November 5, 2021

What is the EU ePrivacy Regulation?

Do you know what the ePrivacy Regulation is and who it applies to? Read all about what you need to know about the ePrivacy Regulation right here.

The European Commission issued a proposal for a new ePrivacy law on January 10, 2017, that sought to replace the existing ePrivacy and Electronic Communications Directive, which was enacted in 2002 to oversee privacy regulations across the EU.

The ePrivacy Regulation was meant to come into effect in May 2018 alongside the GDPR, as a replacement for the ePrivacy Directive, also known as the ‘EU Cookie Law,’ which was adopted in 2002.

However, due to intense lobbying and stakeholder discussions, 14 draft proposals under different EU Council Presidency's have been tabled without success since.

What Does The EPrivacy Regulation Apply To?

The planned ePrivacy Regulation is intended to protect the privacy of electronic communications involving residents of EU member states. Put simply, it is about who can track the digital traces of users in e-communications, whether they are chatting via text message, on the phone, shopping or engaging in other activities online. 

It is expected that ePrivacy Regulation will focus on the protection of privacy for data being communicated electronically, in contrast to GDPR, which applies to wider protection areas by ensuring a smooth flow of data between member states. Therefore, ePrivacy Regulation will impact all those who operate telecommunication services or use commercial media services, tracking cookies and customized advertising. Examples of companies likely to be affected include;

  • Messaging service providers such as Whatsapp, Facebook, and Skype
  • Natural or legal individuals conveying direct marketing communications
  •  Website owners
  • Proprietors of apps that incorporate electronic communication
  • Internet access providers
  • Telecommunication firms

What Are The Penalties?

The ePrivacy Regulation applies the same fine as the GDPR. Anyone found to violate its requirements will be fined 20 million Euros or 4% of annual global revenue.

What Is The Scope Of The EPrivacy Regulation?

Compared to the pre-existing ePrivacy Directive, which was commonly described as the ‘Cookie Law,' the ePrivacy Regulation has a wider scope. The ePrivacy Regulation will be applicable not only towards the traditional electronic communication service providers, such as mobile and landline telephone operators, but will also cover the Internet instant messaging and VOIP apps (email, apps, etc.), as well as machine-to-machine communications such as the IoT (Internet of Things).

Additionally, the latest draft of the ePrivacy Regulation sets out a much higher threshold for obtaining consent than under the current ePrivacy Directive. The crucial areas covered include;

Electronic Communications

The scope of the current Directive is limited to conventional forms of communication like  e-mails and Short Messaging Services. The ePrivacy Regulation seeks to incorporate modern forms of communication, such as messaging services on social media platforms like Whatsapp and Facebook Messenger, as well as VoIP providers.


While the ePrivacy Directive obliges the user to provide cookie consent on every website they access, the ePrivacy Regulation proposes that users offer approval through browser settings. The objective of this proposal is to  make it easier  for browser settings to allow blanket acceptance or refusal of tracking cookies and identifiers. 

Additionally, when cookies are only used for technical reasons such as remembering the contents of a cart when shopping online, users will not be expected to provide consent for their use. However, tracking, which includes targeting and retargeting of users through the use of cookies for advertising purposes, will require consent.


The ePrivacy Regulation incorporates comprehensive protections against spam that includes text messages, unsolicited e-mails, and automated calling systems. Promotional callers must also reveal their contact number or alternative distinguishing codes to specify when it is a marketing call.

Direct Mail

Under this proposed regulation, consumers will be expected to provide explicit consent to get any marketing material from a business, in addition to being accorded the option to opt-out through unsubscribe messages


The ePrivacy Regulation targets metadata, which describes information such as;

  • The number of times a day a device is connecting and transmitting data
  • The magnitude of downloadable files
  • Time, date, and location of data transfers

Cookie Walls

Tracking Walls is a term used to describe a website that restricts access to their content unless the visitor provides consent to the use of cookies. The ePrivacy Regulation aims to eliminate tracking walls. 

What Does The EPrivacy Regulation Prohibit?

This law states that any seizure or usage of electronic communications content by anyone apart from the end-user can only be done in accordance with its provisions. Keeping, tracking, listening, or scanning electronic communications will only be deemed legal if they are done in compliance with the ePrivacy Regulation.

When Will The EPrivacy Regulation Be Implemented?

Initially, this law was expected to come into effect on May 25, 2018, alongside the GDPR. Nonetheless, delays experienced during the approval phase resulted in its implementation being pushed back. Although no one knows the exact date, it is expected to be approved in 2021 followed by a transition period of 12-24 months if the current draft by the Portuguese Presidency is approved by the EU Parliament.

Read the latest ePrivacy Regulation update if you are interested in 12 key takeaways for your business. 

ePrivacy Regulation Status: Learn what the recent delays mean for Businesses.

How Does The EPrivacy Regulation Compare With GDPR?

Both the GDPR and ePrivacy Regulation are concerned with data protection practices throughout the European Union. Nonetheless, while GDPR is solely focused on personal information, the ePrivacy Regulation deals with the privacy of data involved in electronic communications explicitly. Read more about the key differences between ePrivacy Regulation and GDPR.

Who Will Not Be Affected By The EPrivacy Regulation?

This law will not cover;

  • Any activities that are not subject to EU law
  • Private electronic communications
  • EU member state activities connected to immigration and border checks
  • Radio gear that is compliant with Directive 2014.53/EU
  • Actions linked to the deterrence, investigation, or prosecution of criminal offenses

Read ePrivacy Regulation Latests Blog Posts