Introduction to ePrivacy

The introduction of the GDPR in 2018 has created stricter accountability and transparency requirements, especially in relation to ePrivacy. These requirements are built on a core principle of data protection: allowing individuals to be in control of their own data.

Privacy Notice and Transparency

The GDPR grants data subjects a right to transparency. Data subjects are entitled to information on how their data is collected and used. On websites, this must be done by publishing a privacy notice. This privacy notice shall inform data subjects of data processing purposes, data retention periods, and other procedures related to the processing of personal data. One of the main concerns when drafting a comprehensive privacy notice is therefore the website’s use of cookies.

Nature and Purpose of Cookies

Cookies are small text files containing data about website users. They are stored in the web browser and can be retrieved by the website on later visits. The main purposes of cookies are session management, personalisation, and tracking. For example, a retail business might use cookies to track items a customer has viewed, in order to improve their shopping experience by suggesting similar items. Other cookies might be used to remember user customisation, such as font size.

Transparent Use of Cookies

In order to be transparent, the use of cookies must allow individuals to be in control of their own data. This principle of data subject control raises the question of how businesses can facilitate this. In short, if a business intends to process an individual’s data, the business must obtain the individual’s consent. In addition, the business must ask for this consent in a way that is easy for individuals to comprehend. It is necessary to receive an express “yes”. This is often called “opt-in” consent, as opposed to “opt-out” consent that would merely require an individual not saying “no”.

To ask for explicit or affirmative “opt-in” consent, businesses can display a cookie banner or pop-up that gives information about the use of cookies and enables users to change their cookie settings easily.

The same standards apply to email marketing, and individuals must actively consent to a website’s Terms & Conditions.

Ensuring Website Compliance

To be compliant with the GDPR and the ePrivacy Directive, the following checklist can be used as a guide to ensure transparency:

  • Your website must have a compliant cookie banner.
  • Consent must be obtained to use cookies, except for strictly necessary cookies.
  • Individuals must be easily able to change their cookie settings.
  • You must accurately inform individuals about cookies and their purpose, in accessible language.
  • You must be able to demonstrate consent, i.e., document and store it.
  • Even if consent is not obtained, individuals should still be able to access the site.
  • Individuals must be able to withdraw consent if they wish.
  • Email marketing and newsletters may not be sent unless consent has been obtained.
  • Active acceptance of Terms & Conditions should also be documented and stored.
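The following is an added example, written for this article and not code from HewardMills or any consent-management product, showing how the opt-in model described above and several points of the checklist (consent before non-essential cookies, a documented and reloadable consent record, withdrawal, and a site that remains usable without consent) can be enforced in front-end code. The cookie categories, cookie names and policy version are assumed for illustration, and the cookie jar is an in-memory stand-in constructed so the code runs outside a browser; in a real site the same manager would sit in front of document.cookie.

```javascript
// Opt-in cookie consent gate: illustrative code added for this article, not
// HewardMills' own code. Category names, cookie names and the policy version
// below are assumptions made for the demonstration.

const CATEGORIES = ["necessary", "personalisation", "analytics"]; // assumed taxonomy
const CONSENT_COOKIE = "cookie_consent"; // strictly necessary: it stores the decision itself

// In-memory stand-in for the browser cookie jar (constructed for this example).
class MemoryCookieStore {
  constructor() { this.jar = new Map(); }
  get(name) { return this.jar.has(name) ? this.jar.get(name) : null; }
  set(name, value) { this.jar.set(name, value); }
  remove(name) { this.jar.delete(name); }
  names() { return [...this.jar.keys()]; }
}

class ConsentManager {
  constructor(store, now = () => new Date()) {
    this.store = store;
    this.now = now;
    this.placed = new Map(); // cookie name -> category, so withdrawal can purge them
    // Reload any earlier decision so consent can be demonstrated on later visits.
    const saved = store.get(CONSENT_COOKIE);
    this.decision = saved ? JSON.parse(saved) : null; // null = no decision yet (opt-in)
  }

  // Record an express "yes": only categories the user actively selected are granted.
  // "necessary" needs no consent and is always included.
  record(selected, policyVersion) {
    const granted = CATEGORIES.filter(c => c === "necessary" || selected.includes(c));
    this.decision = { version: policyVersion, timestamp: this.now().toISOString(), granted };
    this.store.set(CONSENT_COOKIE, JSON.stringify(this.decision));
    return this.decision;
  }

  // Silence is not consent: no decision, or one excluding the category, means "no".
  allows(category) {
    if (category === "necessary") return true;
    return this.decision !== null && this.decision.granted.includes(category);
  }

  // Every non-essential cookie is gated behind the recorded decision.
  setCookie(name, value, category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (!this.allows(category)) return false;
    this.store.set(name, value);
    this.placed.set(name, category);
    return true;
  }

  // Withdrawal is recorded like any other decision, and cookies it no longer
  // covers are removed immediately.
  withdraw(policyVersion) {
    const decision = this.record([], policyVersion);
    for (const [name, category] of [...this.placed]) {
      if (!this.allows(category)) { this.store.remove(name); this.placed.delete(name); }
    }
    return decision;
  }
}

// One visit end to end: the site works before any decision, consent is recorded
// and later reloaded from the stored record, and withdrawal cleans up.
function demoVisit() {
  const store = new MemoryCookieStore();
  const cm = new ConsentManager(store);
  const beforeDecision = cm.setCookie("recent_items", "sku-123", "personalisation"); // refused
  cm.setCookie("session_id", "abc", "necessary"); // always allowed
  cm.record(["personalisation"], "policy-v1"); // user ticked only personalisation
  const afterConsent = cm.setCookie("recent_items", "sku-123", "personalisation");
  const analyticsStill = cm.setCookie("visitor_id", "xyz", "analytics"); // not selected
  const reloaded = new ConsentManager(store); // fresh page load reads the stored record
  const demonstrable = reloaded.allows("personalisation");
  cm.withdraw("policy-v1");
  return { beforeDecision, afterConsent, analyticsStill, demonstrable,
           remaining: store.names().sort() };
}
```

The design point is that the manager starts from "no decision" rather than a pre-ticked default, which is what makes it opt-in; the stored record carries the policy version and timestamp so the business can later show what was agreed and when, and withdrawal both rewrites that record and deletes the cookies that depended on the earlier consent.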

At HewardMills, we champion data dignity and diversity. Due to our commitment to high social and environmental performance and ensuring accountability and transparency, HewardMills has received B Corp Certification. As an accomplished Data Protection Officer service, we can support your business in upholding these values in data processing activities.

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.