The European Union (EU) has some of the world’s most stringent data privacy laws, the General Data Protection Regulation (GDPR) and ePrivacy Directive, which are already in effect. But the proposed ePrivacy Regulation is set to bring some changes to data protection and cookie consent, and it will broaden the scope of organizations that will be impacted.
Let’s take a look at ePrivacy requirements and what the changes mean for data protection.
1. What is ePrivacy?
ePrivacy encompasses both the ePrivacy Directive (Directive 2002/58/EC) and the proposed ePrivacy Regulation, which aim to ensure privacy and protection in electronic communications within the EU. It is designed to complement the GDPR.
2. What is the ePrivacy Directive?
The EU ePrivacy Directive (known as the “cookie law”) was enacted in 2002 and updated in 2009. It specifically addresses privacy issues in electronic communication. It mandates the confidentiality of communication over public networks, requires user consent for cookies, sets guidelines for the security of electronic communication services, and regulates direct marketing practices. Cookie consent banners became more prominent after the ePrivacy Directive’s enactment, as they are a practical way to collect explicit consent from users.
This directive requires incorporation into national laws of EU member states, leading to variations in enforcement across the Union.
In November 2023, the European Data Protection Board (EDPB) issued new guidelines that widened the scope of technologies covered under the directive.
3. What are the proposed changes to the ePrivacy Directive?
Article 5(3) of the ePrivacy Directive provides that before a company or website can store information on or get information from a user’s device (like a computer or smartphone), they must obtain prior consent from the user.
Under the Guidelines 2/2023 on the Technical Scope of Article 5(3) of ePrivacy Directive, the EDPB expands the directive’s application for storing or accessing information on a user’s device. The EDPB adopts a wide reading of what constitutes terminal equipment and the nature of information, suggesting that many digital tracking methods will require prior opt-in consent unless they are necessary for delivering a requested service.
The guidelines specifically address the use of several modern tracking technologies, which have become prevalent in digital marketing and online tracking.
URL and pixel tracking
Tracking pixels are tiny images embedded in websites or emails, linking to a server. When an email containing a tracking pixel is opened or a webpage with a tracking pixel is visited, it allows the server to record the action and capture details such as the time the email was opened, the IP address of the recipient, and the type of device used. URL tracking links to websites help identify where visitors come from.
Local processing
Sometimes, websites use APIs to access information stored on a user’s device, such as location data. If processed information is made available over the network, it is considered gaining access to stored information under these guidelines.
Tracking based on IP only
Some technologies rely only on the collection of the IP address for the tracking of users. If the IP Address originates from the terminal equipment of the user, Article 5(3) of the ePrivacy Directive would apply.
Internet of Things (IoT) reporting
Under the guidelines, you will require user consent for data collection and processing by devices connected directly or indirectly to the internet. This applies to smart devices like fridges or fitness trackers, whether they send data directly or through another device like a smartphone.
Unique Identifier
Unique Identifiers are special codes that are attached to a user’s online data to signify that it belongs to the user. It often comes from persistent personal data, or personal information that doesn’t change much over time, such as email addresses, usernames or account IDs, or date of birth. They’re used to recognize users across different websites or apps. When a website tells a user’s browser to send this data, it’s accessing information on the device and invokes Article 5(3).
4. Do all cookies require consent under the ePrivacy Directive?
No, under the ePrivacy Directive, cookies that are “strictly necessary” for the delivery of a service explicitly requested by the user do not require consent. These cookies are essential for the basic functioning of the website or to provide the service the user has directly requested. Examples include:
- cookies that are used to maintain the state of a user’s activities on a website during a browsing session, such as maintaining logged-in status
- cookies used to support security features and to help identify and prevent security risks
- cookies that remember information entered by the user, such as username, language, or region, to provide a more personalized experience
While these cookies are exempt from the consent requirement, you are still expected to inform users about the use of such cookies, often through a privacy policy or cookie policy.
5. What is the new ePrivacy Regulation?
The ePrivacy Regulation is a proposed legal framework by the EU intended to update and replace the existing ePrivacy Directive. The primary focus of the ePrivacy Regulation is to enhance privacy protections in electronic communications, extending beyond traditional telecommunications providers to include new communication services like instant messaging applications, VoIP services, and email. It includes text, images, speech, videos, and metadata.
Unlike directives, which require transposition into national laws, regulations are directly applicable, meaning they enforce uniformity across the EU upon taking effect. The ePrivacy Regulation is designed to align closely with the GDPR, ensuring a coherent and unified approach to data protection and privacy across the EU.
6. Who does ePrivacy Regulation apply to?
The ePrivacy Regulation aims to extend privacy protections to a wider range of electronic communications beyond traditional telecom operators. It will apply to any business that processes data in connection with any form of online communication service, uses online tracking technologies, or engages in electronic direct marketing, encompassing both natural and legal persons involved in electronic communication.
Examples of who the regulation applies to are:
- website owners
- owners of apps that have electronic communication as a component
- natural or legal persons sending direct marketing communications
- telecommunications companies
- messaging service providers (WhatsApp, Facebook and Skype)
- internet access providers, (ex. a store or café providing open Wi-Fi access)
The regulation will also apply to machine-to-machine communications (Internet of Things).
Like the GDPR, the territorial scope of the regulation extends outside the EU. It will apply to data from end-users located in the EU, even if the data collecting and/or processing take place outside the EU or by providers outside the EU.
7. What actions does the ePrivacy Regulation prohibit?
The ePrivacy Regulation sets forth several specific prohibitions to protect users’ privacy rights:
- any interception, storage, monitoring, scanning, or otherwise surveilling of electronic communications data by anyone other than the end users (unless expressly permitted by the regulation)
- use of tracking technologies for non-technical purposes without obtaining explicit consent
- gaining access to information stored on a user’s terminal equipment without their consent
- sending unsolicited electronic communications or spam, covering unsolicited emails, text messages, and automated calling systems
- processing metadata derived from electronic communications (such as location data, call times, and recipient information) without user consent or another legal basis
8. What will be new with the ePrivacy Regulation?
The ePrivacy Regulation isn’t implemented yet and is subject to change before it is passed as a binding regulation. Key areas of focus in the proposed ePrivacy Regulation include:
Electronic communications
It expands the scope of the current directive to encompass modern forms of communication, including messaging services on social media platforms (WhatsApp, Facebook Messenger) and VoIP providers, aiming for a comprehensive coverage of digital communication methods.
Cookie walls
A cookie wall is a mechanism by which websites refuse access to users unless the user consents to cookies. The proposed ePrivacy Regulation does not prohibit cookie walls outright and allows them under certain conditions. Specifically, a website can ask users to consent to cookies if it also offers a similar option that doesn’t require cookie consent. The key is providing users with a clear choice, ensuring they have an alternative means to access services without being forced to accept cookies.
Confidentiality
Providers of any electronic communication service, like Gmail, Skype, Facebook Messenger and WhatsApp, will be required to provide higher data safety standards to make sure communications data is kept confidential. They will be required to secure all communications data through the best available techniques.
Metadata
The regulation also protects electronic communications metadata. Examples of metadata include:
- time and date of the communication
- how long the communication lasted
- where the sender and receiver of the communication were located at the time of the communication
- whether the communication was a voice call, video call, text message, email, etc.
- information about the devices used for the communication, including device types and identifiers
- details regarding the network used for the communication, such as Wi-Fi or cellular network identifiers and signal strength.
Interception of metadata can only happen in accordance with the regulation.
Directive vs. Regulation
There is a significant difference between EU directives, like the EU cookie law from 2002, and regulations, like the proposed ePrivacy Regulation. While a directive needs to be implemented by different countries on a national level, a regulation becomes legally binding in the EU countries immediately.
Directives are implemented with slight differences across country borders, while regulations have the exact same content in all EU countries. That the ePrivacy laws will now be a regulation shows the EU’s continuing dedication to thorough data protection across the EU.
Unsolicited marketing
Marketers will not be able to send emails, text or any other form of communication without prior permission from users, which will lead to a reduction in spam.
9. How does the ePrivacy Regulation compare to the GDPR?
The GDPR and ePrivacy Regulation share several similarities:
- They share the same high fines for non-compliance
- Both aim to align data privacy laws across the EU
- Both apply to the processing of data of individuals residing in EU territory, whether or not the processors themselves are located within the EU
- Both are EU regulations
There are, however, some major differences between the two regulations, which are outlined in the table below.
GDPR | ePrivacy Regulation | |
Scope | Applies to the processing of EU residents’ personal data, irrespective of the technology used. | Focused on the processing of personal data and metadata in electronic communications. |
Definition | “Personal data” means any data that can be used to identify someone. | “Electronic communications” means any data that is communicated electronically, whether or not it can be used to identify someone. |
Reach | Since “personal data” is not as wide of a definition as “electronic communications”, the GDPR has a smaller reach than the ePrivacy Regulation. | “Electronic communications” is a wider definition than “personal data” and therefore makes the ePrivacy Regulation far-reaching. |
Purpose | To protect the personal data of individuals within the EU, providing them with greater control over their personal information and ensuring that their data is processed securely and transparently by organizations. | To ensure privacy and confidentiality in electronic communications across the EU, specifically regulating tracking technologies, electronic marketing, and the security of users’ communications data. |
Type of data | Covers any personal data, whether it is electronic or in hard copy format. | Covers only “electronic” communications data, not hard copy data. |
Lex Specialis | GDPR is the less specific law when it comes to electronic communications. Because of this, the ePrivacy Regulation takes precedence over the GDPR in electronic communications cases. | The ePrivacy Regulation is lex specialis — the more specific law compared to the GDPR — when it comes to electronic communications. Because of this, it takes precedence over the GDPR in electronic communications cases. |
Who is given responsibilities | Anyone who is the controller or processor of personal data. Data controllers are those who decide why and how personal data should be processed. Data processors are the ones doing the actual data processing for the controller. As an example, if a restaurant has a payroll company pay the restaurant employees, then the restaurant is the data controller and the payroll company is the processor of the employees’ personal data. | Anyone processing content of electronic communications, including website owners, owners of communication apps, anyone engaging in direct marketing, telecommunications companies, messaging service providers (WhatsApp, Facebook, Skype), internet access providers. |
Who is given rights and protections | Provides protection only to natural persons, or people. | Provides protections for both natural and legal persons, that means people as well as organizations, companies and businesses. |
Coming into effect | Came into effect on 25th May 2018 | Still in the approval stage with EU legislators. It was expected to come into effect in 2023 but has been delayed. |
10. When will the ePrivacy Regulation come into force?
The ePrivacy Regulation was initially intended to come into effect alongside the GDPR on May 25, 2018, but it has not yet been adopted. The EU Council published a draft, finalized on February 10, 2021, which is now in negotiations between the Council and European Parliament. If the draft is approved, it will pass into law in all 27 EU member states.
Once the draft is approved, there will be a two-year period before the regulation will be enforced. This gives you time to make the necessary changes and become compliant if your organization is impacted.
11. Why and how should companies prepare for the ePrivacy Regulation?
Fines
GDPR penalties are substantial, and the same fines will apply to non-compliance with the ePrivacy Regulation: up to €20 million or 4% of yearly global revenue for the preceding financial year, whichever is higher.
When the ePrivacy Regulation becomes effective it will immediately apply to electronic communications processors across the EU, and companies should make sure to be compliant before that time.
Preparing for the ePrivacy Regulation
The ePrivacy Regulation will not replace the GDPR; rather the two regulations are meant to coexist and complement each other. It is not the case that the ePrivacy Regulation will totally change privacy rules so that GDPR-compliant companies have to start over again. The ePrivacy Regulation will only expand EU privacy laws. Even after it becomes effective, companies will be required to comply with both the GDPR and the ePrivacy Regulation or risk being fined.
Furthermore, consent will likely be more heavily relied upon as a legal basis for data processing after the ePrivacy Regulation comes into effect, and the ePrivacy Regulation uses the GDPR definition of consent. Having a GDPR-compliant method of obtaining consent in place already is a great way to prepare for the ePrivacy Regulation.
Usercentrics keeps track of regulatory developments to make sure that our product is up to date with the latest standards. Companies can use our consent management platform (CMP) to enable GDPR compliance and ePrivacy compliance and prepare for future data privacy laws such as the ePrivacy Regulation.
Further information:
- January 2017: Draft text of the ePrivacy Regulation was published
- September 2017: European Council published proposed amendments
- February 2021: European Council published mandate for negotiations with the European Parliament
Usercentrics GmbH does not provide legal advice. The contents of the above article are not to be understood as legally binding. The article constitutes the opinion of Usercentrics.