EU ePrivacy Regulation: Everything You Need to Know About ePR

Want to know what’s the difference between legislation, rules and regulation? Need to know more about privacy and electronic communications regulations? Find the answers here in Consentric’s comprehensive review of EU ePrivacy Regulation on Respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/52/EC. While many organisations are still attempting to shore up their personal data privacy measures to comply with the EU’s General Data Protection Regulation (GDPR), or implementing systems of GDPR by design, already a further-reaching EU data privacy shake-up is on the horizon. A substantially updated EU ePrivacy Regulation (ePR) is expected to hit the market in the Autumn of 2019.

Our Opinion 

Before we begin we'd like to make our views on the impacts of ePR clear. The benefits for the consumer are obvious: more control over how online consumption is tracked and less irritating banners that push content down the webpage. For ad-funded companies, however, the laws represent a significant change in how operations will continue. Free services such as Facebook and Google could see their revenues tightened by the shift, as targeted ads are a substantial portion of their income.


This webpage (which will be continuously updated to stay in-line and at the forefront of any new legislation) is designed to act as your ePrivacy Regulation guide. You will find anything you need to know in our comprehensive and well-indexed resource. The new ‘Regulation on Privacy and Electronic Communications’, part of the EU’s digital single market strategy, is intended to bolster privacy across all forms of electronic communications – ranging from online messaging, phone and conference calling apps to objects connected over the Internet of Things (IoT).

The Current State of ePrivacy

In December 2016, a draft proposal of the ePrivacy regulation was leaked, followed by the first official draft being released the next month by the European Commission. The most recent version of the draft was published in May 2018. The drafts have been met with some strong opposition from various sectors, particularly advertising and marketing organizations. Notable objectors include the Interactive Advertising Bureau Europe (IAB Europe) and Digital Europe, who represent organisations such as Google, Apple, Microsoft, and IBM. The next stage of the ePR journey is an informal meeting between representatives of the European Parliament, the Council of the European Union, and the European Commission. Once the proposal is finalized and approved by vote, it will be adopted into EU law and enforced.

How does ePR fit with GDPR?

While there is much overlap between the two, GDPR is concerned solely with people’s personal data. The new ePrivacy Regulation (ePR) safeguards the confidentiality of any data or metadata involved in electronic communications – and the devices it came from. It will defend the integrity of information, even if this is not personal data, ensuring that communications-based mobile apps or internet services, such as Skype & WhatsApp, cannot be hijacked or recorded – or at least not without the explicit permission from the individuals concerned.

GDPR and ePrivacy Regulation, What’s the Connection?

  • The ePrivacy regulation is ‘lex specialis’ to the GDPR (In layman’s terms this fundamentally means the ePrivacy Regulation overrides the regulation of the GDPR in any areas of overlap).

    • This is due to ePR’s more specialised remit.
  • Both form a part of the updated EU data protection framework.
  • The financial consequences of non-compliance are expected to be the same (up to 4% of global annual turnover).

Additional to new controls over web cookies and tracking pixels (files stored in your browser that track your interactions with websites using computers, tablets and phones) the measures will affect the data collected from devices such as:

  • Smart utility meters
  • CCTV cameras
  • Health and fitness trackers
  • Connected vehicles and more.

The new rules also cover metadata (contextual data about any data activity). This includes information such as:

  • How many times a day a device is connecting and transmitting data
  • The size of files being downloaded
  • The time, date and location of data exchanges.

Such information is invaluable to advertisers, marketers and retailers, but will need a lot of careful handling in the future if companies are to stay within the rules.

EU ePrivacy Directive and Regulation, What’s the Difference?

There is a significant difference between the ePrivacy Directive (the current legislation widely known as ‘the cookie law’) and the ePrivacy Regulation (due to be enforced in 2019). A directive is a piece of legislation from the EU that outlines goals EU member states must achieve. It does not, however, define a clear path the members should follow to achieve the goal. This gives flexibility in how the new laws are implemented. Regulations are also a piece of EU legislation that outlines goals for member states. However, they differ in the respect that regulations outline the exact path that must be followed in order to reach this goal and automatically come into force irrespective of whether member states pass their own legislation.

In Summary:

ePrivacy Directive:

  • EU legislation
  • Requires local regulations in order to implement

    • Inconsistencies in enforcement as a result
  • Designed to work alongside ‘Data Protection Directive’ (replaced by GDPR)

ePrivacy Regulation:

  • Also EU legislation
  • Self-executing
  • Legally binding across the EU
  • Designed to work alongside GDPR

The EU ePrivacy Regulation and Cookies

The end of cookie consent popups?

The ePrivacy Regulation has set an aim to simplify rules applying to cookies and rationalise cookie consent into a more ‘user-friendly’ journey. In practice, this manifests itself as the removal of the cookie consent pop-ups that we all know and loath! Instead, you shall set your cookie settings within your browser which will interact with individual websites relaying your consent automatically. From the draft text:

Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties from storing information on the terminal equipment; this is often presented as ‘reject third party cookies’. End-users should be offered a set of privacy setting options, ranging from higher (for example, ‘never accept cookies’) to lower (for example, ‘always accept cookies’) and intermediate (for example, ‘reject third party cookies’ or ‘only accept first party cookies’). Such privacy settings should be presented in an easily visible and intelligible manner”.

Cookies on BBC An example of a cookie consent bar from the BBC However, there is potential downside here. It is likely that as a result, we will see more and more websites making the sharing of cookies compulsory in order to access their content (much in the same way some websites do not allow access if you have an Ad Blocker running in your browser). The European Data Protection Service (EDPS) has commented against this notion saying the proposal “lacks ambition” with regard to ‘tracking walls’, also known as ‘cookie walls’. The Supervisor argues that access to websites must not be made conditional upon the individual being forced to ‘consent’ to being tracked across websites. Therefore the EDPS recommends a complete and explicit ban on so-called ‘tracking walls’. To complete the provision the EDPS further recommends an explicit prohibition on the practice of excluding users who have ad-blocking or other applications installed to protect their information and terminal equipment

Not all cookies are created equal

For some forms of cookie under new legislation, no consent will be required at all. This is for “non-privacy intrusive cookies” used to improve the browsing experience, such as remembering items in your shopping cart or for use in Google Analytics. This is a hotly disputed aspect to the legislation and we will, of course, keep this up to date as new views emerge.

When will EU ePrivacy regulation come into effect?

A considerably updated EU ePrivacy Regulation (ePR) is expected to be released at some in 2019, however, the exact date is not yet known.

You May Also Like:

Beyond GDPR: new EU ePrivacy Regulation


Ready to get started?

No setup costs or contract – start managing your customers permissions today

Sign up now