. Specifically, the proposed text lays out an example that would allow for an internet company whose website does not derive direct revenue from sales of a good or service, but receives its revenue from advertising, to rely on legitimate interest to collect cookies without a data subject’s consent. The practical implication of such a provision to joe-public is that this could mean the end of the ‘cookie banner’ that is popping up on every major corporation and news outlet website.

This premise is radical in that it has not been proposed before, but seems to make sense. Why should the “consent” provisions of GDPR apply to the ePrivacy Regulation, but not the “legitimate interest” provisions?”