November 3, 2022

EU’s ePrivacy Regulation: 2022 Updates

This blog post will explore the EU’s ePrivacy regulation and what it means for cookies and other tracking technologies. We will also discuss updates made to the law since it was first proposed.

The General Data Protection Regulation (GDPR) was a much-needed reform to how the European Union (EU) regulates data privacy. It was a massive undertaking and one that is still being fine-tuned today. But one of the essential GDPR reforms was how it tackled cookies and similar tracking technologies, especially regarding cookie consent. The EU’s ePrivacy regulation extends the GDPR, focusing specifically on cookies and other tracking technologies. It’s set to go into effect as early as 2023 and promises to be even more stringent than the GDPR regarding protecting internet user privacy. This blog post will explore the EU’s ePrivacy regulation and what it means for cookies and other tracking technologies. We will also discuss updates made to the law since it was first proposed.

What is the ePrivacy Regulation?

The ePrivacy Regulation is a new EU law that will replace the current ePrivacy Directive. It strengthens users’ online privacy rights by giving them more control over their personal data. It also imposes stricter rules on companies that collect or process this data.

The ePrivacy Regulation applies to all electronic communications services and networks accessible by the public and that provide publicly available electronic communications services, including social media platforms, email, instant messaging, and VoIP calls. It will also cover cookies and other tracking technologies used by websites and apps.

Similar to GDPR, without a preexisting business relationship, relying on legitimate interest for messaging in a business-to-business (B2B) setting will be difficult under the ePrivacy Regulation. This implies that sending advertisements to people who have not requested them may be illegal.

The regulation is currently in the final stages of negotiation. Early in 2022, negotiators reached an agreement on a draft, but it is subject to change. The implementation of the ePrivacy Regulation is not anticipated until 2023, and a grace period of 24 months has been built in.

What are cookies?

Cookies are small text files placed on your computer or mobile device by websites you visit. They store information that is widely used to make websites work more efficiently and provide information to the site owners.

The EU’s ePrivacy regulation, originally supposed to come into force on 25 May 2018, is set to replace the EU Cookie Law or the ePrivacy Directive and aims to set out new rules governing the use of cookies and similar technologies. The regulation applies to all electronic communications providers, including website operators, app developers, and providers of browser plugins.

Under the new law, cookies may only be placed on a user’s device with prior consent. This means that website operators must get explicit consent from users before using cookies or similar technologies for purposes such as collecting data for targeted advertising. Consent should be obtained the first time a user visits your site, and cookies then remember this by assigning a unique identifier to that user.

Consent is not necessary if the cookies are necessary for audience measurement (analytics) as long as the measurement is done by the provider of the service requested by the end user or by third-party cookies on behalf of the service provider or jointly.

In addition, the regulation requires website operators to provide clear and comprehensive information about their use of cookies and similar technologies. This includes specifying the purposes for which cookies will be used and providing a link to the full text of the privacy policy. This information may also be included in the website’s cookie banner.

Finally, the regulation gives users the right to withdraw their consent at any time and requires website operators to delete any data collected through cookies if consent is withdrawn.

What are the changes to the ePrivacy Regulation in 2022?

The EU’s ePrivacy Regulation is set to be finalized by the EU Council this 2022 via trilogues to include several changes. One of the most notable changes is strengthening the enforcement of using a cookie banner to inform about cookies and get consent. This change gives users more control over their privacy and data protection rights.

Other changes that will be introduced include:

  • Avoid setting cookies before receiving consent for it;
  • Adding user-friendly options to opt-in, opt-out (or reject all), or choose cookie preferences;
  • Making it easier to withdraw user consent for the use of cookies;
  • Requiring websites to provide clear and concise information about their cookie policy to disclose details about cookies and how to manage them;
  • Banning the use of so-called “forced consent,” or “cookie walls,” where users are required to accept cookies to access website content;
  • Avoiding the use of cookies for other purposes not related to the original purpose for which consent was obtained;
  • Clarifying the rules on when consent is needed for the processing of personal data;
  • Strengthening enforcement mechanisms by giving national data protection authorities (DPAs) the power to impose fines.

How will these changes affect businesses and website owners?

The EU’s new ePrivacy Regulation will significantly impact businesses and website owners. The regulation requires websites to get explicit consent from visitors before they can use cookies or other tracking technologies.

Businesses and website owners must change how they use cookies and other tracking technologies. They will also need to provide visitors with more information about their data use, such as strictly necessary cookies (i.e., first-party session cookies) and non-essential cookies (i.e., analytics cookies).

The good news is that the regulation provides a grace period of one year, so businesses and website owners have time to make the necessary changes. However, it is essential to start planning now so you can comply when the regulation comes into effect.

If you are a business or website owner, here are some things you need to know about the EU’s new ePrivacy Regulation:

1. You will need to get explicit consent from visitors before using cookies or other tracking technologies.

2. You will need to provide visitors with more information about their data use.

3. You have one year to make the necessary changes, but it is essential to start planning now to comply with the regulation.

What steps do website owners need to take to comply with the new regulation?

Website owners need to take the following steps to avoid non-compliance with the new regulation:

1. Review their website’s cookies policy and update it as necessary to ensure that it complies with the new regulations.

2. Make sure they have a mechanism to obtain consent from users for using cookies on their websites. This can be done through a popup banner or a similar notification method.

3. Ensure that they only use cookies necessary for their website’s functioning. All other cookies should only be used if the user has given explicit consent for them to be used. This will ensure your website’s cookie compliance.

4. Keep track of all user consents so they can quickly be withdrawn at any time if the user changes their mind. This can soon be done with a consent management platform, such as Secure Privacy.

5. Make sure that users can easily disable cookies from being used on their websites. This should be clearly stated in the website’s cookies policy and implemented through an easy-to-use cookie management tool.

What is the difference between the ePrivacy Regulation and the ePrivacy Directive?

The ePrivacy Regulation (EU) 2016/679 is a regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons about the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). It has not been entered into force as of October 2022.

The ePrivacy Directive (2002/58/EC) was a directive of the European Parliament and the Council of 12 July 2002 concerning personal processing data and protecting privacy in the electronic communications sector. The Cookie Law has been superseded by the General Data Protection Regulation (GDPR).

What is the difference between the ePrivacy Regulation and the GDPR?

The GDPR and ePrivacy Regulation are designed to protect the privacy of individuals part of the member states in Europe. The main difference between the two is that the GDPR applies to all data processing activities, while the ePrivacy Regulation focuses explicitly on electronic communications.

The ePrivacy Regulation covers various electronic communications, including email, instant messaging, VoIP, and cookies. It requires that all organizations handling electronic communications must take steps to protect the confidentiality of those communications. In addition, the ePrivacy Regulation imposes strict requirements on the use of cookies and other tracking technologies.

Organizations subject to the GDPR and ePrivacy Regulation must comply with both sets of regulations. However, organizations should be aware of some important differences between the two. For example, the GDPR must obtain consent for all data processing activities. However, under the ePrivacy Regulation, consent is only required for certain types of electronic communications (such as cookies).

Organizations should also be aware that each regulation has different enforcement mechanisms. Violations of the GDPR can result in fines of up to 4% of global annual revenue or €20 million (whichever is greater). In comparison, violations of the ePrivacy Regulation can result in fines of up to €10 million or 2% of global annual revenue (whichever is greater).

When will the ePrivacy Regulation be finalized?

The regulation is still in the proposal stage and has not yet been finalized. The EU Council is currently working on completing the ePrivacy Regulation, which is expected to be released no earlier than 2023. The regulation will replace the current ePrivacy Directive and include new provisions on cookies and other trackers.

EDPB opinion on draft ePrivacy Regulation

The European Data Protection Board (EDPB) has released its opinion on the draft ePrivacy Regulation, which the European Commission is currently developing. The EDPB’s opinion is positive and supportive of the draft regulation, which seeks to replace the current ePrivacy Directive with a more modern and comprehensive framework.

The EDPB notes that the draft regulation would significantly strengthen individuals’ privacy rights in electronic communications, including introducing new rules on cookies and other tracking technologies. The EDPB welcomes these proposed changes, which it believes will help to protect individuals’ privacy better online.

The EDPB also supports the draft regulation’s provisions on data protection by design and default and its requirements for businesses to provide clear and concise information to users about their rights and how their data will be used. Overall, the EDPB believes that the draft ePrivacy Regulation would significantly improve privacy protections for individuals in the EU. It urges the European Commission to continue its work on this important issue.


When the new ePrivacy Regulation updates come into effect, they will significantly impact how cookies are used and collected by businesses. The regulation is designed to keep up with other privacy laws, such as the California Consumer Privacy Act (CCPA) and the UK Information Commissioner’s Office (ICO), which give users more control over their data and require businesses to get explicit consent from users before collecting or using their data. This is a positive step forward for privacy rights, and we hope other countries will follow suit in enacting similar regulations.