The ePrivacy Regulation was proposed to replace the ePrivacy Directive (ePD), to bring a consistent, EU-wide framework that would expand data protection, cookie consent, and the scope of affected organizations. However, the data privacy landscape in the EU has changed significantly since the ePrivacy Regulation was first proposed, and as of February 2025 the proposal has been withdrawn without an explicit replacement.
We explore the ePrivacy Directive and the changes it’s undergone, current data privacy regulation, what may replace the ePrivacy Regulation, and what the challenges and opportunities are for European businesses given the evolving technology and regulatory landscapes, and consumers’ expectations.
What is the ePrivacy Regulation?
The ePrivacy Regulation (ePR) was a proposed legal framework intended to supersede the ePrivacy Directive (sometimes referred to as the “cookie law”), expanding its jurisdiction throughout the EU.
Its core objective was to bolster privacy safeguards for electronic communications, encompassing data such as text, images, speech, video, and metadata, extending beyond traditional telecommunications to include services like instant messaging, VoIP, and email.
Who would have had to comply with the ePrivacy Regulation?
The ePrivacy Regulation would have applied to both natural and legal persons involved in sending electronic communications, and would have impacted any organization that processes data relating to online communication services, uses online tracking technologies, or engages in electronic direct marketing.
This would have included:
- Website owners
- App owners that use electronic communication
- Companies that send direct marketing communications
- Telecommunications companies
- Messaging service providers (e.g. WhatsApp, Facebook)
- Internet access providers (e.g. a café providing open Wi-Fi)
- Machine-to-machine communication providers (Internet of Things)
What is the status of the ePrivacy Regulation?
The European Commission’s proposal to expand the ePrivacy Directive (ePD) and implement the ePrivacy Regulation (ePR) was initially introduced in 2017. The goal was to create a comprehensive regulation that would complement the GDPR by safeguarding privacy and personal data in electronic communications within the EU. The ePR was also intended to have extraterritorial reach. However, the legislative process encountered significant delays.
Ultimately, the European Commission officially withdrew the ePR on February 5, 2025, due to a lack of consensus among legislators and the recognition that the proposal had become outdated. The Commission acknowledged that, following years of delays, the proposal was no longer current in light of recent technological and legislative developments.
Has any other law replaced the intended ePrivacy Regulation?
The ePrivacy Directive’s guidelines remain in place for EU member states, but still must be interpreted and implemented into each country’s regulatory framework separately. European Commission spokesman Thomas Regnier commented that the Digital Services Act (DSA), which came into effect in November 2022, provides a “strong framework to ensure a high level of privacy, especially for minors (Article 28)”.
The DSA regulates use of personal data for advertising, among other functions. Platforms must obtain prior consent from EU audiences to use their data for advertising purposes. The DSA also bans the use of minors’ data for targeted advertising, as well as banning ad use of data categorized as sensitive, such as health information or religious or political views, in most cases.
What is the ePrivacy Directive (ePD)?
The ePrivacy Directive was implemented in 2002 and updated in 2009 to address privacy concerns in electronic communication in the EU. The ePD mandates:
- Confidentiality of communication over public networks
- Prior user consent for cookie use
- Security guidelines for electronic communication services
- Regulation of direct marketing practices
Implementation of the ePD led to increased use of cookie consent banners in the EU, which provide notifications about data collection and obtain user consent. Although required to be incorporated into national laws, the ePD’s enforcement varies across EU member states. In November 2023, the European Data Protection Board expanded the scope of technologies covered by the ePD.
Who does the ePrivacy Directive apply to?
The ePrivacy Directive (ePD) applies to a wide range of organizations that either provide electronic communications services or process the personal data of EU residents. These include:
- Website operators that use cookies or other tracking technologies to collect information about site visitors and customers.
- Businesses that process personal data, including those engaged in digital marketing, tracking via cookies, or otherwise using digital means to collect personal data via websites or other digital services.
- Third parties using tracking technologies on websites or apps to track user behaviors or activities, such as social media platforms, advertisers, or analytics providers.
- Electronic communications services providers that enable electronic communications and collection of personal data, such as internet service providers (ISPs), telephone service providers, or public communications networks.
What updates have been made to the ePrivacy Directive?
Article 5(3) of the ePrivacy Directive states that companies or websites must obtain prior consent from users before they can store information on or retrieve information from a user’s device (like a computer or smartphone).
Under Guidelines 2/2023 on the Technical Scope of Article 5(3), the European Data Protection Board (EDPB) expanded the application of the ePrivacy Directive (ePD) for storing or accessing information on a user’s device.
The EDPB adopted a broad interpretation of what constitutes terminal equipment — like smartphones or personal computers — and the nature of information, suggesting that many digital tracking methods will require prior consent unless they are necessary for delivering a requested service.
The guidelines specifically address the use of several modern tracking technologies that have become prevalent in digital marketing and online tracking, including the following.
- URL and pixel tracking: Tracking pixels are tiny images embedded in websites or emails and linked to a server. When an email containing a tracking pixel is opened, or a web page with one is visited, the server records the action and captures details such as the time the email was opened, the recipient’s IP address, and the type of device used. Tracking parameters in URLs that link to websites help identify where visitors come from.
- Local processing: Sometimes, websites use APIs to access information stored on a user’s device, such as location data. If processed information is made available over the network, it is considered gaining access to stored information under ePD guidelines.
- Tracking based on IP address only: Some technologies rely only on the collection of the IP address for the tracking of users. If the IP address originates from the terminal equipment of the user, Article 5(3) of the ePrivacy Directive would apply.
- Internet of Things (IoT) reporting: Under ePD guidelines, companies require user consent for data collection and processing by devices connected directly or indirectly to the internet. This applies to smart devices like fridges or fitness trackers, whether they send data directly or through another device like a smartphone.
- Unique Identifier: Unique identifiers (UIDs) are special codes attached to a user’s online data to signify that it belongs to that user. They often derive from persistent personal data, i.e. personal information that doesn’t change much over time, such as email addresses, usernames or account IDs, or date of birth. UIDs are used to recognize users across different websites or apps. When a website tells a user’s browser to send this data, it is accessing information on the device and invokes Article 5(3) of the ePD.
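As an added example that is not part of the original article or of Cookiebot’s tooling, the following Python script audits a constructed HTML newsletter body for two of the patterns described above: tiny images fetched with identifying query parameters (tracking pixels) and links carrying campaign or recipient parameters (URL tracking). The sample HTML, the host names and the TRACKING_PARAMS set are assumptions; a real audit needs the parameter list tuned to the trackers actually in use.

```python
"""Audit an HTML page or e-mail body for tracking pixels and tracked URLs.

Added example (not Cookiebot's code). It flags the two patterns the EDPB
guidelines describe: hidden or 1x1 images whose request carries query
parameters (open/visit tracking pixels) and links whose query string
carries campaign or recipient identifiers (URL tracking). Both cause the
client to transmit information about the visit, which is what makes them
relevant to the prior-consent rule in Article 5(3).
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample: one logo, one tracked link, one plain link, one pixel.
# All host names are made up for the example.
SAMPLE_HTML = """
<html><body>
  <img src="https://www.example.com/logo.png" width="200" height="60" alt="logo">
  <p>Read our <a href="https://www.example.com/blog?utm_source=newsletter&utm_campaign=spring&uid=u-42">latest post</a>.</p>
  <p>Or visit the <a href="https://www.example.com/contact">contact page</a>.</p>
  <img src="https://px.tracker.invalid/open.gif?uid=u-42&msg=spring" width="1" height="1" alt="">
</body></html>
"""

# Assumed list of query parameters that usually carry a recipient or click id.
TRACKING_PARAMS = {"uid", "cid", "rid", "fbclid", "gclid", "mc_eid"}


def _host(url):
    return (urlsplit(url).hostname or "").lower()


class TrackerAuditor(HTMLParser):
    """Collects findings while the standard-library parser walks the tags."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host.lower()
        self.findings = []

    @staticmethod
    def _is_tiny(attrs):
        # Attribute values may be None when written without "=value".
        w = (attrs.get("width") or "").strip()
        h = (attrs.get("height") or "").strip()
        style = (attrs.get("style") or "").replace(" ", "").lower()
        return (w in ("0", "1") and h in ("0", "1")) or "display:none" in style

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img":
            src = attrs.get("src") or ""
            params = parse_qs(urlsplit(src).query)
            # A hidden image that still passes parameters exists only to make
            # the client fetch it and report the visit: a tracking pixel.
            if self._is_tiny(attrs) and params:
                self.findings.append({
                    "kind": "tracking_pixel",
                    "host": _host(src),
                    "third_party": _host(src) != self.first_party,
                    "identifiers": sorted(p for p in params if p in TRACKING_PARAMS),
                })
        elif tag == "a":
            href = attrs.get("href") or ""
            params = parse_qs(urlsplit(href).query)
            tracked = sorted(p for p in params
                             if p.startswith("utm_") or p in TRACKING_PARAMS)
            if tracked:
                self.findings.append({
                    "kind": "tracked_link",
                    "host": _host(href),
                    "third_party": _host(href) != self.first_party,
                    "identifiers": tracked,
                })


def audit_html(html, first_party_host):
    """Return the list of tracking findings for the given HTML, in document order."""
    auditor = TrackerAuditor(first_party_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML, "www.example.com"):
        print(finding)
```

Run against the sample, the script reports the first-party link (because of its utm_ and uid parameters) and the third-party pixel; the logo and the plain contact link are ignored, as is a 1x1 image that carries no parameters. The first-party/third-party flag matters because a pixel served from another host discloses the visit to that host as well.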
What is the difference between the ePrivacy Regulation and the ePrivacy Directive?
The ePrivacy Regulation and the ePrivacy Directive are both European legislative frameworks focused on privacy and electronic communications (the former proposed and since withdrawn, the latter in force), but they differ primarily in their scope, legal effect, and current status.
The ePrivacy Directive is a legislative act that requires EU member states to implement its provisions into their national laws, such as Law 34/2002 in Spain and Cookiebekendtgørelsen in Denmark. On the other hand, the ePrivacy Regulation, which was intended to replace the Directive, would have been directly applicable in all EU member states without the need to implement separate national legislation.
While both were concerned with the privacy of electronic communications, the ePrivacy Regulation aimed to update and expand the rules to align with the GDPR. It covered newer technologies and communication services, like WhatsApp and Zoom, and included new provisions on marketing communications, cookies, and the confidentiality of communications.
How do the GDPR and ePrivacy Directive compare?
While the GDPR and ePrivacy Directive overlap in certain ways and have common goals, they were created for specific purposes to address different challenges and needs. We look at how they overlap and diverge.
Key similarities between the GDPR and ePrivacy
- Regulatory body: Both laws were drafted and passed by the European Parliament and Council.
- Goals: Both laws are meant to align data privacy regulations across the EU.
- Applicability: Both laws apply to and protect EU residents and outline responsibilities for organizations handling their data.
- Personal data: Both laws apply to the collection, processing, and storage of individuals’ personal data, though the ePD applies to more types of data.
- Extraterritoriality: Both laws apply to organizations both inside and outside of the EU if they process the personal data of EU residents.
- Platforms: Both laws include digital platforms and communications, though the ePD is specific to electronic communications.
- Penalties: Both laws have high fines and other potential penalties for noncompliance.
Key differences between the GDPR and ePrivacy
- Scope and reach: The GDPR’s scope is narrower as it only covers personal data. The ePD’s reach includes both personal and non-personal data within electronic communications. Additionally, the GDPR is a regulation applicable across the EU, while the ePD guidelines must be individually legislated by EU Member States.
- Definitions: The GDPR defines “personal data” as any data that can identify an individual. The ePD focuses on “electronic communications,” including both identifying and non-identifying data.
- Purpose: The GDPR aims to give individuals control over their personal data and how it’s processed by organizations. The ePD focuses on ensuring privacy and confidentiality in electronic communications, regulating areas like tracking technologies and digital marketing.
- Types of data: The GDPR covers personal data in both electronic and hard copy formats. The ePD only applies to electronic communications data.
- Applicability: The GDPR applies to any organization that collects or uses personal data of EU residents, including both data controllers and data processors. The ePD applies to a wider range of entities involved in electronic communications, including businesses, third parties using tracking technologies, and service providers.
- Rights and protections: The GDPR grants rights and protections to natural persons (individuals). The ePD extends these rights to both natural and legal persons (organizations).
In cases of conflict, the ePrivacy Directive takes precedence over the GDPR due to its more specific focus on electronic communications.
What are the ePrivacy Directive’s cookie consent requirements?
The ePrivacy Directive states that cookies that are strictly necessary (aka “essential”) for providing a service specifically requested by the user do not require consent. These cookies, which enable a website’s basic functioning or deliver the service requested, may be used for the following purposes:
- Maintaining user session state: Including activities like preserving a user’s login status or the contents of a shopping cart during browsing
- Supporting security features: Aiding in the identification and prevention of security risks
- Remembering user input: Storing information like username, language, or region to personalize the user experience
Although exempt from consent requirements, you must still inform users about the use of these cookies, usually through a cookie and/or privacy policy.
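To show how the exemption plays out in a web application, here is an added Python example (not Cookiebot’s code) that gates Set-Cookie headers on recorded consent: cookies in the assumed “necessary” category (session state, a security token, and the remembered language) are always set, while statistics and marketing cookies are dropped unless the user’s consent cookie lists that category. The cookie catalogue, the consent cookie’s name and its comma-separated value format are assumptions for illustration.

```python
"""Gate Set-Cookie headers on the user's recorded consent.

Added example, not Cookiebot's code. The catalogue, the consent-cookie
name and its value format are assumptions. Strictly necessary cookies are
set unconditionally; every other category needs a prior opt-in recorded
for that category, so nothing non-essential is stored before consent.
"""
from http.cookies import SimpleCookie

# Assumed cookie catalogue: name -> (category, max_age_seconds).
COOKIE_CATALOGUE = {
    "sessionid": ("necessary", 3600),          # login status / shopping cart
    "csrftoken": ("necessary", 3600),          # security feature
    "lang":      ("necessary", 86400 * 365),   # remembered user input
    "_stats":    ("statistics", 86400 * 365),  # analytics, needs consent
    "_ads":      ("marketing", 86400 * 365),   # advertising, needs consent
}
NON_ESSENTIAL = {"statistics", "marketing"}
CONSENT_COOKIE = "consent"   # assumed name; value like "statistics,marketing"


def parse_consent(cookie_header):
    """Return the set of non-essential categories the user has opted in to.

    An absent consent cookie means no prior consent, so the result is empty;
    unknown category names are ignored rather than trusted.
    """
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if CONSENT_COOKIE not in jar:
        return set()
    granted = {c.strip() for c in jar[CONSENT_COOKIE].value.split(",")}
    return granted & NON_ESSENTIAL


def allowed_set_cookie_headers(wanted, cookie_header):
    """Build Set-Cookie header values for the cookies the app wants to set.

    Cookies whose category has no recorded consent are silently dropped.
    A cookie missing from the catalogue raises, so nothing is ever set
    without an explicit category decision.
    """
    granted = parse_consent(cookie_header)
    headers = []
    for name, value in wanted.items():
        if name not in COOKIE_CATALOGUE:
            raise ValueError(f"cookie {name!r} has no category in the catalogue")
        category, max_age = COOKIE_CATALOGUE[name]
        if category != "necessary" and category not in granted:
            continue   # consent for this category was not given
        jar = SimpleCookie()
        jar[name] = value
        jar[name]["max-age"] = max_age
        jar[name]["secure"] = True
        jar[name]["samesite"] = "Lax"
        # Necessary cookies are server-side state: keep them away from scripts.
        jar[name]["httponly"] = category == "necessary"
        headers.append(jar[name].OutputString())
    return headers


if __name__ == "__main__":
    wanted = {"sessionid": "abc", "csrftoken": "t0k", "lang": "da",
              "_stats": "1", "_ads": "1"}
    print("no consent recorded:")
    for h in allowed_set_cookie_headers(wanted, ""):
        print("  Set-Cookie:", h)
    print("consent=statistics:")
    for h in allowed_set_cookie_headers(wanted, "consent=statistics"):
        print("  Set-Cookie:", h)
```

With no consent cookie in the request only sessionid, csrftoken and lang are emitted; once the consent cookie lists statistics, _stats joins them while _ads is still withheld. The user must still be told about the necessary cookies in the cookie or privacy policy; the code only enforces the consent side.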
What is the future of EU privacy regulation and the ePrivacy Directive?
The ePrivacy Directive (ePD) and GDPR are aging in light of the rapidly changing technology landscape, other legislation, and the expectations of consumers. The ePD’s last update in 2009 predates TikTok and widespread iPhone use.
As noted, additional laws like the DSA, DMA, and AI Act have already been implemented that tackle data privacy from specific additional angles, and these laws intersect with existing regulations like the GDPR. The European Court of Justice also guides enforcement.
Transparency and obtaining valid consent remain crucial actions for companies to deliver consistently for regulatory compliance in Europe and around the world, as well as to build customer trust. It’s all part of the strong foundation of Privacy-Led Marketing strategy.
Cookiebot CMP automatically helps businesses achieve privacy compliance, and features like automated updates enable them to maintain compliance without a lot of regular manual intervention. Keep your customers informed, provide real consent choice, and demonstrate your respect for data privacy.
Although the ePrivacy Regulation has been withdrawn, taking steps towards compliance now can help businesses smoothly adapt to new requirements, future-proof marketing operations, and build customer trust.
FAQ
The ePrivacy Directive has a broad scope, applying to any content exchanged electronically, including text, images, speech, videos, and metadata, because it governs electronic communications. Unsolicited marketing, cookie usage, and confidentiality are three areas that the ePrivacy Directive specifically addresses.
Electronic communications content may only be intercepted or handled by individuals other than the end users if permitted by and in compliance with the ePrivacy Directive. Similarly, processing electronic communications data, including storing, monitoring, listening, scanning, or surveilling, is only lawful if it adheres to the guidelines set out in the ePrivacy Directive.
The ePrivacy Directive applies to a wide range of entities, including website owners, app publishers, natural or legal persons sending direct marketing communications, telecommunications companies, messaging service providers, and internet access or service providers.
It generally covers any organization that provides online communication services, utilizes online tracking technologies or metadata, or engages in electronic direct marketing. Additionally, the ePD extends its reach to encompass machine-to-machine communications, also often referred to as the Internet of Things.
The ePrivacy Regulation proposal was withdrawn in February 2025. It will not be coming into effect and has not been explicitly replaced by another similar law.
EU regulators have not proposed or passed any specific law to replace the ePrivacy Regulation. However, EU Member States still have to implement the ePD’s guidelines, and there have been additional laws passed that address data privacy in specific ways, including the Digital Markets Act, the Digital Services Act, and the AI Act.
The GDPR and ePrivacy Directive share a number of similarities, including a focus on protection of personal data and privacy, high fines and other potential penalties for violations, intended alignment of EU data privacy laws, applying to controllers and processors of data for individuals residing in the EU, and extraterritoriality, which creates compliance responsibilities for organizations inside and outside the EU if they process EU residents’ personal data.