Ref. Ares(2018)6600682 - 20/12/2018
The EU’s proposed new cookie rules1
: digital advertising, European media, and
consumer access to online news, other content and services
The European Union is currently considering a proposed regulation on ePrivacy that, unless
amended, will have serious negative impacts on the digital advertising industry, on European
media, and ultimately on European citizens’ access to information and other online content and
services. Member States need to engage to ensure a rational outcome that protects the rights of
companies, media and consumers.
ePrivacy in the context of Europe’s data protection reform and Digital Single Market
In December 2015, after four years of difficult negotiations, the EU agreed its General Data
Protection Regulation (GDPR). The GDPR introduces strong consumer protections online, and a
range of new obligations that both companies and data protection authorities are still trying to
understand and implement2. It radically alters information disclosure requirements, vastly
improving consumer visibility as to who is processing personal data and for what purposes. It
provides for steep fines of up to four percent of global turnover, or €20,000,000 (whichever is higher)
for companies found to be in breach of the law. Its scope is broader than that of the 1995 Data
Protection Directive, which it replaced – it clearly covers cookies and other online identifiers.
The Regulation introduced such complex and comprehensive changes in comparison with the 1995
Directive, that a two-year implementation period was laid down. It will be enforced only as from 25
May 2018.
Yet less than a year after the adoption of the GDPR, and without waiting to see whether the GDPR
appeared to leave any gaps in consumer protection, the European Commission’s DG CONNECT
issued another draft law that includes provisions that cover much the same ground (indeed, the
new proposal is based on the very same Article of the Treaty 3). The new draft law is the proposed
ePrivacy Regulation. It is an update of the famous Cookie Directive of 2009.
1 Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private
life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC
(Regulation on Privacy and Electronic Communication).
2 Commission Vice President Andrus Ansip and Justice and Home Affairs Commissioner Vera Jourovà welcomed
this major reform of the Union’s horizontal data protection rules. The new Regulation would "make Europe fit
for the digital age", with new consumer protections online such as the “right to be forgotten”, and a higher
legal bar for automated decisions based on profiling that might have significant negative effects on users.
3 Article 16 of the Treaty on the Functioning of the European Union, on the right to the protection of personal
data.
Negative impacts on the digital advertising industry
The new ePrivacy proposal would reduce the multiple legal bases for data processing laid down in
the GDPR to only one – consent – and consent as defined in the GDPR. A consent-only regime would
negatively impact the digital advertising industry in several ways:
Consent-only means “opt-out” business models need to be rethought
Virtually all interactions between the supplier of an online service and a user’s terminal device
require the use of storage and processing capabilities of, or the accessing of information on,
that terminal device. As a consequence, if the proposed ePrivacy regulation were adopted
without amendment, virtually all Internet activities would fall in-scope and therefore be subject
to consent. Websites, apps and providers of other online services would be deprived of other
legal bases foreseen in the General Data Protection Regulation (GDPR) that was adopted only
last year, notably the legitimate interest (opt-out) legal basis.4 This means that business
models built on the use of the legitimate interest legal basis – a legal basis that four years of
negotiations in the European Parliament and Council found to provide strong consumer
protection and accountability for data controllers – will need to be rethought.
Consent-only penalises Third Parties
‘Third parties’ such as ad tech companies with no direct link to the end-user will be unable to
collect consent, even assuming their data processing is fully in line with these conditions.
Instead, consent will need to be organised on their behalf by websites or apps that do have that
direct link. This paradigm hands a significant advantage to vertically-integrated, consumer-
facing platforms, many of which are not EU-based, who do have the direct link to the user and
so are better-placed to organise consent, and who also act as third parties in the digital
advertising delivery chain, competing with the EU-based companies who are purely ad
tech/third parties. The competitive advantage accruing to these vertically-integrated
companies, who are also able to leverage data derived from their first-party, consumer-facing
businesses, will further aggravate what some say are imbalances in the existing market
structure.
Consent under GDPR comes with heavy conditionality and may simply not work
Ironically, since consent under the ePrivacy regulation will mean consent as defined in the
GDPR, it may not even work for the vertically-integrated companies or for successful publishers
acting as first parties. Consent under the GDPR comes with important constraints, mainly to do
with the fact that in order to be valid as a legal basis, it must be “freely given”. Consent is
considered not to be freely given if the user could be considered to suffer “detriment” if he or
she could not access the service, or if he or she could be considered to be in a situation of
“imbalance” vis-à-vis the supplier of the online service, or if accessing the service required the
user to consent to any data processing that was not necessary to deliver the service from a
technical point of view. As noted above, if the consent is not “freely given” then it may not be
used as a legal basis by the provider of the online service. And if consent is the only legal basis
foreseen in the law, and it is not available, then the processing simply may not take place.
4 The GDPR will be enforced as from 25 May 2018.
Prior information requirement will “break” programmatic trading
Consent under the GDPR must be “informed”, that is, the user consenting to the processing
must have prior information as to the identity of the data controller processing his or her
personal data and the purposes of the processing.5 As it is technically impossible for the user
to have prior information about every data controller involved in a real-time bidding (RTB)
scenario, programmatic trading, the area of fastest growth in digital advertising spend, would
seem, at least prima facie, to be incompatible with consent under GDPR – and, as noted above,
if a future ePrivacy Regulation makes virtually all interactions with the Internet subject solely
to the consent legal basis, and consent is unavailable, then there will be no legal be no basis for
such processing to take place or for media to monetise their content in this way.
Negative impacts on European media
Since, for the reasons outlined above, media are likely to suffer from diminished advertising
revenue streams and an inability to customize content for individual users, the future regulation
will inevitably lead to an impoverishment of the media landscape and aggravate the already serious
problem of excessive media concentration in Europe.
Negative impacts on European citizens
The inevitable consequences of a future regulation making it more difficult for media to monetise
their content will be a less rich range of information sources for citizens to choose from and
potentially less variety and quality content produced by each media outlet, obviously an
undesirable development in any democratic society.
The way forward
The foregoing negative impacts can still be avoided by either deleting the relevant provisions of the
proposed regulation altogether, or by amending them to ensure 100% alignment with the General
Data Protection Regulation adopted last year. This would mean ensuring that media and
companies involved in delivering digital advertising had access to all the legal bases laid down in
that Regulation. Practically, this could be achieved either inserting a new exception in Article 8 for
any data processing that would satisfy the conditions for legality under the GDPR. Such
modifications are urgently needed.
In addition, in light of the constraints on consent under the GDPR discussed above, and to ensure
that those suppliers of online services for whom consent is the most appropriate legal basis (e.g.
because they have users who are already logged in and so are collecting more data anyway) are
actually able to leverage it, language from the 2009 Directive clarifying that access content may be
conditional on consent for data processing should be restored.
Amendments that would achieve these objectives are annexed to this paper.
5 See recitals 32 and 42 of the General Data Protection Regulation.
Reason for redactions: protection of personal data, in accordance with Regulation (EC) 45/2001.
For further information, please contact
or
.
June 2017
ANNEX
Article 8
Article 8
Protection of information stored in and
Protection of information stored in and
related to end-users’ terminal equipment
related to end-users’ terminal equipment
OPTION NO. 1
1. The use of processing and storage 1.
The use of processing and storage
capabilities of terminal equipment and the capabilities of terminal equipment and the
collection of information from end-users’ collection of information from end-users’
terminal equipment, including about its terminal equipment, including about its
software and hardware, other than by the software and hardware, other than by the
end-user concerned shall be prohibited, end-user concerned shall be
lawful if such
except on the following grounds:
use is performed on the basis of the consent
(a) it is necessary for the sole purpose of
of the end-user or some other legitimate
carrying out the transmission of an
basis laid down by law, in accordance with
electronic communication over an
Regulation (EU) 2016/679. prohibited,
electronic communications network; or
except on the following grounds:
(b) the end-user has given his or her consent;
(a) it is necessary for the sole purpose of
or
carrying out the transmission of an
(c) it is necessary for providing an
electronic communication over an
information society service requested by
electronic communications network;
the end-user; or
or
if it is necessary for web audience measuring,
(b) the end user has given his or her
provided that such measurement is carried
consent; or
out the provider of the information society
(c) it is necessary for providing an
service requested by the end-user.
information society service requested
by the end user; or
(d) if it is necessary for web audience
measuring, provided that such
measurement is carried out the
provider of the information society
service requested by the end user.
This amendment would perfectly align the “cookie provision” of the proposed ePrivacy regulation
with the General Data Protection Regulation (GDPR) by extending the rules of the GDPR beyond
personal data to any processing covered by the ePrivacy Regulation. This approach would provide
for the highest degree of legal certainty and consistency for both businesses and consumers, since
any modification of the legal bases of the GDPR would ‘automatically’ apply also to the future
ePrivacy regulation.
In effect, this change would maintain the level of protection of personal data laid down in the
GDPR and extend data protection rules to any information, whether personal or not, that relates
to the terminal equipment of end-users.
Article 8
Article 8
Protection of information stored in and Protection of information stored in and
related to end-users’ terminal equipment related to end-users’ terminal equipment
OPTION NO. 2
1. The use of processing and storage 1. The use of processing and storage
capabilities of terminal equipment and the capabilities of terminal equipment and the
collection of information from end-users’ collection of information from end-users’
terminal equipment, including about its terminal equipment, including about its
software and hardware, other than by the software and hardware, other than by the
end-user concerned shall be prohibited, end-user concerned shall be prohibited,
except on the following grounds:
except on the following grounds:
(a) it is necessary for the sole purpose of (a) it is necessary for the sole purpose of
carrying out the transmission of an
carrying out the transmission of an
electronic communication over an
electronic communication over an
electronic communications network; or
electronic communications network; or
(b) the end-user has given his or her consent; (b) the end-user has given his or her consent;
or
or
(c) it is necessary for providing an (c) it is necessary for providing an
information society service requested by
information society service requested by
the end-user; or
the end-user; or
(d) if it is necessary for web audience (d) if it is necessary for
web audience
measuring,
provided
that
such
measuring
or for scientific and
measurement is carried out the provider
statistical research purposes; or ,
of the information society service
provided that such measurement is
requested by the end-user.
carried out the provider of the
information society service requested
by the end user.
(e)
[NEW] if it is necessary for pursuing a
legitimate purpose and the person
responsible undertakes to comply with
specific privacy safeguards listed in
paragraph 1c; or
(f)
[NEW] it is necessary to maintain or
restore the security of information
society services, or detect technical
faults and/or errors in the functioning
of information society services, for the
duration necessary for that purpose.
This amendment would align the ePrivacy proposal with the General Data Protection Regulation
(GDPR) in a similar way to Option No. 1 above, but by explicitly calling out each of the various legal
bases for the processing of personal data that are currently foreseen in the GDPR.
In case of Option 2:
1c. (new) For the purpose of point (e) of
paragraph 1 the following specific privacy
safeguards apply:
(a) no data relating to the content of any
user communications is collected;
(b) the responsible person has put in
place
appropriate
technical
measures, such as pseudonymisation
or encryption.
(c) no effort is made or technique is
applied to re-identify the end-user
without his or her consent;
(d) the data processed do not constitute
special categories of personal data as
defined by Article 9 of Regulation (EU)
2016/679; and
(e) the responsible person has carried
out a data protection impact
assessment as defined by Article 35 of
Regulation (EU) 2016/679.
This new provision would specify under which conditions information stored in and related to end-
users’ terminal equipment may be processed without consent under the new exception of Art.
8(1)(f) in addition to the requirement of only processing anonymised or pseudonymised data.
This addition would only be necessary if “Option 2” for Art. 8(1) is pursued.
In case of Option 2:
1d. (new) The Commission shall be
empowered to adopt delegated acts to
specify additional privacy safeguards,
including differentiation of privacy
safeguards on the basis of risks associated
with the processing.
This new provision would empower the European Commission to specify additional privacy
safeguards under the new provision Art. 9(1c) to ensure the long term effectiveness of a technology-
centric provision.
This addition would only be necessary if “Option 2” for Art. 8(1) is pursued.
Article 9
Article 9
Consent
Consent
1. The definition of and conditions for 1. The definition of and conditions for consent
consent provided for under Articles 4(11) and provided for under Articles 4(11) and 7 of
7 of Regulation (EU) 2016/679/EU shall apply. Regulation (EU) 2016/679/EU shall apply.
1a. (NEW) Article 7(4) of Regulation (EU)
2016/679/EU shall not mean that the
provider of an information society service is
prohibited from making access to its
service conditional on the end-user’s
consent.
This amendment would maintain the clarification of the existing ePrivacy Directive (Recital 25)
that access to an online service may be made conditional on the well-informed consent of a user,
for example to provide interest-based advertising.
Recitals 20, 21, 22, 24
Proposed amendments
(20) Terminal equipment of end-users of
(20) Terminal equipment of end-users of
electronic communications networks and electronic communications networks and any
any information relating to the usage of such information relating to the usage of such
terminal equipment, whether in particular is terminal equipment, whether in particular is
stored in or emitted by such equipment, stored in or emitted by such equipment,
requested from or processed in order to requested from or processed in order to
enable it to connect to another device and or enable it to connect to another device and or
network equipment, are part of the private network equipment, are part of the private
sphere of the end-users requiring protection sphere of the end-users requiring protection
under the Charter of Fundamental Rights of under the Charter of Fundamental Rights of
the European Union and the European the European Union and the European
Convention for the Protection of Human Convention for the Protection of Human
Rights and Fundamental Freedoms. Given Rights and Fundamental Freedoms. Given
that such equipment contains or processes that such equipment contains or processes
information that may reveal details of an information that may reveal details of an
individual's emotional, political, social individual's emotional, political, social
complexities, including the content of complexities, including the content of
communications, pictures, the location of communications, pictures, the location of
individuals by accessing the device’s GPS individuals by accessing the device’s GPS
capabilities, contact lists, and other capabilities, contact lists, and other
information already stored in the device, the information already stored in the device, the
information related to such equipment information related to such equipment
requires enhanced privacy protection. requires
enhanced privacy
protection.
Furthermore, the so-called spyware, web Furthermore, the so-called spyware
, web
bugs, hidden identifiers, tracking cookies
bugs, hidden identifiers, tracking cookies
and other similar unwanted tracking tools and other similar unwanted tracking tools can
can enter end-user's terminal equipment enter end-user's terminal equipment without
without their knowledge in order to gain their knowledge in order to gain access to
access to information, to store hidden information, to store hidden information and
information and to trace the activities. to trace the activities
and may seriously
Information related to the end-user’s device
intrude upon the privacy of these end-
may also be collected remotely for the
users. Information related to the end-user’s
purpose of identification and tracking, using device may also be collected remotely for the
techniques such as the so-called ‘device purpose of identification and tracking, using
fingerprinting’, often without the knowledge
techniques such as the so called ‘device
of the end-user, and may seriously intrude
fingerprinting’,
often
without
the
upon the privacy of these end-users.
knowledge of the end user,
and may
Techniques that surreptitiously monitor the
seriously intrude upon the privacy of these
actions of end-users, for example by tracking
end users. web beacons, device identifiers,
their activities online or the location of their
such as device identifiers, online
terminal equipment, or subvert the
identifiers, including identifiers stored in
operation of the end-users’ terminal
so-called cookies, as well as statistical
equipment pose a serious threat to the
identifiers generated using techniques such
privacy of end-users. Therefore, any such
as ‘device fingerprinting’. Techniques that
interference with the end-user's terminal surreptitiously monitor the actions of end-
equipment should be allowed only with the users, for example by tracking their activities
end-user's consent and for specific and online or the location of their terminal
transparent purposes.
equipment, or subvert the operation of the
end-users’ terminal equipment
without his or
her knowledge may pose a serious threat to
the privacy of end-users.
At the same time,
the same technologies can be used for
legitimate and useful purposes such as
verifying the identity of users engaged in
on-line transactions and understanding the
effectiveness of website design and
advertising. Where such technologies, for
instance cookies, are used for a
legitimate purpose, such as to facilitate
the provision of information society
services, such use should be allowed on
condition that it meets the principles of
lawfulness, fairness and transparency. Therefore, any such
use interference with the
end-user's terminal equipment should be
allowed only with the end-user's consent
or
some other legitimate basis and for specific
and transparent purposes.
In line with
Regulation (EU) 2016/679, usage of the end-
user’s terminal equipment should be lawful
and fair. It should be transparent to end-
users that their terminal equipment’s
processing or storage capabilities are used
or information is collected from their
terminal equipment, to what extent and for
which purposes. The principle of
transparency requires that any information
and communication relating to the usage of
the end-user’s device be easily accessible
and easy to understand, and that clear and
plain language be used. That principle
concerns, in particular, information to the
end-user on the identity of the person
responsible, the purposes of the use, and
further information as laid down by
Regulation (EU) 2016/679.
This amendment would re-introduce existing language from the current ePrivacy Directive that
explains that cookies as a technology do not necessarily serve nefarious purposes but can be used
for legitimate purposes, too, such as analytics and advertising purposes and clarifies that the
principles of data protection, i.e. lawfulness and fairness, apply in the context of the ePrivacy
Regulation.
(21) Exceptions to the obligation to obtain
(21) Exceptions to the obligation to obtain
consent to make use of the processing and consent to make use of the processing and
storage capabilities of terminal equipment or storage capabilities of terminal equipment or
to access information stored in terminal to access information stored in terminal
equipment should be limited to situations equipment should be limited to situations
that involve no, or only very limited, intrusion that involve no, or only
very limited
, impact
of privacy. For instance, consent should not
on the intrusion of privacy
of the end-user
be requested for authorizing the technical
concerned and in accordance with
storage or access which is strictly necessary
Regulation (EU) 2016/679.
In order to
and proportionate for the legitimate purpose
ascertain whether a situation involves no,
of enabling the use of a specific service
or only limited, impact on the privacy of the
explicitly requested by the end-user. This
end user concerned, the entity responsible,
may include the storing of cookies for the
after having met all the requirements for
duration of a single established session on a
the lawfulness of using the end-user’s
website to keep track of the end-user’s input
terminal equipment, including with respect
when filling in online forms over several
to transparency, should take into account
pages. Cookies can also be a legitimate and
inter alia: the purpose for which the
useful tool, for example, in measuring web
processing and storage capabilities of the
traffic to a website. Information society
terminal equipment or information
providers that engage in configuration
accessed are used; the context in which
checking to provide the service in
information is collected, in particular the
compliance with the end-user's settings and
reasonable expectations of end-users
the mere logging of the fact that the end-
based on their relationship with the
user’s device is unable to receive content
controller as to the information’s further
requested by the end-user should not
use; the consequences of the intended
constitute access to such a device or use of
processing for end-users; and the existence
the device processing capabilities.
of appropriate safeguards such as
encryption or pseudonymisation. For
instance,
consent should not be requested
for authorizing the technical storage or
access which is strictly necessary and
proportionate for
the legitimate purpose of enabling the use of a specific service explicitly
requested by the end-user
may be regarded
as carried out for a legitimate interest. This
may include the storing of cookies for the
duration of a single established session on a
website to keep track of the end-user’s input
when filling in online forms over several
pages. Cookies can also be a legitimate and
useful tool for
other legitimate purposes, for
example
, helping to secure a service, in measuring web traffic to a website
or
delivering and measuring the effectiveness
of advertisements.
Access to information society services may
be made conditional on the well-informed
consent to the use of cookies or similar
technologies used for legitimate purposes.
Information society providers that engage in
configuration checking to provide the service
in compliance with the end-user's settings and
the
mere logging determining of the fact that
the end-user’s device is unable to receive
content requested by the end-user should not
constitute access to such a device or use of the
device processing capabilities.
This amendment would elaborate on the transparency that should be provided to end-users when
information stored in and related to their terminal equipment is accessed. It would also re-
introduce important clarifications from the existing ePrivacy Directive: Information society services
are permitted to make access to their service conditional on consent for the use of cookies and
similar technologies.
(22) The methods used for providing
(22) The methods used for providing
information and obtaining end-user's information and obtaining end-user's consent
consent should be as user-friendly as should be as user-friendly as possible. Given
possible. Given the ubiquitous use of tracking the ubiquitous use of tracking cookies and
cookies and other tracking techniques, end- other tracking techniques, end-users are
users are increasingly requested to provide increasingly requested to provide consent to
consent to store such tracking cookies in store such tracking cookies in their terminal
their terminal equipment. As a result, end- equipment. As a result, end-users are
users are overloaded with requests to overloaded with requests to provide consent.
provide consent. The use of technical means The use of technical means to provide
to provide consent, for example, through consent, for example, through transparent
transparent and user-friendly settings, may and user-friendly settings, may address this
address this problem. Therefore, this problem. Therefore, this Regulation should
Regulation should provide for the possibility provide for the possibility to express consent
to express consent by using the appropriate by using the appropriate settings of a browser
settings of a browser or other application. or other application. The choices made by
The choices made by end-users when end-users when establishing its general
establishing its general privacy settings of a privacy settings of a browser or other
browser or other application should be application should be binding on, and
binding on, and enforceable against, any enforceable against, any
third parties
third parties. Web browsers are a type of
persons other than the end-user concerned.
software application that permits the
Such general privacy settings should not
retrieval and presentation of information on
prevent an information society service
the internet. Other types of applications,
from collecting information from or about
such as the ones that permit calling and
the end user’s terminal equipment with the
messaging or provide route guidance, have
end-user’s consent. Web browsers are a type
also the same capabilities. Web browsers of software application that permits the
mediate much of what occurs between the retrieval and presentation of information on
end-user and the website. From this the internet. Other types of applications, such
perspective, they are in a privileged position as the ones that permit calling and messaging
to play an active role to help the end-user to or provide route guidance, have also the same
control the flow of information to and from capabilities. Web browsers mediate much of
the terminal equipment. More particularly what occurs between the end-user and the
web browsers may be used as gatekeepers, website. From this perspective, they are in a
thus helping end-users to prevent privileged position to play an active role to
information from their terminal equipment help the end-user to control the flow of
(for example smart phone, tablet or information to and from the terminal
computer) from being accessed or stored.
equipment.
More particularly web browsers
may be used as gatekeepers, thus helping
end users to prevent information from
their terminal equipment (for example
smart phone, tablet or computer) from
being accessed or stored.
This amendment would clarify the intention as expressed by the European Commission that
browser settings would not prevent information society services to request specific consent where
their general preference is that information is not collected. It would also strike the notion that
browsers and other applications should act as gatekeepers between information society services
and their users.
(24) For web browsers to be able to obtain
(24) For
web browsers information society
end-users’ consent as defined under
services to be able to obtain end-users’
Regulation (EU) 2016/679, for example, to the consent as defined under Regulation (EU)
storage of third party tracking cookies, they 2016/679, for example, to the storage of
third
should, among others, require a clear
party tracking cookies, they should, among
affirmative action from the end-user of others, require a clear affirmative action from
terminal equipment to signify his or her freely the end-user of terminal equipment to signify
given, specific informed, and unambiguous his or her freely given, specific informed, and
agreement to the storage and access of such unambiguous agreement to the storage and
cookies in and from the terminal equipment. access of such cookies in and from the
Such action may be considered to be terminal equipment. Such action may be
affirmative, for example, if end-users are considered to be affirmative, for example, if
required to actively select ‘accept third party end-users are required to actively select
cookies’ to confirm their agreement and are ‘accept third party cookies’ to confirm their
given the necessary information to make the agreement and are given the necessary
choice. To this end, it is necessary to require information to make the choice. To
assist
providers of software enabling access to
end-users in this end, it is necessary to
internet that, at the moment of installation,
require
expressing
their
privacy
end-users are informed about the possibility
preferences providers of software enabling
to choose the privacy settings among the access to internet
may that, at the moment of
various options and ask them to make a installation,
end users are inform
ed end-
choice. Information provided should not
users about the possibility to choose
the dissuade end-users from selecting higher privacy settings among
the various options
privacy settings and should include relevant and ask them to make a choice. Information
information about the risks associated to provided should not
unduly dissuade end-
allowing third party cookies to be stored in users from selecting higher privacy settings
the computer, including the compilation of and should include relevant information
long-term records of individuals' browsing about the
risks possible consequences
histories and the use of such records to send associated
to with allowing third party
targeted advertising. Web browsers are
cookies to be stored in the computer that
encouraged to provide easy ways for end-
choice,
including the compilation of long
users to change the privacy settings at any
term records of individuals' browsing
time during use and to allow the user to make
histories and the use of such records to
exceptions for or to whitelist certain websites
send targeted advertising. Web browsers
are
or to specify for which websites (third) party
encouraged to should provide easy ways for
cookies are always or never allowed.
information society services to ask end-
users to change the privacy settings at any
time during use and to allow the user to make
exceptions for or to whitelist certain websites
or to specify for which websites
(third) party cookies are always or never allowed.
In line with the amendments above, this amendment would change the approach from browsers
and other applications to intermediate the relationship between information society services and
their users. Importantly, it would also clarify that where browsers and other applications provide
ways for end-users to express their general preferences they should also make available
functionalities that enable users to make specific choices on a case-by-case basis. If such
functionality is merely “encouraged” information society services may effectively lose the ability to
request consent from their own users.