EU Legal framework for web tracking
In the EU, two key laws govern web tracking: the ePrivacy Directive (1) and the GDPR (2). Both must be adhered to for compliance with the EU data protection legal framework.
ePrivacy Directive: setting a cookie
The ePrivacy Directive (§5.3) regulates the use of cookies and trackers on users’ devices. It requires informed consent from a user before a cookie is set on the user's device (i.e., before information is stored on or accessed from that device).
As an exception to this rule, consent is not required for “technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.”
GDPR: personal data processing
Once cookies are placed, the GDPR governs the processing of any personal data collected via a website.
Key requirements include:
Legal basis: Data processing must be justified by consent, performance of a contract, or legitimate interest. The legal basis must be documented.
Transparency: Users must be informed about what data is collected, how it is used, and their rights.
Controller responsibility: A controller is responsible for determining the legal basis, purposes and means of processing personal data and ensuring compliance with data protection laws, including informing individuals about data use and safeguarding their rights.