What is the ePrivacy Regulation?
The ePrivacy Regulation is a draft European Union (EU) regulation that governs all electronic communications on publicly available services and networks inside the European Union.
The EU’s data privacy laws currently consist of the General Data Protection Regulation (GDPR) and the 2002 ePrivacy Directive, sometimes known as the “cookie law”. If passed, the new ePrivacy Regulation would repeal and replace the ePrivacy Directive and bring significant updates by including new technologies in its legal framework.
Its goal is to strengthen data privacy safeguards, extending protections not only to data processed by traditional telecommunications providers, but to all electronic communications services, such as texts, emails, voice over internet protocol (VoIP), and instant messaging services like WhatsApp and Facebook Messenger.
Timeline of the ePrivacy Regulation
The ePrivacy Regulation was intended to come into force alongside the GDPR in May 2018. There have, however, been considerable delays since the draft was first published. Key dates include:
- January 2017: the draft text of the ePrivacy Regulation was published
- October 2017: the European Parliament published a report with proposed amendments
- February 2021: the European Council published its proposed amendments and a mandate for negotiations with the European Parliament
- May 2021: trilogue negotiations officially began, involving the European Commission (EC), European Parliament, and European Council, aiming to reach a consensus on the final text
What is the status of the ePrivacy Regulation?
As of August 2024, the ePrivacy Regulation is still in trilogue discussions involving the European Parliament, the European Council, and the European Commission. If the draft ePrivacy Regulation is finalized, it will officially become law 20 days after its publication in the EU Official Journal. However, it will only start to apply two years after this date, giving organizations affected by the regulation time to achieve compliance.
What is the difference between the ePrivacy Regulation and the ePrivacy Directive?
The ePrivacy Regulation and the ePrivacy Directive are both European legislative frameworks focused on privacy and electronic communications, but they differ primarily in their scope, legal effect, and current status.
The ePrivacy Directive is a legislative act that requires EU member states to implement its provisions into their national laws, such as Law 34/2002 in Spain and Cookiebekendtgørelsen in Denmark. On the other hand, the ePrivacy Regulation, which is intended to replace the Directive, is a regulation that would be directly applicable in all EU member states without the need to implement national legislation.
While both are concerned with the privacy of electronic communications, the ePrivacy Regulation aims to update and expand the rules to align with the GDPR. It covers newer technologies and communication services, like WhatsApp and Zoom, and includes new provisions on marketing communications, cookies, and the confidentiality of communications.
What is the difference between the ePrivacy Regulation and the GDPR?
The GDPR protects the personal data of individuals inside the EU, while the ePrivacy Regulation will protect the privacy of electronic communication of individuals and businesses inside the EU.
The ePrivacy Regulation is a lex specialis to the GDPR, which is a lex generalis. This means that it complements the GDPR with rules that apply specifically to the electronic communications sector, which are not explicitly addressed in the GDPR. As lex specialis, the ePrivacy Regulation will override the GDPR in the specific areas that it covers.
The EU ePrivacy Regulation, when it comes into effect, will not replace the GDPR. Rather, these will be two different and complementary laws, deriving from two different rights of the European Charter of Human Rights. The GDPR covers the right to protection of personal data, while the ePrivacy Regulation will encompass a person’s right to a private life, including confidentiality, in all electronic communications.
Who does the ePrivacy Regulation apply to?
The ePrivacy Regulation includes an array of electronic communications services beyond traditional telecom companies. It applies to both businesses and individuals involved in electronic communication who:
- handle data related to online communication services
- use online tracking tools like tracking cookies and other website tracking technologies
- provide directories of end users
- engage in electronic direct marketing
This includes website owners using cookies, app developers, direct marketers using emails or messages, telecommunications firms, online messaging services, and Internet of Things (IoT) providers, among others.
It has extraterritorial scope like the GDPR, and regulates data pertaining to end users within the EU regardless of where the data collection or processing occurs. This means that entities both inside and outside the EU must comply if they handle data of EU residents.
Who does the ePrivacy Regulation protect?
Unlike the GDPR and ePrivacy Directive, which protect the personal data of individuals or natural persons, the ePrivacy Regulation aims to protect the fundamental rights and freedoms of “legal persons” with respect to electronic communications services. Legal persons would include not only individuals but any legally registered entity or business.
What are the ePrivacy Regulation’s requirements?
Since the ePrivacy Regulation is still in the negotiation stage, the specific obligations and rules could be subject to change until it is finalized and adopted. However, if the draft is passed without any amendments, the following requirements will apply for all persons and businesses subject to it.
Confidentiality under the ePrivacy Regulation
Entities that handle electronic communications data must keep them confidential by default. The draft regulation specifically forbids the following actions related to electronic communications data by someone other than the data owner:
- listening
- tapping
- storing
- monitoring
- scanning or other kinds of interception
- surveillance
- processing
Art. 6 of the draft regulation permits processing electronic communications data in specific cases, such as for ensuring the transmission of a communication, maintaining or restoring network security, identifying technical issues in the communication’s delivery, or if the end user has given explicit consent for a specific purpose.
Electronic communications data under the regulation includes:
- electronic communications content, defined as “content exchanged by means of electronic communications services, such as text, voice, videos, images, and sound”
- electronic communications metadata, defined as data processed electronically “for the purposes of transmitting, distributing or exchanging electronic communications content”, including the method of communication, device location, date, time, duration, and type of communication
Storage and erasure under the ePrivacy Regulation
Under Art. 7 of the draft regulation, electronic communications service providers must:
- delete the content or anonymize the data once the intended recipient receives it
- erase the metadata or anonymize it when it’s no longer needed for transmitting the communication
Cookies under the ePrivacy Regulation
Cookies are a widely used technology for collecting, processing, and sharing personal data from end users on the internet today, and the GDPR requires explicit consent from end users before non-essential cookies can be activated.
Cookie consent remains a core part of the EU ePrivacy Regulation, and cookies and similar website trackers are also covered under the new draft data privacy law. The draft regulation largely retains the current requirement to obtain consent to set or read a cookie unless the cookie is necessary for the provision of the relevant electronic communication services.
Consent has the same meaning, and must meet the same strict conditions as consent under the GDPR.
Under Art. 8 of the draft ePrivacy Regulation, cookies and other tracking technologies are prohibited except when:
- they are necessary for the sole purpose of transmitting the electronic communication
- the end user has given their explicit consent
- the end user has requested a service that requires them
- they are necessary for website analytics, where:
  - the data collection and analytics is done by the website itself, or
  - if done by a third-party service, this third party complies with the requirements of the GDPR
Recital 21 states that cookies should be used without consent only in “situations that involve no, or only very limited, intrusion of privacy.” Examples include:
- to keep track of a multi-page form’s inputs
- identity verification during online transactions
- remembering items placed in a shopping cart
- security-related software updates for IoT devices
The draft ePrivacy Regulation also deals with cookie walls, a mechanism that some websites use to refuse access without cookie consent. The regulation does not prohibit cookie walls if the user is offered an equivalent experience or access that does not involve giving consent to cookies and trackers.
A new provision in the ePrivacy Regulation aims to reduce consent fatigue that arises when users are inundated with cookie consent requests from each website they visit. The draft ePrivacy Regulation makes it possible for end users to whitelist cookie providers in their browser settings and encourages providers to make it easy for users to amend whitelists and withdraw their consent at any time.
Direct marketing communications under the ePrivacy Regulation
Businesses are not permitted to send marketing messages to individuals through electronic means, such as emails or texts, unless these individuals have explicitly agreed to receive them. This means businesses must obtain the person’s specific, explicit consent before sending them marketing materials or communications.
If a business obtains a natural or legal person’s contact details at the time of making a purchase, the business can use this information to send marketing emails or messages about similar products or services they offer. However, they must provide a clear and straightforward way to opt out of these messages, both when they first collect the contact details and every time they send such a marketing message.
Spam under the ePrivacy Regulation
Providers of number-based interpersonal communications services — for example, traditional telephone, SMS, or VoIP — cannot add natural persons to a publicly available directory without their explicit consent. If the directory has a search function related to data other than end users’ names and numbers, they must also obtain end users’ consent before enabling this search function for their data.
For legal persons listed in a directory, the provider must give them the option to opt out of having their data included. Individuals and businesses should also be able to verify, correct, or delete their data from these directories free of charge.
These providers must also enable end users to block incoming calls from specific numbers or anonymous sources and stop automatic call forwarding from third parties.
Opinion of the European Data Protection Board on the ePrivacy Regulation
On March 9, 2021, the European Data Protection Board (EDPB) adopted a statement on the ePrivacy Regulation, underlining that the coming regulation must under no circumstances lower the level of protection offered by the current ePrivacy Directive, which it would repeal and replace, and must complement the existing GDPR by providing additional strong guarantees for confidentiality and protection of all electronic communications.
The EDPB emphasized in its statement that:
- some exceptions (in particular Article 6(1)(c), Article 6b(1)(e), Article 6b(1)(f), Article 6c) introduced by the Council seem to allow for very broad types of processing, and it recalled the need to narrow down those exceptions to specific and clearly defined purposes
- it is necessary to obtain consent that is genuinely freely given, and that this should prevent service providers from using unfair practices, such as “take it or leave it” solutions like cookie walls, which make access to services and functionality conditional on user consent
- there is a need to include an explicit provision in the ePrivacy Regulation against service providers processing information without user consent, and that enables users to accept or refuse profiling
- the ePrivacy Regulation should improve the current consent framework with an effective way to obtain consent for websites and mobile applications, by giving back control to the users and addressing the “consent fatigue”
It is still uncertain what the road ahead looks like for the draft ePrivacy Regulation while trilogue negotiations remain underway.
Enforcement of the ePrivacy Regulation and penalties
The enforcement of the ePrivacy Regulation aligns closely with the established framework under the GDPR. The same independent supervisory authorities tasked with monitoring GDPR compliance — the Data Protection Authorities of the EU Member States — will oversee application of the ePrivacy Regulation. The EDPB will ensure the regulation is uniformly applied across all EU Member States. End users of electronic communication services can seek remedies under the same legal provisions that protect data subjects under the GDPR.
For violations of the EU ePrivacy Regulation, penalties will be tiered based on severity, which is also how the GDPR and a number of other international privacy regulations are set up. Less serious infractions can lead to penalties up to 2 percent of the violator’s annual worldwide turnover or up to EUR 10 million, whichever is greater. More severe violations may result in fines up to 4 percent of annual worldwide turnover or up to EUR 20 million, whichever is greater.
How can businesses prepare for ePrivacy Regulation compliance?
Businesses can take steps towards ePrivacy Regulation compliance by implementing several key practices, including:
- displaying GDPR-compliant cookie banners to inform end users about your website’s cookie usage and to obtain explicit user consent before setting cookies
- simplifying the management of user consents and enabling users to easily withdraw consent with a consent management platform (CMP) like Cookiebot CMP
- employing Google Consent Mode alongside Google Tag Manager to ensure that tags aren’t triggered unless a user has explicitly consented to the collection of their data
- keeping your cookie policy and/or privacy policy updated to reflect your organization’s privacy practices and evolving legal requirements
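As an added example, not Cookiebot's, Google's, or the page's own code, the following JavaScript shows the gating logic a consent setup needs in order to satisfy the list above: non-essential tags stay blocked until the user has explicitly opted in, a tag with an undeclared category fails closed, and withdrawal reverts to default deny. The category names, tag identifiers and the `recordConsent`/`partitionTags` helpers are constructed for illustration and do not correspond to any vendor API.

```javascript
// Added example (not the page's, Cookiebot's or Google's code): a minimal,
// fail-closed consent gate for website tags. Category and tag names are
// constructed for illustration only.

// Consent categories a banner typically exposes. "necessary" never needs
// consent: it covers cookies required to deliver the service the user asked for.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// State before the user has made any choice: everything non-essential is denied.
function defaultConsent() {
  return { necessary: true, preferences: false, statistics: false, marketing: false, decidedAt: null };
}

// Build a consent record from an explicit user choice.
// - unknown categories are rejected, so a tag cannot be smuggled in under an
//   unlisted label;
// - "necessary" cannot be switched off;
// - only a literal `true` counts as consent; any other value is a refusal.
function recordConsent(choices, now = Date.now()) {
  const state = defaultConsent();
  for (const [category, granted] of Object.entries(choices)) {
    if (!CATEGORIES.includes(category)) {
      throw new Error(`unknown consent category: ${category}`);
    }
    if (category === "necessary") continue;
    state[category] = granted === true;
  }
  state.decidedAt = now;
  return state;
}

// Withdrawal must be as easy as giving consent: revert to default deny while
// keeping the fact (and time) that the user decided.
function withdrawConsent(now = Date.now()) {
  return { ...defaultConsent(), decidedAt: now };
}

// A tag may fire only if it declares a known category and that category is
// granted. No category, or an unknown one, means the tag never fires.
function mayFire(tag, consent) {
  if (!CATEGORIES.includes(tag.category)) return false;
  return consent[tag.category] === true;
}

// Split a tag list into the tags that may run now and those to hold back.
// A tag manager would call the loader for `fire`; returning the partition
// keeps the decision testable.
function partitionTags(tags, consent) {
  const fire = [];
  const hold = [];
  for (const tag of tags) {
    (mayFire(tag, consent) ? fire : hold).push(tag.id);
  }
  return { fire, hold };
}

// Constructed sample tags, including one with an undeclared category.
const SAMPLE_TAGS = [
  { id: "session-cookie", category: "necessary" },
  { id: "analytics", category: "statistics" },
  { id: "ad-pixel", category: "marketing" },
  { id: "mystery-pixel", category: "tracking" },
];

// Walk the lifecycle: page load, opt-in to statistics only, then withdrawal.
function demo() {
  const beforeChoice = partitionTags(SAMPLE_TAGS, defaultConsent());
  const optedIn = recordConsent({ statistics: true, marketing: "yes" }, 1);
  const afterChoice = partitionTags(SAMPLE_TAGS, optedIn);
  const afterWithdrawal = partitionTags(SAMPLE_TAGS, withdrawConsent(2));
  return { beforeChoice, afterChoice, afterWithdrawal };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two design choices matter here. Treating anything other than a literal `true` as a refusal means a pre-ticked box, a string, or an undefined value from a misconfigured banner never unlocks a category, which is how "explicit consent" translates into code. Failing closed on unknown categories means a newly added tag that nobody classified is blocked rather than silently firing.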
Although the ePrivacy Regulation is still in negotiations, taking steps towards compliance can help businesses smoothly adapt to new requirements, future-proof marketing operations, and build customer trust.
FAQ
The EU ePrivacy Regulation is a proposed regulation intended to update and replace the 2002 ePrivacy Directive. It aims to enhance privacy protections for electronic communications across all publicly available networks and services within the EU.
While the GDPR focuses on protecting personal data of EU residents, the ePrivacy Regulation specifically targets the privacy of electronic communications for natural and legal persons. It is designed as a lex specialis to the GDPR, meaning it provides specific rules for the electronic communications sector that override the more general protections under the GDPR where applicable.
The draft ePrivacy Regulation applies to a wide range of entities, including traditional telecom companies, internet service providers, and businesses that handle data related to electronic communication services. This encompasses those using online tracking tools, providing directories of end users, or engaging in electronic direct marketing.
The ePrivacy Regulation requires explicit user consent for non-essential cookies and reinforces strict consent conditions similar to the GDPR. It allows exceptions for cookies necessary for electronic communications or services requested by the user. The regulation does not outright prohibit cookie walls, but mandates that alternatives must be provided that do not require consent to cookies. The regulation also introduces settings for users to manage consent directly via browsers, aiming to reduce consent requests and make consent management easier.
As of August 2024, the ePrivacy Regulation is still in the trilogue negotiations between the European Commission, European Parliament, and European Council. Once finalized, it will officially become law 20 days after its publication in the EU Official Journal and will start to apply two years after this date, allowing time for organizations to comply.