The GDPR and ePrivacy Regulation are data protection and privacy laws adopted in the EU to protect the data of EU residents. Both laws have so many similarities that they could confuse people about their application. Perhaps, not many are aware there are a few differences that draw the line between both laws.
We will cover these key differences in this article.
What is GDPR?
The General Data Protection Regulation (GDPR) is a data protection and privacy regulation of the European Union (EU) to protect EU residents’ data and privacy. It came into effect on 25 May 2018.
The Regulation applies to any organization or website, regardless of its location, if it serves users in the EU. If an organization collects and uses the personal data of individuals residing in the EU, it will be subject to GDPR compliance.
To know more about it, please read the ultimate guide to GDPR.
What is ePrivacy Regulation?
ePrivacy Regulation is the regulation proposed for protecting the confidentiality of electronic communication within the EU. It would replace the existing ePrivacy Directive and would be lex specialis to the General Data Protection Regulation (GDPR) in the EU. The Regulation was originally planned to be enforced on May 25, 2018, the same day as the GDPR’s. However, the implementation was delayed and this year, the final draft was launched. It will be subject to a trialogue and is most likely to come into effect next year.
The final draft addresses the confidentiality of electronic communication, acquiring consent for cookies, and data collection for marketing purposes.
Read the full text of the draft here.
Key differences between GDPR and ePrivacy Regulation
The differences between ePrivacy Regulation and GDPR lie in five factors, such as, objective, scope, data covered, cookies and enforcement.
Let us look at them in detail.
The objective of GDPR is to protect the rights and freedom of individuals within the EU and their right to privacy of their personal data.
Whereas, the ePrivacy Regulation is lex specialis to GDPR, covering the confidentiality of electronic communications, be it services or services offered over a network. Electronic communication will include services like messaging and video calling applications, and metadata, Internet of Things (IoT) devices, along emails and SMS messages.
This is often confusing for organizations as to when and why GDPR or ePrivacy Regulation applies to them.
The GDPR applies to entities in the world that collect and process personal data (that can be used to identify an individual, directly or indirectly) of individuals within the EU territory.
However, the ePrivacy Regulation applies to entities that provide:
- an electronic communications service.
- service over an electronic communications network.
- services or networks that are publicly available.
- services and network in the EU.
3. Data covered
The GDPR protects personal data that can identify an individual within the EU, directly or indirectly. E.g. name, email address, mailing address, location details, phone number, social media credentials.
Now here is where ePrivacy Regulation differs from the GDPR. It covers all this data, but those that are collected via a “publicly available” electronic communication service or network. For example, an unauthorized email sent for direct marketing comes under the jurisdiction of the ePrivacy Regulation. Another example is search engine services which store or access cookies on the user’s device.
Therefore, the GDPR exempts data processing from compliance if:
- it does not involve any personal data (e.g. publicly available phone number or IP address of an electronic communication machine such as a digital copier).
- the data falls outside the material scope of the GDPR.
- it falls outside the territorial scope of the GDPR.
Personal data collected and accessed via cookie identifiers fall under the material scope of both GDPR and ePrivacy Regulation.
The GDPR mentions cookies only once compared with the ePrivacy Regulation, also known as the EU Cookie Law, which has dedicated clauses for cookies.
Both regulations require website operators to obtain consent from visitors to store cookies on their devices. The difference is that the GDPR generalizes cookie identifiers as part of its personal data definition. The conditions for valid consent are the same in both laws.
So, what is the difference? Cookie walls.
Cookie walls are cookie banners that block access to website content unless the visitors give their consent to cookies. The practice of using it is looked down upon by many data privacy laws.
The GDPR does not specifically mention it, but cookie walls are illegal and rob the users of a free and genuine choice to consent as per the law requirements. The ePrivacy Regulation, on the other hand, prohibits its user but allows it if it provides an equivalent service that does not require consent. For example, a paywall gives the user different options to access the website content. One is a free subscription, where they just have to consent and access the site’s limited services. Other are paid subscriptions, where they can access full services without consent if they make a payment. The website must inform the users in clear and plain language about the purpose of cookies and the consequences of accepting them.
With CookieYes cookie consent manager, never miss out on following the GDPR and ePrivacy standards. The cookie consent tool offers a complete solution for privacy regulation compliance. Sign up for free and get access to the following features:
- Fully customizable GDPR and CCPA cookie banner
- Full website cookie scan
- Auto-block third-party cookie scripts
- Granular opt-in for cookies
- Log visitor consent
- Revocable cookie consent
- Auto-translate cookie banner
- Geotargeting cookie banner
- Cookie audit table
and much more!
The GDPR gives provision to independent data protection authorities (France’s CNIL, Germany’s DSK, etc.) to enforce its laws within the EU territory. That is, each EU member state has its own authority to enforce and supervise the implementation of the GDPR. They can adopt the GDPR and set their own laws for the member states.
CNIL recently started enforcing its cookie guidelines. Read more about it here.
The current draft of ePrivacy Regulation lacks a consistent mechanism for enforcement. It does not provide a cooperation mechanism and by the looks of it, applicable entities may have to report to over 7 supervisory authorities unless they announce a change. The EDPB believes that it requires alignment with GDPR’s framework to reach its goal and avoid any inconsistency in its enforcement.
These are the main differences between the EU’s GDPR and ePrivacy Regulation. While there are many similarities, these differences between them could affect severely if not taken into consideration. Organizations that fall within the scope are expected to comply with both the laws since a violation could lead to harsh fines, which is equal in both.