Logo Logo
Cookiebot

Right behind the General Data Protection Regulation (GDPR), another EU law on personal privacy and data protection is in the making. The ePrivacy Regulation, which originally should have been finalized on the date of the enforcement of the GDPR, 25 May 2018, is now due to be approved sometime in 2019, with the implementation date yet to be seen.

What is the ePrivacy Regulation about? How does it relate to the GDPR, and why do we need two sets of EU legislations on the subject? What are the requirements of the ePrivacy Regulation? What will it mean for your website’s use of cookies, and how can you prepare for it? Find the answers below.

The EU ePrivacy Regulation and Cookies - What do I need to do?

What is the ePrivacy Regulation? I Definition


The proposal for a Regulation on Privacy and Electronic Communications, also known as The ePrivacy Regulation, is a law in the making by the EU Commission.

Its purpose is to ensure the “respect for private life, confidentiality of communications and the protection of personal data in the electronic communications sector” in the EU.

Once applied, the ePrivacy Regulation will replace the ePrivacy Directive from 2002.

Many might know the ePrivacy Directive by its nickname, “The Cookie Law”, (one of its most noticeable impacts being the cookie consent pop-ups, that made their appearance on most websites in its wake).

Once the ePrivacy Directive is replaced by the ePrivacy Regulation, the legislation will automatically apply in all EU nations.

That, in fact, is the key difference between a regulation and a directive: Whereas regulations automatically become legally binding throughout the EU on the date they take effect, directives must be incorporated into national law by EU countries.

With a directive, the countries are required to achieve a certain result, but are free to choose how to do so. However, the Regulation is not simply a stronger version of the Directive.

The proposed Regulation is based on a thorough evaluation of the Directive, and addresses shortcomings in the Directive on the one hand, and digital and legislative developments (such as the GDPR) that have occurred since its last revision in 2009, on the other.

So far, two drafts have been published: the European Commission’s and the European Parliament’s.

National governments in all 28 European countries (including the UK) have had the opportunity to react to the proposed Regulation.

Currently, the EU Commission, the EU Parliament and the EU Council are discussing in so called “trialogue negotiations”, what will become the finalized and official Regulation text.

The ePrivacy Regulation, originally planned to be approved simultaneously with the enforcement of the GDPR, will probably be finalized sometime in 2019.

Thereafter, a period of adaptation will follow, before the ePrivacy Regulation is actually enforced as EU law.

Just like the GDPR, which was approved upon on 14 April 2016, and enforced two years later, on 25 May 2018.

What does the ePrivacy Regulation mean for my use of cookies?

Cookies are an important matter - and a matter of dispute - in the negotiations concerning the final phrasing of the ePrivacy Regulation.

The proposed Regulation attempts to address the “consent fatigue” caused by the Cookie Law.

The problem with consent in the ePrivacy Directive being, that it has been interpreted in most countries as a requirement for a simple consent banner like the following:

This has proved to be highly ineffective, because:

  1. Most people don’t know what they are agreeing to when they tick the box.
  2. Too many requests for consent annoy and overwhelm users, that end up ignoring the requests or just accept without thinking.
  3. No response is interpreted as consent.

The Regulation is therefore attempting to make changes to the way in which trackers may ask for consent for setting cookies and tracking users.

The evaluation of the Directive concludes that the current consent rule is both over-inclusive and under-inclusive:

Cookie requirements: How can I prepare for the ePrivacy Regulation?


As mentioned above, the final word is yet to be said about the direct implications of the ePrivacy Regulation for website owners and their use of cookies.

However, here is a list of requirements for cookies and online tracking from the latest draft.

Those readers familiar with the requirements in the GDPR will notice redundancies. In fact, many of the rules in the ePrivacy Regulation are similar to the ones described by the GDPR.

In fact, as we describe later in this article, the ePrivacy Regulation will, once enforced, complement (and override!) the GDPR when it comes to cases within the electronic communications sector.

When will the ePrivacy regulation be enforced?

The ePrivacy Regulation was originally aimed to be approved in the EU together with the implementation of the GDPR, on 25 May 2018.

However, this schedule quickly proved to be too ambitious.

At the last notice, the Regulation will be finalized sometime in 2019.

Thereafter, a period of adaptation will follow, before the regulation is applied.

If we dare to take the process of the GDPR as an example, one might guess that the ePrivacy Regulation will enter into force in 2021.

However, indications are that the ePrivacy Regulation will be even more encompassing and restrictive than the GDPR when it comes to preventing tracking and protecting personal data on the internet.

It is therefore being met by strong voices of criticism for counteracting the internet economy and crippling entire sectors, such as the publishers’ and digital media.

Timeline and update: What is the status of the ePrivacy Regulation?


10 January 2017: Presentation of first draft by the EU Commission

The first official draft of the new ePrivacy Regulation is presented by the EU Commission. The proposed Regulation should replace the ePrivacy Directive (Directive 2009/136/EC) and clarify and supplement the GDPR, with regard to personal electronic communications data. This draft of the planned ePrivacy Regulation is forwarded to the EU Parliament and Council.

19 October 2017: Adoption of draft in the EU Parliament

After lengthy negotiations, the LIBE Committee responsible for the ePrivacy Regulation in the EU Parliament votes on the draft. Much to the surprise of the online industry, the draft, virtually unchanged, is adopted by the EU Parliament one week later. At the same time, the EU Council also discusses the draft in a working group. Member States are invited to submit their opinions by 14 August 2017.

2018: Trialogue negotiations between the Commission, Parliament and the Council

With the adoption of the draft by the EU Parliament, the mandate for the next procedural step - the EU Parliament's negotiations with the EU Council - is given.

In 2018, the so-called trialogue negotiations between the Commission, Parliament and the Council are to be concluded.

The negotiations are a complex and lengthy matter with many voices.

To get a picture of some of the agents and their draft proposals, the law firm Linklaters have written a good overview.

2019: Implementation

The Commission has renounced to keep its target date of 25 May 2018, and experts expect implementation in 2019.

Text: Where can I find the latest draft of the ePrivacy Regulation?

The official draft of the ePrivacy Regulation and its annexes can be found on the homepage of the European Commission.

On this page of the regulation-work-in-progress, you can see

What is the difference between the ePrivacy Regulation and the GDPR?


The ePrivacy Regulation is a lex specialis to the General Data Protection Regulation, meaning that it complements the GDPR with specific rules that apply specifically to the electronic communications sector.

As lex specialis, it overrides the GDPR in the specific areas that it covers.

There are two laws because they are derived from two different rights in the European Charter of Human Rights:

The GDPR covers the right to protection of personal data, while the ePrivacy Regulation encompasses a person’s right to a private life, including confidentiality.

What is the scope of the ePrivacy Regulation vs the GDPR?

The GDPR is focused on defining and protecting personal data, e.g. health data, whether paper-based or electronic. The ePrivacy Regulation, on the other hand, particularizes GDPR for electronic communications and focuses on devices, processing techniques, storage, browsers etc.

Resources


European Commission: Proposal for a Regulation on Privacy and Electronic Communications

Nice infographic illustrating the Trialogue Negotiations of the ePrivacy Regulation

ePrivacy.eu: Timeline info

i-SCOOP: The new EU ePrivacy Regulation: what you need to know

Digiday.com: On the consequences of the ePrivacy Regulation for advertisers, websites, browsers, etc.

Privacytrust.com: Simple explanation of the difference between GDPR and ePrivacy

Martechtoday: On the differences between the GDPR and the ePr

Marketingweek: About ePrivacy

Medium.com: Good article about consent

Publishers' joint campaign against the ePrivacy Regulation

Make your website’s use of cookies and online tracking GDPR/ePR compliant today

Try for free