New e-privacy guidance tightens the rules on tracking, cookies and consent
European data protection and privacy authorities have issued fresh guidance on electronic communications data — think cookies, pixels, SDKs and the profiling that follows. The goal: make it harder to collect and use people’s data for advertising and analytics without clear, documented permission. For companies that rely on behavioral advertising or third‑party tracking, the message is simple: update your tech, your contracts and your records — and do it now.
What the guidance changes, in plain terms
– Consent must be active, specific and demonstrable. No more pre‑ticked boxes, implied acceptance or bundled consent buried in terms of service. Users must take a clear action to agree, and you must be able to prove when and how they did.
– Legitimate interest is narrowly limited. For high‑risk processing such as cross‑site tracking, profiling and behavioral advertising, regulators make it clear that legitimate interest will rarely be an appropriate legal basis.
– Third parties are on notice. Any provider integrated into a site or app must enable granular choices and respect the user’s consent state — not override it.
– Stronger record‑keeping and transparency expectations. Consent logs should include timestamps, the exact UI the user saw, the purposes consented to, and a way to export that evidence for audits.
Why this matters
Regulators are turning up the heat. Supervisory authorities across the EU — often working together — are ready to investigate and sanction businesses that allow tracking before valid consent or that obscure user choices. Penalties can go beyond fines: stop‑processing orders, deletion requirements and public corrective notices are all on the table, and they can seriously disrupt business models that depend on behavioral advertising.
Practical impact on operations
– Tag managers, consent management platforms (CMPs) and vendor integrations must be reconfigured so non‑essential scripts are blocked until consent is granted.
– Consent flows need to be purpose‑based and granular: users must be able to accept or refuse each category without losing essential functionality.
– Technical evidence matters: store consent records in an auditable format (timestamps, dialog version, user choices). Pre‑deployment testing and versioned screenshots or hashes of consent dialogs will strengthen your position in a review.
Step‑by‑step actions companies should take now
1. Inventory everything
– Map all cookies, pixels, SDKs and server‑to‑server connections.
– For each element, record purpose, data types, retention period and current legal basis.
2. Fix consent UX and blocking logic
– Require explicit opt‑ins for non‑essential purposes.
– Separate strictly necessary cookies from other categories.
– Ensure withdrawal is as easy as opt‑in.
3. Strengthen evidence and logging
– Capture when consent was given, what was shown, and what choices were made.
– Keep logs exportable and tamper‑evident for audits.
4. Revisit legal bases and contracts
– Reassess any reliance on legitimate interest for profiling or cross‑site tracking.
– Update data processing agreements with vendors to reflect purpose limits, security obligations and cross‑border rules.
5. Prioritise high‑risk items
– Tackle cross‑site identifiers, third‑party ad tech and profiling flows first — these are the focus of supervisory scrutiny.
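The "technical evidence" point above and steps 2 and 3 of the checklist call for consent records that carry a timestamp, the exact dialog version shown, the per‑purpose choices, and a tamper‑evident, exportable format. The following Python is an added example, not code from the guidance or from any CMP product: each record is a canonical JSON body hashed into a chain, the dialog is fingerprinted by a hash of its markup, and a gate blocks non‑essential purposes until a grant is on record. Subject ids, dialog markup and timestamps are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first record


def dialog_hash(dialog_html: str) -> str:
    """Fingerprint of the exact consent UI the user saw (the 'dialog version')."""
    return hashlib.sha256(dialog_html.encode("utf-8")).hexdigest()


def canonical(record: dict) -> bytes:
    """Deterministic serialisation so a record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


class ConsentLog:
    def __init__(self):
        self.records = []

    def append(self, subject_id, dialog_html, choices, action, ts=None):
        """Record one grant/withdrawal event; choices maps purpose -> True/False."""
        body = {
            "ts": (ts or datetime.now(timezone.utc)).isoformat(),
            "subject": subject_id,
            "dialog_sha256": dialog_hash(dialog_html),
            "action": action,  # "grant" or "withdraw"
            "choices": dict(sorted(choices.items())),
            "prev": self.records[-1]["hash"] if self.records else GENESIS,
        }
        entry = dict(body)
        entry["hash"] = hashlib.sha256(canonical(body)).hexdigest()
        self.records.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every hash and link; any edited or dropped record fails."""
        prev = GENESIS
        for r in self.records:
            body = {k: v for k, v in r.items() if k != "hash"}
            if r["prev"] != prev or hashlib.sha256(canonical(body)).hexdigest() != r["hash"]:
                return False
            prev = r["hash"]
        return True

    def permitted(self, subject_id, purpose) -> bool:
        """Block by default: only the latest recorded choice for a purpose can grant it."""
        for r in reversed(self.records):
            if r["subject"] == subject_id and purpose in r["choices"]:
                return r["choices"][purpose]
        return False

    def export(self) -> str:
        """Audit export as JSON lines, one record per line."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.records)
```

Call `permitted()` from the tag‑gating layer before loading any non‑essential script, and run `verify()` over the exported file during an audit.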
Operational best practices to reduce enforcement risk
– Governance: appoint a privacy owner to coordinate remediation, vendor oversight and evidence collection.
– Technical controls: use a CMP that supports granular consent, and implement tag‑blocking until consent is in place.
– Process: maintain a RoPA (record of processing activities), run regular audits of tracking technologies and integrate DPIAs into product roadmaps.
– Culture: train marketing and product teams on the limits of legitimate interest and on clear, user‑friendly communications.