Ch 17.3.5–17.3.7 - Enforcement & reform
Cookie scrutiny, third-party cookie demise, ePrivacy Regulation
Cookie consent has drawn heavy regulatory fire: Privacy International (2019), NOYB's 422 complaints (2021), and in January 2022 France's CNIL fined firms €210 million over non-compliant cookie consent. Browsers are restricting third-party cookies (Google's Privacy Sandbox; Safari blocks them by default). A proposed ePrivacy Regulation would replace the Directive, broaden what needs consent, raise fines and harmonise rules across the EU - but it is not yet agreed.
| Development | Detail |
|---|---|
| NOYB complaints (2021) | 422 complaints to ten European DPAs over cookie consent mechanisms |
| CNIL fines (Jan 2022) | Totalling €210 million for cookie consent failures |
| Privacy Sandbox | Google's Chrome plan to replace third-party-cookie tracking |
| Safari | Already blocks all third-party cookies by default |
| ePrivacy Regulation | Would replace the Directive: broader consent scope, higher fines, harmonisation - not yet agreed |
The ePrivacy Regulation would be a regulation, giving greater harmonisation than the patchwork of national implementations of the Directive. Once finalised it won't be directly applicable in the UK, but UK organisations targeting EU individuals would still likely need to comply.
Key terms - quick answers
What is “CNIL”?
France's data protection authority (Commission nationale de l'informatique et des libertés).
What is “Privacy Sandbox”?
Google's Chrome initiative (announced 2019) to replace third-party-cookie cross-site tracking with more privacy-friendly tools.
What is “ePrivacy Regulation”?
A proposed EU regulation to replace the ePrivacy Directive - broader consent scope, higher fines, greater harmonisation; not yet agreed.