The new EU ePrivacy Regulation: what you need to know

Everything you need to know about the upcoming EU ePrivacy Regulation on the Respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC, with updates as they occur.

While quite some organizations are investing to be more or less compliant with the upcoming EU GDPR (European General Data Protection Regulation) and others are still trying to get their heads around a GDPR strategy, the role of the Data Protection Officer or even the essence of personal data protection as foreseen in the GDPR, another EU Regulation requires your attention: the new EU ePrivacy Regulation.

The enforcement of the confidentiality rules in the Regulation will be the responsibility of national data protection authorities.

On this page, which continues to be updated until the final ePrivacy Regulation is active, you find everything you need to know.

The new ePrivacy Regulation, which in January 2017 was published as a proposal text, aims to be an update of the EU’s existing ePrivacy legal framework, more specifically the EU ePrivacy Directive which goes back to 2002 and was revised in 2009, requiring prior consent regarding cookies.

Since then the Directive on Privacy and Electronic Communications (Directive 2002/58/EC and the 2009 update, Directive 2009/136) often was called the cookie law by the marketers and Internet professionals among us (and is the reason why you see cookie consent popups on many websites, including ours) since it became national law in EU countries with a gradual implementation, national differences and, let’s say relatively inconsistent enforcement across these countries.

EU ePrivacy Regulation - new electronic communication rules 2018 - impact and changes

Attention though: the ePrivacy Directive and Regulation isn’t just about cookies. It concerns electronic communications and the right of confidentiality, data/privacy protection and more. In other words: personal data protection.

Electronic communications means that it includes the Web, the Internet (email, apps, you name it), telephone, instant messaging and so on. So we are also talking about spam, direct marketing, telecommunication firms, mobile app developers, online advertising networks and, often overlooked, the IoT (Internet  of Things), among many many others. A look at the text, the impact, the challenges and the evolutions.

ePrivacy: from a Directive to a Regulation

Why is this coming new ePrivacy Regulation important, why is it needed and how is it different?

First of all note the difference in the terms: whereas now we have an ePrivacy Directive, the newcomer is called an ePrivacy Regulation. This means that the new ePrivacy Regulation is self-executing and becomes legally binding across the EU, whereas its predecessor, the ePrivacy Directive, required local regulations for implementation with the mentioned inconsistent enforcement as one consequence.

Consent for non-privacy intrusive cookies which improve the Internet experience of the user soon is not needed anymore.

Secondly, the current ePrivacy Directive came as a complement of the EU’s Data Protection Directive. It’s exactly this Data Protection Directive that is being replaced by the General Data Protection Regulation or GDPR in 2018. As a consequence but also to ‘improve’ the current so-called ‘cookie law’ and, among others, include new forms of electronic communications (IoT and more), the new ePrivacy Regulation complements the GDPR and in pretty much the same way strives towards uniformity across the single digital market as a Regulation instead of a Directive.

New stipulations and consequences of the coming ePrivacy Regulation

Is that all? No. The new ePrivacy Regulation of the EU also goes several steps further than the current laws which exist as a result of the current Directive.

Taking into account that the amended text has been approved but still needs a vote in the plenary of the EU Parliament end October 2017 before the trialogue starts and we don’t the date when the ePrivacy Regulation will become enforceable (more on that below), here are some key new stipulations and consequences regarding the use of cookies and other impacts on the Internet and electronic communications services and providers as mentioned in the proposal text and in the amended text as it was approved by the LIBE Committee on October 19th, 2017 (more below).

We tackle the majority of aspects and impact of the “new” ePrivacy Regulation but for a very handy overview of pretty much everything below is a slideshare you can first go through in order to get the specifics (before the voted ammended text).

The EU ePrivacy Regulation and cookies

Although the ePrivacy Directive has become known as the cookie law to some, as said it’s about more than just cookies.

But cookies and cookie consent are among the most visible aspects and there is also quite a bit that is poised to change in this regard.

According to the draft text of the new ePrivacy Regulation under certain conditions cookies consent is not needed anymoreThe ePrivacy Regulation AIMS to simplify the rules regarding cookies and streamline cookie consent in a more ‘user-friendly’ way. As such that is great news. In practice it, among others means that EU websites and websites with EU visitors, will not need to show those cookie consent pop-ups anymore. Hurray, that is indeed more user-friendly and less of a hassle for website owners (for us it’s another plug-in that can go).

Easier cookie rules: yes and no

HOWEVER, the current proposal says that browser settings will enable website visitors to accept – or refuse – cookies, as well as other ‘identifiers’.

Using browser settings for cookie consent/refusal de facto means that you’ll see more and more websites that show pop-ups saying “sorry, no visit if no cookies” as we already see with adblockers. So, it seems that one pop-up is indeed being replaced by another one, on a site level (unless the site doesn’t care about cookies which is not really the case for publishers nowadays). This is one of the most heard concerns from delegations and food for discussions as you can read below: the fact that the suggested cookie method will simply miss its goal.

For some cookies there is good news. In the proposal it is also foreseen that consent is not needed for “non-privacy intrusive cookies” which improve the Internet experience of the user.

Examples include e-commerce cookies, remembering shopping cart histories and cookies for Google Analytics and the many others. It’s not very likely that cookies for online advertising will be interpreted as improving the Internet experience, although opinions will obviously differ.

Advertising and marketing cookies: not simple at all

Now, all is not said yet and of course work had been done to prepare the draft text, including discussions with various stakeholders, also in the advertising space.

In the 432-pages report made by Deloitte for the European Commission  you can read the reasoning on the pros and cons of first-party and of course third-party cookies (“the backbone of digital advertising”). A link to it and all other sources below.

We don’t have to tell you that with all the marketing automation, audience measurement (on online media properties), connected databases of third-party cookies (for instance, enabling retargeting to name something still relatively simple), social network cookies, analytics cookies and so forth there is a whole lot of cookies going on. In the so-called ‘Cookie Sweep’ in 2014, it turned out that on average there were about 28.9 cookies on the analyzed media, public sector and e-commerce sites (in the EU), 70% being third-party cookies as the Deloitte report also mentions.


Infographic - the new EU ePrivacy Regulation - attention the infographic is based upon the draft text which will be adapted before it becomes a Regulation - source
Infographic – the new EU ePrivacy Regulation. Attention!!! The infographic is based upon the draft text which will be adapted before it becomes a Regulation – source (PDF opens)

While the sophisticated networks of cookies, as advertising and media bodies always say, make it possible for Internet users to get (increasingly partial) access to ‘free content’ (paid by the ads), and there is a case for ‘relevance’ of the ads in the context of the Internet user by better targeting, at the same time it’s also pretty well-known that for the average Internet user it’s far from clear how he/she is tracked across networks. We’ve rarely seen a website where those 28.9 cookies and trackers on average are mentioned nor read a cookie policy that’s understandable or makes it clear for an Internet user what really happens in the background with all those connected networks and sites and so forth when visiting a site or using some app.

Cookies beware: major fines

Even if we deduct the ones where consent won’t be needed anymore it’s still a lot and we don’t think this debate is over. It is – to say the least – complex and changes quite some things.

While the Commission finally acknowledged the important role of advertising for funding free content online, it does so at the same time as presenting a law that as a practical matter would undeniably damage the advertising business model – without achieving any real benefits for users from a privacy and data protection point of view (IAB Europe CEO Townsend Feehan expressing the IAB’s dismay about the ePrivacy Regulation proposal text)

Moreover, the stakes are high: did we mention that the same fines as in the GDPR apply? Indeed, you read that right. High fines and little margin for error in a heck of a difficult context.

It probably won’t come as a surprise that the IAB (Interactive Advertising Bureau) Europe rapidly responded as soon as the draft text was leaked, stating that it was “dismayed by the European Commission’s proposal for a new ePrivacy Regulation, the next iteration of the infamous cookie law”. Yet, so did other delegations.

From the draft text: “Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties from storing information on the terminal equipment; this is often presented as ‘reject third party cookies’. End-users should be offered a set of privacy setting options, ranging from higher (for example, ‘never accept cookies’) to lower (for example, ‘always accept cookies’) and intermediate (for example, ‘reject third party cookies’ or ‘only accept first party cookies’). Such privacy settings should be presented in a an easily visible and intelligible manner”.

The ePrivacy Regulation and the Internet of Things

From cookies we jump to something entirely different: the Internet of Things (IoT). By now we suppose people know what it is (and it’s not an it or thing but that’s another topic).

The principle of confidentiality should apply to current and future means of communication

Before we start: do note that the Internet of Things is also tackled in the GDPR where, for instance, RFID tags, fall under the category of so-called identifiers (more about those online identifiers).

In a European context we can say that the IoT is part of the backbone of Industry 4.0 and, not unimportant, in the coming years (until 2020) growth in the consumer segment of the Internet of Things is expected to be high in Western-Europe. As a matter of fact, by 2020 consumer IoT spend will jump to the third spot of IoT spend globally (until then, the market is led by respectively IoT spend in manufacturing or Industry 4.0, IoT spend in transportation and IoT spend in utilities, three segments of the Industrial Internet of Things).

Benefits for citizens and business of the new EU ePrivacy Regulation according to the European Commission factsheet infographic - source
Benefits for citizens and business of the new EU ePrivacy Regulation according to the European Commission factsheet infographic – source (PDF opens)

However, in Western-Europe, consumer IoT already will rank second from an IoT spending perspective in 2020.

So, it’s probably noteworthy that in the proposal text of the ePrivacy Regulation, the Internet of Things is specifically mentioned and that “the principle of confidentiality which is enshrined in the Regulation should also apply to the transmission of machine-to-machine communications”. The text also calls for specific safeguards under sectorial legislation.

In the introduction, mentioning that principle of confidentiality the IoT is not specifically included but beware: it is mentioned further (and you can see it as part of ‘the current and future means on communication”).

From the introduction text: “Confidentiality of electronic communications ensures that information exchanged between parties and the external elements of such communication, including when the information has been sent, from where, to whom, is not to be revealed to anyone other than to the parties involved in a communication. The principle of confidentiality should apply to current and future means of communication, including calls, internet access, instant messaging applications, e-mail, internet phone calls and personal messaging provided through social media”.

The rules regarding to machine-to-machine communications are another concern of delegations and are and will be discussed.

IoT regulation: GDPR, ePrivacy and more

The ePrivacy Regulation and Over-the-Top communication services

Have you ever heard about Over-the-Top communication services or OTTs? In all honesty: we hadn’t.

Privacy rules will now also cover new providers of electronic communications services, such as WhatsApp, Facebook Messenger, Skype, Gmail, iMessage, or Viber (PR EU)

Just as the Internet of Things is included, these new ways of communication are also subject to the ePrivacy Regulation. OK, but what are they? When we say Skype, Facebook Messenger and WhatsApp it’s probably clear enough.

So, in the new Regulation, the privacy and confidentiality and data protection rules of any company offering electronic communications services will apply to them as well: Voice over IP, instant messaging and anything else really.

Here as well, delegations asked the the Council’s Working Party on Telecommunications and Information Society to review the text.

The ePrivacy Regulation, direct marketing and email marketing

Like its predecessor, the ePrivacy Directive, the upcoming Regulation foresees various rules on spam and unsolicited electronic communications by other means such as SMS.

92% of Europeans say it is important that their emails and online messages remain confidential. However, the current ePrivacy Directive only applies to traditional telecoms operators (EU PR)

While spam and unsolicited electronic communications obviously aren’t marketing, we mention it under that umbrella as we know a few publishers and others that will be in for some serious surprises as they seem to keep sending “marketing” messages, even if you unsubscribed a gazillion times. Identifying other spammers is obviously another ball game.

Direct marketing also means calls and here there is something we really really like: marketing callers will need to show their phone numbers or use a prefix which indicates the call is a marketing call.

Nowadays those numbers are virtually always hidden. As a result we stopped picking them up but now and then a customer uses them as well. So, when we do pick them up and for the 694th time need to say we don’t want a subscription to a magazine that’s pretty uncool.

The impact of the correlation with the GDPR

We touched upon it previously but can’t emphasize it enough: the new ePrivacy Regulation is one single set of rules concerning all EU citizens and companies but it also ‘inherits’ several principles and stipulations from the GDPR.

The ePrivacy Regulation is lex specialis with regard to GDPR: it covers specific processing of personal data in the field of electronic communications and prevails on GDPR in case of conflict (Johan Vandendriessche, see SlideShare)

Undoubtedly one that will make many people concerned (from website owners to instant messaging developers, advertisers and – hopefully – spammers) are the fines.

Two different ‘sets’ of fines exist in the proposal’s text:

  • “Infringements of the principle of confidentiality of communications, permitted processing of electronic communications data and time limits for erasure”: the up to 20 Million Euros or, in the case of an undertaking, up to 4 percent of worldwide annual turnover, whichever is the highest, as we know it from the GDPR.
  • “Infringements regarding obligations of legal or natural persons who process electronic communications data, the obligations of providers of publicly available directories and/or the obligations of legal/natural persons who use electronic communications services: up to 10 Million Euros or, in the case of an undertaking, up to 2 percent of worldwide annual turnover, whichever is the highest.

The further details regarding these obligations can be found in the articles 5, 6 and 7, and paragraph 1 of the text for the first set of infringements and in articles 8, 10, 15 and 16 for the second set of infringements.

(Tele)communications content and metadata

As the summary of the Regulation draft text states, privacy is guaranteed for communications content itself and for the metadata of the content.

The metadata needs to be anonymized or deleted in case there is no consent with one exception; when it’s needed for billing.

Finally the summary also states that telecommunication firms can develop new services by leveraging content and/or metadata (but see the previous statement on anonymization) when consent is given for processing. This enables them and organizations to develop new services in a Big Data scope.

Examples of this already exist in the EU, whereby whomever is interested can gain insights in data from telecommunications providers and leverage them, for instance to detect patterns and heat maps showing the location of (mobile) users.

When will the new EU ePrivacy Regulation come into action?

Originally, the ambitious intention was to let the new ePrivacy Regulation come into force by May 25th, 2018 (the same date as the GDPR).

“With regard to confidentiality of electronic communications data some delegations are concerned about differences between the new provision and the current Directive, and some consider the provision too broad and general” (Interinstitutional File, 19 May 2017, see below)

That timeline wasn’t just ambitious but also turned out to be impossible, given the fact that the draft text was published so late (January 10th, 2017), the many comments and criticism from delegations since it was published  (with tremendous lobbying) and the fact that after the final vote in plenary session end October 2017 the so-called trilogue needs to start. Yet, things do move fast as you can read further below.

The Council of the European Union responded a first time to comments on May 19 with a so-called interinstitutional file (2017/0003, PDF opens) which states that the delegations which took part in the discussion in the Council’s Working Party on Telecommunications and Information Society consider the date unrealistic.

More work was needed with several concerns to tackle and the goal was to finalize the first examination of the proposal by the end of the Maltese Presidency in June 2017. This in turn should be a ‘solid base for future progress’.

In other words: it’s unlikely that the EU ePrivacy Regulation text will become enforceable on the same day as the GDPR.

In the meantime obviously the current ePrivacy Directive (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector) remains in place, which is a matter of national legislation. On October 19th a first vote on the amended text followed (see below).

It remains key to include online data and identifiers such as cookies and many others in your GDPR strategy as, regardless of where and how the text will be adapted according to discussions as a result of concerns raised by delegations (the extension to OTT companies, the machine-to-machine communications stipulations, the lack of clarity in some areas, the mentioned possibility that the suggested solution for cookies will not achieve what it aims to, the overlap with other regulations and legislation and so forth), the scope remains.

Moreover, some delegations point to the legal grounds which are available in the GDPR to tackle several of the EU Privacy Regulation’s original text, among others including the permitted processing.

October 19, 2017: LIBE Committee votes in favor of amended ePrivacy Regulation texts

On October 19th, 2017, the European Parliament Committee on on Civil Liberties, Justice and Home Affairs, a.k.a. LIBE Committee, has voted on the new ePrivacy Regulation.

A victory for advocates of strict privacy and data protection rules

Despite tremendous lobbying and the far-reaching consequences of the amended ePrivacy Regulation draft texts, the law makers who went for a strong and clear vote ‘no’ to the lobbying groups won the vote. In other words: a victory for the advocates of strict privacy and data protection rules and a major blowback for the several lobby groups

Now that the amended text with MEP Marju Lauristin as rapporteur (hence also the Lauristin report) has been approved by the LIBE Committee the next step is a vote in the plenary session of the EU Parliament end October, followed by the famous trilogue procedures. The ePrivacy Regulation is not a fact yet but as it stands now, the lobbying will certainly increase as the vote isn’t good news for the several industries that have been demanding for changes on many levels.

These lobby groups include the marketing, advertising and media industry but also other groups that have come to understand that “the vote on the Respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC” as the EU calls it on its ePrivacy update page isn’t just a vote about cookies and electronic communications as we have known  it so far but that, as previously mentioned also a range of new ‘channels’ and technologies, including IoT and the likes of WhatsApp and Skype are included.

Just as was and still is the case with the GDPR (where preparations of companies to become as GDPR compliant lag behind and are often not approached from the overall risk and personal data protection perspective), it is amazing how it took so long before the extent of the new “Regulation on Privacy and Electronic Communications” became clear. That wasn’t the case for the advertising and media industries or the telecommunications industry given the fact that they already knew the current relation with cookies but it certainly is with, among others, the inclusion of IoT, a topic we write about very often but whereby we see very little reference to the IoT and the ePrivacy Regulation, let alone GDPR.

A blow to European publishing, media and advertising industries 

Anyway, the vote has been a clear victory for the advocates of strict and clear privacy and data protection rules and a major hit for the several lobby groups, including those from the mentioned industries.

Only little over a week before the vote eight associations, representing parties from the European publishing, media and advertising industries sent an open letter to the MEPS in a warning that specific amendments to the ePrivacy Regulation text, which as the vote has shown are supported by several MEPS, are a threat to the advertising and media business models.

More specifically they asked that the ePrivacy Regulation would support the right of online services which essentially means that publishers have the right to restrict full access to their services to those online users who have not consented to the data processing which is deemed necessary to monetize a service through data-driven advertising, without forcing publishers to adopt an alternative payments-based business model without data-driven advertising as the IAB Europe puts it.

Below is the Lauristin report or the EU ePrivacy Regulation text as it was published after the vote in the LIBE Committee on October 19th 2017 and voted in favor of at the EP plenary on October 26th 2017 as you can read next, enabling you to look at the amendments in comparison with the original texts.


October 26, 2017: EP votes in favor of amended version and Lauristin report in plenary despite criticism of lobby groups and political differences

After the vote of the LIBE Committee, a.k.a. the Justice Committee of the European Parliament (EP), members of the EP voted in favor of the so-called Lauristin report in plenary.

The vote is in fact on the decision to enter the negotiations, one of the final stages (European Commission and member states) in the EU policy-making process, based upon the text. This means that the amended report drafted by MEP and rapporteur Marju Lauristin as it is in the SlideShare above also has been said yes to by the majority of MEPs in the EP’s plenary which, as said was the next step to get to the next step. And so, now, the whole process shifts to the European Commission and discussions with member states before finalization. Of the 618 voting MEPs, 318 voted for, 280 against and there were 20 abstentions.

It’s the second blow in a row for whomever wanted changes in the ePrivacy Regulation and a second victory for pro-privacy advocates in a row. Lobbying will now shift to the Commission and member states. Well, it has already started of course but now it will even more.

More about the significance of this vote in plenary and the next steps for the ePrivacy Regulation via the button below.

ePrivacy Regulation: European Parliament says yes to Lauristin report



Top image: Shutterstock – Copyright: one photo – All other images are the property of their respective mentioned owners. Although the content of this article is thoroughly checked we are not liable for potential mistakes and advice you to seek assistance in preparing for the ePrivacy Regulation as soon as it is final.