The ePrivacy Regulation is a new privacy law in the EU that is designed to complement the General Data Protection Regulation and replace the ePrivacy Directive. Read this article to explore the EU’s ePrivacy Regulation and what it means for cookies and other tracking technologies.
The European Union has always been at the forefront of implementing data protection laws to protect the privacy of EU citizens. The General Data Protection Regulation has paved the way for many data protection laws around the world. It has been one of the most stringent data protection laws since it was introduced in 2018.
Now, the European Union is about to introduce the ePrivacy Regulation, which extends the GDPR, focusing on electronic communications services and public networks. In this blog post, you will learn what the ePrivacy Regulation is, why it is important, and how to comply with it.
Let’s begin by addressing the obvious question.
The ePrivacy Regulation, also known as the EU cookie law, is a new European Union law that will replace the ePrivacy Directive of 2002. The law was initially planned to come into force with the GDPR, but was delayed for various reasons. After undergoing some changes and revisions, it was planned to come into force in 2023. However, it is still undergoing legislative processes and hasn’t been officially adopted by the European Union.
The ePrivacy Regulation provides stronger privacy protections for electronic communication services (emails, social media services, etc.) and gives users more control over their personal data. It will also apply to cookies and other tracking technologies used by websites and services.
The European Union has outlined the definitions for key terms for the purpose of the ePrivacy regulation. Here are some of the key definitions:
Electronic communications data: The electronic communications data combines the electronic communications content and electronic communications metadata.
Electronic communications content: Any data exchanged by means of electronic communications services. This includes text, voice, videos, images, and sound.
Electronic communications metadata: Data processed through electronic communication services for the purpose of transmitting, distributing, or exchanging messages between individuals. This includes data used to track and identify the sender and recipient of communications, location data, timestamp, duration of the conversation, and the type of communication.
Publicly available directory: A directory of users of number-based interpersonal communication services (SMS, text message) in printed or electronic form that is made available to the public.
Location data: Any information processed by electronic communication services that reveals the geographic location of a user’s device on a publicly accessible electronic communication network or service.
Direct marketing communications: Any written or oral advertising sent directly to one or more end users through a publicly available electronic communication service, using methods such as voice calls or automated calling.
The ePrivacy Regulation applies to the following cases:
- Processing of electronic communications content and metadata when using any electronic communications services.
- Identification of end users’ device information.
- Processing of electronic communications services directories available to the public.
- Sending direct marketing communications to users.
The ePrivacy Regulation does not apply to the following cases:
- If the data processing happens outside the EU region, and if it concerns national security and defence, and is conducted by either a public authority or a private operator acting upon the request of a public authority.
- Activities of the Member States of the EU that fall within the scope of Chapter 2 of Title V of the Treaty on European Union.
- If the electronic communication services are not available to the public.
- The activities, including data processing activities, of competent authorities aimed at preventing, investigating, detecting, or prosecuting criminal offenses or executing criminal penalties, including safeguarding against and preventing threats to public security.
- The electronic communications data is processed after receipt by the concerned user.
The ePrivacy Regulation specifically mentions cookies and other tracking technologies. It requires websites to get explicit consent from site visitors before using cookies or similar technologies.
Some websites offer free access to their content by using cookies or tracking scripts for targeted advertising. In such cases, the website should offer users a choice: either access the content by making a payment or access it for free by agreeing to the use of cookies.
Le Monde, a French newspaper, is one example. It explicitly states its use of cookies and gives users the choice to decline them. Users can still access the website content either by opting for a premium subscription or by viewing a promotional banner.
Consent should be obtained the first time a user visits your site, and websites should remember the users’ preferences every time they visit. Websites should not overwhelm users with consent requests. Instead, they should use transparent and user-friendly cookie consent solutions and encourage users to provide informed consent.
The law also states that the users’ preferences should be applied immediately without any delay. So if a user declines tracking cookies, the website should refrain from loading tracking cookies from that point onward.
The table below shows the major differences between the ePrivacy Regulation and the General Data Protection Regulation.

| Aspect | GDPR | ePrivacy Regulation |
| --- | --- | --- |
| Scope | Applies to all data processing activities | Focuses on electronic communications |
| Coverage | Covers all data processing activities | Specifically covers email, instant messaging, VoIP, and cookies |
| Requirements on Cookies | Requires consent for all data processing activities | Imposes strict requirements on the use of cookies and tracking technologies |
| Compliance Obligations | Applicable to organizations handling any type of data | Applicable to organizations handling electronic communications |
| Penalty | Violations can result in fines up to 4% of global annual revenue or €20 million (whichever is greater) | Violations can result in fines up to €10 million or 2% of global annual revenue (whichever is greater) |

In short, the GDPR has a broader scope and applies to data processing activities as a whole, whereas the ePrivacy Regulation focuses specifically on data processing by electronic communication services.
Follow the guidelines below to comply with the ePrivacy Regulation on your website.
- Display a cookie banner to inform visitors about the use of cookies, and provide users with the option to accept or decline cookies.
- Create a privacy policy or cookie policy on your website and disclose what types of cookies you use, why they are used, and how to manage them.
- Do not load cookies before getting consent from site visitors.
- Allow website visitors to revoke the consent any time they want to.
- Use cookies only for the specific purpose for which consent was obtained.
- Regularly update policies and terms and notify users of any changes in cookie usage.
- Keep a report of users’ consent with details such as cookies consented to, date and time, anonymized IP, etc.
- Avoid dark patterns in cookie banners that confuse users into giving consent.
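The guidelines above (no cookies before consent, revocation at any time, use only for the consented purpose, and a consent record) can be enforced with a default-deny gate on the server. This is an added example, not code from the original article or from any consent plugin; the category names, record fields, tag names and in-memory store are assumptions, and only IPv4 addresses are handled.

```javascript
// Added example: category names, record fields and tag names are constructed.
const CATEGORIES = ["analytics", "advertising", "preferences"];

// Truncate an IPv4 address to its /24 before it is stored.
function anonymizeIp(ip) {
  const octets = ip.split(".");
  const valid = octets.length === 4 &&
    octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new Error("not an IPv4 address");
  return octets.slice(0, 3).join(".") + ".0";
}

class ConsentLog {
  constructor() {
    this.records = []; // append-only: a revocation is a new record, not a delete
  }

  // Store one decision: categories consented to, date and time, truncated IP.
  record(visitorId, granted, ip, now = new Date()) {
    const unknown = granted.filter((c) => !CATEGORIES.includes(c));
    if (unknown.length > 0) throw new Error("unknown category: " + unknown.join(", "));
    const entry = {
      visitorId,
      granted: [...new Set(granted)],
      timestamp: now.toISOString(),
      ip: anonymizeIp(ip),
    };
    this.records.push(entry);
    return entry;
  }

  revoke(visitorId, ip, now = new Date()) {
    return this.record(visitorId, [], ip, now);
  }

  // The latest decision wins; a visitor with no record has consented to nothing.
  allowed(visitorId, category) {
    const mine = this.records.filter((r) => r.visitorId === visitorId);
    return mine.length > 0 && mine[mine.length - 1].granted.includes(category);
  }
}

// Each tag declares one purpose and is emitted only if that purpose was consented to.
function tagsToLoad(log, visitorId, tags) {
  return tags.filter((t) => log.allowed(visitorId, t.category)).map((t) => t.name);
}

const SAMPLE_TAGS = [ // constructed sample input
  { name: "stats.js", category: "analytics" },
  { name: "ads.js", category: "advertising" },
];
```

Because the gate is evaluated on every request against the latest record, a revocation takes effect on the visitor's next page load, and the earlier consent record stays available as evidence.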
What Is EU Cookie Law?
The ePrivacy Regulation is also known as the EU cookie law because it specifically mentions cookies and regulates the use of cookies by websites to track and monitor site visitors.
When Will ePrivacy Regulation Take Effect?
The ePrivacy Regulation was expected to take effect in 2023 but was delayed. It is still undergoing legislative processes, and there’s no definitive date yet (as of 30 January 2024).
Who Will Be Affected by ePrivacy Regulation?
The ePrivacy Regulation will affect various entities involved in electronic communications, such as websites, social media platforms, internet service providers, telecom companies, advertising and marketing agencies, and more.
Will the ePrivacy Regulation Replace the GDPR?
No, the ePrivacy Regulation will not replace the GDPR. They are separate yet complementary regulations focusing on different aspects of data privacy. The GDPR is a comprehensive data protection law that applies to all types of data processing activities, whereas the ePrivacy Regulation primarily focuses on data processing carried out by electronic communication services.
Conclusion
The EU’s ePrivacy Regulation is a significant data protection regulation that will complement the General Data Protection Regulation. While its arrival date remains uncertain, the law will empower users with rights to protect their personal data and online privacy.
As we prepare for its implementation, businesses must understand the regulations and ensure compliance through clear communication, user-friendly cookie consent mechanisms, and a commitment to a privacy-focused approach. To comply with these laws, you may use a consent management platform like our GDPR cookie consent plugin. It will reduce your compliance effort.