January 21, 2022

ePrivacy Regulation: What you need to know | Secure Privacy 

The final draft of the ePrivacy Regulation was adopted and it is now in the next stage of negotiations before becoming law in the EU. What does the ePrivacy Regulation cover, and why should you be preparing for it? Find out more here!

What is the ePrivacy Regulation?

The Regulation on Privacy and Electronic Communications, also known as the ePrivacy Regulation, is an EU proposal that aims to regulate privacy and confidentiality in electronic communications within the EU. It was first adopted as a proposal in 2017 and has since gone through several revisions.

The ePrivacy Regulation would repeal the Privacy and Electronic Communications Directive 2002 (“ePrivacy Directive”) and would complement the General Data Protection Regulation (“GDPR”) with regards to data protection-related topics. 

The final draft was adopted in February 2021 and the law progressed to the next stage of negotiations before becoming an applicable law across the EU. The ePrivacy Regulation is an EU regulation which means that once enacted, it will be binding across all member states of the EU without having to be implemented into national laws. 

The Regulation would leave room for minor adaptations by the member states as they would be able to introduce national provisions to further specify and clarify the application of the rules of the ePrivacy Regulation.

What does the ePrivacy Regulation apply to?

The planned ePrivacy Regulation is intended to protect the privacy of electronic communications involving residents of EU member states. Put simply, it is about who can track the digital traces of users in e-communications, whether they are chatting via text message, on the phone, shopping or engaging in other activities online. 

It is expected that the ePrivacy Regulation will focus on the protection of privacy for data being communicated electronically, in contrast to the GDPR, which applies to wider protection areas by ensuring a smooth flow of data between member states. Therefore, the ePrivacy Regulation will impact all those who operate telecommunication services or use commercial media services, tracking cookies and customized advertising. Examples of companies likely to be affected include:

  • Messaging service providers such as WhatsApp, Facebook, and Skype
  • Natural or legal individuals conveying direct marketing communications
  • Website owners
  • Proprietors of apps that incorporate electronic communication
  • Internet access providers
  • Telecommunication firms

Why was the ePrivacy Regulation adopted?

The ePrivacy Directive was passed in 2002 and went through amendments in 2009 to reflect the changes in electronic communications. The Directive became known as the “EU Cookie law” since it set out rules on online tracking through cookies and other techniques. However, the Directive has not fully kept pace with the evolution of technological and market reality which resulted in insufficient protection of privacy and confidentiality in the electronic communications sector. Further, the ePrivacy Directive was an EU directive which had to be transposed into national laws by EU member states. This led to an inconsistent application of its rules by individual member states. These reasons paved the way for a more effective law which would be applicable across the EU without being implemented by member states. 

The ePrivacy Regulation has been pushed back a couple of times since then because of significant lobbying from different stakeholders and institutional dialogues that resulted in delays in its implementation. See more about ePrivacy Regulation Status.

What is the scope of the ePrivacy Regulation?

Compared to the pre-existing ePrivacy Directive, which was commonly described as the ‘Cookie Law,' the ePrivacy Regulation has a wider scope. The ePrivacy Regulation will apply not only to traditional electronic communication service providers, such as mobile and landline telephone operators, but will also cover Internet instant messaging and VoIP apps (email, apps, etc.), as well as machine-to-machine communications such as the IoT (Internet of Things).

Additionally, the latest draft of the ePrivacy Regulation sets out a much higher threshold for obtaining consent than under the current ePrivacy Directive. The crucial areas covered include:

Electronic Communications

The scope of the current Directive is limited to conventional forms of communication like e-mails and Short Messaging Services. The ePrivacy Regulation seeks to incorporate modern forms of communication, such as messaging services on social media platforms like WhatsApp and Facebook Messenger, as well as VoIP providers.


While the ePrivacy Directive obliges the user to provide cookie consent on every website they access, the ePrivacy Regulation proposes that users offer approval through browser settings. The objective of this proposal is to make it easier for browser settings to allow blanket acceptance or refusal of tracking cookies and identifiers. 

Additionally, when cookies are only used for technical reasons such as remembering the contents of a cart when shopping online, users will not be expected to provide consent for their use. However, tracking, which includes targeting and retargeting users with cookies for advertising purposes, will require consent.


The ePrivacy Regulation has comprehensive protections against spam, which includes text messages, unsolicited emails, and automated calling systems. Promotional callers must also reveal their contact number or alternative distinguishing codes to specify when it is a marketing call.

Direct Mail

Under this proposed regulation, consumers will be expected to provide explicit consent to get any marketing material from a business, in addition to being given the option to opt-out through unsubscribe messages.


The ePrivacy Regulation targets the metadata of electronic communications along with their content. Metadata is data that describes other data, such as author, date created and location. Metadata should be anonymized or deleted unless users give their consent, except for the circumstance where the data is needed for billing purposes.

Cookie Walls

“Tracking wall” is a term used to describe a website that restricts access to its content unless the visitor provides consent to the use of cookies. The ePrivacy Regulation aims to eliminate tracking walls. However, tracking walls could be acceptable under the ePrivacy Regulation if you give the user a choice between paying for a service or consenting to cookies, as long as you give them clear, simple, and user-friendly information about why you use cookies on your website.

What does the ePrivacy Regulation prohibit?

This law states that any seizure or usage of electronic communications content by anyone apart from the end-user can only be done in accordance with its provisions. Keeping, tracking, listening, or scanning electronic communications will only be deemed legal if they are done in compliance with the ePrivacy Regulation.

Why is the ePrivacy Regulation important?

The ePrivacy Regulation is important as it aims to regulate confidentiality and privacy in electronic communications. The content of electronic communications may reveal highly sensitive information about the individuals involved in the communication. This may include health conditions, sexual preferences, or political views, which, if disclosed, could result in personal harm, economic loss or social embarrassment.

The ePrivacy Regulation also aims to regulate metadata in electronic communications, which includes numbers called, websites visited, geographical location, and the time, date and duration of said activities. Metadata may also reveal very sensitive and personal information, as it could allow conclusions to be drawn about the private lives of the persons involved in the electronic communication, such as their social relationships, everyday lives, habits, interests and tastes.

Furthermore, electronic communications data may also reveal important information about legal entities. These could be business secrets or other sensitive information that has economic value. Therefore, the provisions of this Regulation should apply to both natural and legal persons.

How does the ePrivacy Regulation compare with GDPR?

Both the GDPR and ePrivacy Regulation are concerned with data protection practices throughout the European Union. While GDPR is mostly focused on personal information, the ePrivacy Regulation deals with the privacy of data involved in electronic communications explicitly.

Although both laws embody similar aspects of privacy, they operate under unique legal bases. GDPR and the ePrivacy Regulation will reinforce each other. However, if a data protection problem arises which is connected to electronic communications, the ePrivacy Regulation takes precedence.

Will the ePrivacy Regulation replace the GDPR?

No. The ePrivacy Regulation is not meant to be a substitute for the GDPR. It was designed to complement it. The GDPR provides an oversight framework for activities involving the processing of personal data. On the other hand, the ePrivacy Regulation focuses on supporting the GDPR’s general requirements by providing specific rules to govern the confidentiality of electronic communications of EU residents. 

What is the difference between the ePrivacy Regulation and the GDPR?

The ePrivacy Regulation is created to complement and particularize the GDPR. Both regulations thus share a lot of similarities. While both regulations revolve around data and privacy, there are some differences between the two.

Scope. Once the ePrivacy Regulation becomes law, you will be expected to comply if: 

(i) you provide an electronic communications service, 

(ii) the service you offer is delivered over an electronic communications network, 

(iii) your service and network are available publicly, and 

(iv) you offer the service and network within the EU. 

On the other hand, GDPR covers any kind of processing of EU residents’ personal data, irrespective of the kind of technology you rely on for this purpose. 

Data Covered. While GDPR is only concerned about the processing of personal data, the ePrivacy Regulation aims to ensure the confidentiality of communications, which may also contain non-personal data and data related to a legal person. 

Cookie Walls. Even though cookie walls are not specifically mentioned in the GDPR, its rules render cookie walls illegal because the users’ consent is not freely and genuinely given. By contrast, a cookie wall may be acceptable under the ePrivacy Regulation if the user is given a choice between paying for a service or consenting to cookies, provided that they are given clear, simple, and user-friendly information about the purposes of cookies used on the website. Read our blog to get a simplified breakdown of the latest EDPB Cookie Consent Guidelines.

When will the ePrivacy Regulation come into force?

It is still unknown when the ePrivacy Regulation will have full applicability. The final draft of the ePrivacy Regulation was adopted in February 2021. The next stage is trilogue negotiations among the EU Parliament, EU Council, and EU Commission. However, there is no exact date as to when the trilogue negotiations will start. It is likely that the current draft will undergo a few more changes during these negotiations. After this stage is completed, the Regulation is expected to enter into force. The final stage is a transition period of 24 months, after which the ePrivacy Regulation would take full effect across the EU.

Who will enforce the ePrivacy Regulation?

National data protection authorities that are charged with the power of monitoring the application of the GDPR will also be responsible for monitoring the application of the ePrivacy Regulation. 

Furthermore, the European Data Protection Board, established pursuant to the GDPR, will be able to ensure the consistent application of the ePrivacy Regulation across the EU. 

How can my organization prepare for the ePrivacy Regulation?

This law is not meant to replace GDPR. Instead, the two regulations are intended to work in tandem. What this means is that the ePrivacy Regulation will not introduce changes that would compel already GDPR-compliant businesses to restart the entire process from scratch. It will only broaden the scope of EU privacy regulations and companies will be expected to comply with both rules.

When the ePrivacy Regulation is adopted fully, consent is likely to be the core legal ground for data handling. However, the law uses the GDPR definition of consent. Devising a technique of obtaining consent that is compliant with GDPR requirements is an excellent place to start.

How can Secure Privacy help you with the ePrivacy Regulation?

Under the ePrivacy Regulation, you need the user’s explicit consent before you collect, store, or process their personal data. To achieve this, you must give your users a genuine choice whether or not to accept cookies and other related tracking technologies. Secure Privacy’s GDPR compliant cookie banner allows you to give your users control over their cookie consent choices.

If you would like to get all your questions about the ePrivacy Regulation answered by a data privacy legal expert, book a 30-minute call and we will be more than happy to assist with your compliance efforts.
