ePrivacy Regulation: What Is It & How Does It Affect Cookies?

The ePrivacy Regulation proposal is a proposed European Union law that seeks to protect the rights of internet users. It would update the existing ePrivacy Directive, which includes rules on privacy and electronic communications.

The ePrivacy Regulation will set data protection standards for all electronic communications such as text messages, emails, WhatsApp messages, and any other form of digital communication. This would include contents of calls, metadata (such as location tracking), and cookies (online trackers). In this blog, you will also find a checklist to comply with the cookie rules proposed by the Regulation so that you can be ready when it comes into force.

Effective from: 2023 (expected)

Official text: EU Council mandate

ePrivacy Regulation is a new European Union (EU) regulation that replaces the ePrivacy Directive, which was drafted in 2002. It was supposed to come into force on May 25, 2018, the same day as the GDPR. However, it was delayed a few times. Once it comes into effect, it will provide stronger privacy protections for electronic communications (including emails and chat) while also ensuring that companies have easy access to clear and consistent rules across Europe.

In the last few years, technological and economic developments have changed the way consumers communicate. They are increasingly using new internet-based services like Voice over IP, instant messaging, and web-based e-mail services. The Directive does not cover these Over-the-Top communications services (“OTTs”). As a result, there is a need for this new regulation to ensure that users have control over their information.

The new effective date of the Regulation is unknown as the draft is still subject to dialogues between various European bodies. However, once agreed, it will come into force in two years from the twentieth day following its publication. The Regulation is not expected to come into force before 2023.

Like the GDPR, the ePrivacy Regulation will be enforced by EU member state councils.

The European Union’s ePrivacy Regulation will apply to any business or individual who transmits information by “electronic communication services” within the EU. This includes not only emails but also text messages, chat apps like WhatsApp, and videoconferencing tools like Skype or Zoom.

The Regulation will also have extraterritorial reach to non-EU organizations that process EU residents’ data.

Personal data are in any information related to a natural person or “data subject” that can identify them, directly or indirectly (e.g. name, address, email address). This definition also includes indirect identifiers such as device ID numbers, IP addresses, mobile location IDs, cookies, and other tracking technologies.

The Regulation specifically mentions:

• electronic communications content and metadata carried out in connection with the provision and use of electronic communications services;
• end users’ terminal equipment information;
• the offering of a publicly available directory of end-users of electronic communications services; and/or
• the sending of direct marketing communications to end-users.

The ePrivacy Regulation applies to all electronic communications services and networks that are accessible by the public and that provide publicly available electronic communications services (such as email, instant messaging, and social media platforms). For example, an unauthorized email sent for direct marketing comes under the jurisdiction of the ePrivacy Regulation. Another example is search engine services that store or access cookies on the user’s device. 

It does not apply to information processed by services or networks used for purely internal communications purposes between public institutions, courts, financial institutions, and employment administrations. However, the Regulation applies to electronic communications data if it is transferred from such a closed group network to a public electronic communications network.

All provisions of the ePrivacy Directive, for cookies, also known as EU cookie law, will apply under the ePrivacy Regulation as well. However, the ePrivacy Regulation’s draft introduces a few new changes. Let’s look at them in detail:

Cookie walls

Cookie walls, which block users from accessing a website if they refuse to accept the use of cookies, may be acceptable under certain circumstances. If a website provides user-friendly equivalent cookie-less service that does not require consent, then the website can use cookie walls. If there is no alternative way for visitors to access content on a website without accepting cookies, then blocking them from accessing the site is unfair—especially if there is no information about what types of data these cookies collect and how they will be used.

For example, a paywall gives the user different options to access the website content. One is a free subscription, where they just have to consent and access the site’s limited services. Other are paid subscriptions, where they can access full services without consent if they make a payment. The website must inform the users in clear and plain language about the purpose of cookies and the consequences of accepting them.

Whitelisting service providers

To prevent users from getting fatigued by consent requests, they should be able to white list the cookies they want to accept in their browser settings. Service providers must make it easy for users to set up and amend their whitelists, and withdraw consent at any time. However, consent directly given by users overrides any software settings.

Cookies for audience measurement 

Consent is not necessary if the cookies are necessary for audience measurement (analytics), as long as the measurement is being done by the provider of the service requested by the end-user or by a third party on behalf of the service provider or jointly.

Consent exemption remains the same for cookies (as described in the ePrivacy Directive) that are used for security, preventing fraud, detecting incidents, or updating software (for security or fixing vulnerabilities).

Here’s a checklist for complying with the EU cookie law on your website:

• Use a cookie banner to inform about cookies and get consent
• Add user-friendly options to accept, reject, or choose cookie preferences
• Allow users to withdraw consent at any time
• Do not set cookies before receiving consent for it
• Use cookie walls cautiously; give an equivalent option to access the site without having users accept cookies
• Do not use cookies for other purposes not related to the original purpose for which consent was obtained
• Add a privacy or cookie policy to disclose details about cookies and how to manage them

​​The draft ePrivacy Regulation’s fines are very similar to GDPR’s:

• Less serious violations: up to 2% of annual global turnover, or up to €10 million (approx. $11.8 million), whichever is greater.
• More serious violations: up to 4% of annual global turnover, or up to €20 million (approx. $23.6 million), whichever is greater.

Those who suffered damages from the violations can claim compensation.

The ePrivacy Regulation is a broader law than the GDPR, applying not only to online communications but also to other electronic communications such as text messages and phone calls.

One key difference between the two laws is that while the GDPR focuses primarily on data protection, the ePrivacy Regulation focuses primarily on privacy.

Here’s a quick look at the differences between the two regulations:

Let us look at in detail the four key factors for the comparison, such as the objective, scope, data covered, and cookies.

1. Objective 

The objective of GDPR is to protect the rights and freedom of individuals within the EU and their right to privacy of their personal data. 

Whereas, the ePrivacy Regulation is lex specialis to GDPR, covering the confidentiality of electronic communications, be it services or services offered over a network. Electronic communication will include services like messaging and video calling applications, metadata, Internet of Things (IoT) devices, along with emails and SMS messages.

2. Scope

This is often confusing for organizations as to when and why GDPR or ePrivacy Regulation applies to them.

The GDPR applies to entities in the world that collect and process personal data (that can be used to identify an individual, directly or indirectly) of individuals within the EU territory. 

However, the ePrivacy Regulation applies to entities that provide: 

• an electronic communications service.
• service over an electronic communications network.
• services or networks that are publicly available.
• services and network in the EU.

3. Data covered

The GDPR protects personal data that can identify an individual within the EU, directly or indirectly. E.g. name, email address, mailing address, location details, phone number, and social media credentials. 

Now here is where the ePrivacy Regulation differs from the GDPR. It covers all this data, but those that are collected via a “publicly available” electronic communication service or network. Therefore, the GDPR exempts data processing from compliance if:

• it does not involve any personal data (e.g. publicly available phone number or IP address of an electronic communication machine such as a digital copier).
• the data falls outside the material scope of the GDPR.
• it falls outside the territorial scope of the GDPR.

4. Cookies

Personal data collected and accessed via cookie identifiers fall under the material scope of both GDPR and ePrivacy Regulation.

The GDPR mentions cookies only once compared with the ePrivacy Regulation, also known as the EU Cookie Law, which has dedicated clauses for cookies.

Both regulations require website operators to obtain consent from visitors to store cookies on their devices. The difference is that the GDPR generalizes cookie identifiers as part of its personal data definition.  The conditions for valid consent are the same in both laws.

So, what is the difference? Cookie walls.

The GDPR does not specifically mention it, but cookie walls are illegal and rob the users of a free and genuine choice to consent as per the law requirements. The ePrivacy Regulation, as we discussed, prohibits its user but allows it if it provides an equivalent service that does not require consent. 

Is the ePrivacy Regulation in force?

No, the ePrivacy Regulation is not in force yet. It is not expected to come into effect before 2023.

What is the ePrivacy law relationship with the GDPR?

The ePrivacy law is a separate piece of legislation that is related to the GDPR. It was created as a response to concerns about how data privacy is handled by online services. The ePrivacy law is not directly connected with the GDPR, but it does include similar provisions for how cookies are used on devices.

Will the UK adopt the ePrivacy Regulation?

Yes, the UK will adopt the ePrivacy Regulation. The UK left the EU in January 2021 and since then, PECR (Privacy and Electronic Communications Regulations 2003) is the UK’s national implementation of the European ePrivacy Directive. 

What does the ePrivacy Directive apply to?

The ePrivacy Directive applies to all websites that collect or process personal data for electronic communication. In other words, it covers any website that collects personal data through cookies or any other form of web tracking.

Will the ePrivacy Regulation replace the GDPR?

No, the ePrivacy Regulation will not replace the GDPR. It will be used in conjunction with the GDPR.  The GDPR is a set of rules that apply to the processing of the personal data of EU residents. The ePrivacy Regulation, on the other hand, focuses on the confidentiality of electronic communications of EU residents.