Updated January 17, 2022.
The EU’s ePrivacy Regulation to repeal and replace the 2002 ePrivacy Directive has been a long time coming. Originally scheduled to be finalized on the GDPR’s enforcement date in May 2018, it instead dragged on for years.
On February 10, 2021, a finalized text was agreed upon by the EU Council that pushes the ePrivacy Regulation into a whole new phase of trialogue negotiations, from which a new data privacy law might emerge and take effect across the European Union.
In this blogpost, we break down the ePrivacy Regulation and cookies; what the current draft means for your website, and what happens next in the long saga of the EU’s infamous ePrivacy Regulation.
EU’s ePrivacy Regulation, quick summary
ePrivacy Regulation, cookies and 2021 updates
The ePrivacy Regulation 2021 is a draft regulation from the EU Council that governs all electronic communications on publicly available services and networks from individuals inside the European Union.
The EU’s data privacy regime currently consists of the General Data Protection Regulation (GDPR) and the ePrivacy Directive from 2002. The new ePrivacy Regulation would repeal and replace the older 2002 directive (also known as the EU cookie law) and bring significant updates by including new technologies in its legal framework.
In short, the draft ePrivacy Regulation 2021 covers all electronic communications (such as texts, emails, Facebook messages, SnapChat and so on), protects individuals inside the EU from third-party interference into their private communication unless they give prior consent.
ePrivacy Regulation 2021 quick breakdown –
- ePrivacy Regulation 2021 covers electronic communications on publicly available services and networks, including machine-to-machine data transmissions and metadata, such as location, time and data about recipients.
- ePrivacy Regulation 2021 applies to end-users located inside the EU, even if the service provider is located outside of the EU, and the processing takes place outside of the EU.
- ePrivacy Regulation 2021 protects all electronic communications as by default private and confidential – in order to process, listen, monitor or otherwise collect data about individuals’ electronic communications inside the EU, end-users must first provide explicit and affirmative consent.
- ePrivacy Regulation 2021 requires you to obtain the explicit consent from end-users before using cookies and trackers on your website, or any other technology that stores personal data on users’ terminal equipment (hardware and software).
- ePrivacy Regulation 2021 makes cookie walls a possibility, if the user is offered an equivalent that does not involve giving consent to cookies and trackers.
- ePrivacy Regulation 2021 makes it possible for end-users to whitelist cookie providers in their browser settings and encourage providers to make it easy for users to amend whitelists and to withdraw their consent at any time.
- ePrivacy Regulation 2021 will take effect two years after it is passed into law.
ePrivacy Regulation and cookie consent
When it comes to eprivacy, cookies on your website can be a real liability – they are the most used technology for collecting, processing and sharing personal data from end-users on the Internet today, but need the explicit consent from end-users before being activated.
With the EU’s GDPR that came into force in 2018, the issues around eprivacy and cookies was addressed by putting end-user consent at the very core.
Consent remains a core part of the ePrivacy Regulation 2021, and cookies and similar website trackers are also the target of the new draft data privacy law.
Consent will be needed from end-users to process any kind of electronic communications and its content.
The 2002 ePrivacy Directive in effect today is also known as the EU cookie law exactly because it was the first piece of EU legislation (prior to the EU’s GDPR) that specified rules for how websites are allowed to use cookies and trackers to process data from users.
Famously, the ePrivacy Directive created the need for cookie banners on websites as a means of obtaining consent from users – though most of the early, pre-GDPR website banners were actually not working as intended.
According to the new draft ePrivacy Regulation 2021, end-user consent is necessary before processing any kind of data from users’ computers or smartphones.
Should the ePrivacy Regulation 2021 pass into law, it will repeal and replace the ePrivacy Directive.
The EU’s GDPR already requires your website to obtain the explicit consent from your users before using cookies and trackers that process personal data, such as IP addresses, unique IDs, search and browser history.
What the draft ePrivacy Regulation 2021 emphasizes is that consent is a vital dynamic at the core of today’s Internet, and that consent is here to stay.
However, the ePrivacy Regulation 2021 opens the door for new ways of streamlining consent across browsers and also addresses so-called cookie consent fatigue (when users are overwhelmed with having to give consent on websites across the Internet), by-and-large cementing that user consent is necessary for true data privacy protection – now and in the future.
With a finalized text from the EU Council, the ePrivacy Regulation 2021 now moves into so-called trialogue negotiations between the EU Parliament, EU Commission and the EU Council.
But the EU Council draft’s path into law, let alone any indication of a possible ePrivacy Regulation effective date, remains unclear, particularly since strong data privacy voices have already spoken out against it, including Germany’s Federal Data Protection Commissioner Ulrich Kelber, who urges the EU Parliament to seek stronger data privacy provisions for the ePrivacy Regulation in 2021.
One thing seems certain from the new draft ePrivacy Regulation: cookies and trackers on your website will still need the explicit and affirmative consent from users before being used.
In other words, consent is here to stay.
Learn more about GDPR and cookie consent
See the full draft ePrivacy Regulation text (pdf)
Compliance with Cookiebot CMP
ePrivacy Regulation and cookies
Cookiebot CMP by Usercentrics is the leading plug-and-play compliance solution for EU’s data privacy requirements to your website.
Built around a powerful website scanner that detects and controls all cookies, trackers and trojan horses on your website, our solution automatically obtains the valid consents from your website’s end-users in true compliance with the EU’s GDPR/ePR requirements.
Tailored and highly customizable consent banners provide your users with all legally required information on each cookie, such as technical details, provider, duration and purpose.
With the coming ePrivacy Regulation, cookies and trackers on your website will still need the prior and explicit consent from users to be allowed activated.
Third-party cookies operating through your website’s use of analytics services or social media plugins all need the prior consent from your website’s visitors before being legally allowed to function.
Cookiebot CMP has specialized in handling EU valid cookie consents since 2012 and will keep on protecting user privacy, while making compliance easy and automatic for your website.
We also enable compliance for your website with a range of other data privacy laws around the world, including UK’s GDPR, California’s CCPA, Canada’s PIPEDA, South Africa’s POPIA, New Zealand’s Privacy Act and many others.
ePrivacy Regulation 2021, in detail
ePrivacy, cookies and timeline
Let’s break down the new ePrivacy Regulation 2021 draft from the EU Council in detail and look at how it’s different from the GDPR, and when it might take effect.
What is the difference between ePrivacy Regulation and the GDPR?
The EU’s General Data Protection Regulation (GDPR) protects the personal data of individuals inside the EU, while the ePrivacy Regulation 2021 will protect the privacy of electronic communication from individuals inside the EU – particularizing and specifying the GDPR (and its standards of consent) to the sector of communication via technologies such as Facebook, email, and text messages, among others.
The ePrivacy Regulation 2021 is a lex specialis to the General Data Protection Regulation (GDPR) lex generalis, meaning that it complements the GDPR with rules that apply specifically to the electronic communications sector.
As lex specialis, the ePrivacy Regulation 2021 will override the GDPR in the specific areas that it covers.
These will be two different laws, deriving from two different rights of the European Charter of Human Rights – the GDPR covers the right to protection of personal data, while the ePrivacy Regulation will encompass a person’s right to a private life, including confidentiality, in all electronic communications.
When will the ePrivacy Regulation be finalized?
On February 10, 2021, the EU Council ambassadors agreed to a draft legislation that will now go into trialogue negotiations between the EU Council, EU Parliament and EU Commission.
As it is still only a draft, there’s no ePrivacy Regulation effective date yet.
However, the draft says that it will enter into force twenty days after its publication in the EU Official Journal and would start to apply two years later – meaning that if trialogue negotiations go well and the draft passes into law sometime later in 2021, the ePrivacy Regulation would take effect across the European Union in 2023.
But this is a big if, since the draft ePrivacy Regulation has already received considerable criticism, notably from Germany’s own data protection authorities.
Here is a timeline of the ePrivacy Regulations so far –
- 2021 – EU Council finalizes text and new trilogue negotiations between the EU Council, EU Parliament and EU Commission can begin.
- 2020 – the ePrivacy Regulation fails to reach majority consensus through several EU Presidencies.
- 2018/2019 – the draft ePrivacy Regulation bounces back and forth in trialogue negotiations between the EU Commission, EU Parliament and the EU Council.
- 2017 – Draft of ePrivacy Regulation from the EU Parliament presented.
EDPB opinion on draft ePrivacy Regulation 2021
On March 9, 2021, the European Data Protection Board (EDPB) adopted a statement on the ePrivacy Regulation, underlining that the coming regulation must under no circumstances lower the level of protection offered by the current ePrivacy Directive (which it would repeal and replace), and must complement the existing General Data Protection Regulation (GDPR) by providing additional strong guarantees for confidentiality and protection of all electronic communications.
The EDPB emphasizes in their statement that –
- Some exceptions (in particular Article 6(1)(c), Article 6b(1)(e), Article 6b(1)(f), Article 6c) introduced by the Council seem to allow for very broad types of processing, and recalls the need to narrow down those exceptions to specific and clearly defined purposes,
- It is a necessity to obtain a genuine freely-given consent and that this should prevent service providers from using unfair practices such as “take it or leave it” solutions, which make access to services and functionalities conditional on the consent of a user to the storing of information, or gaining of access to information already stored in the terminal equipment of a user (the so-called “cookie walls”),
- There is need to include an explicit provision in the ePrivacy Regulation against service providers processing information without user consent, and in order to enable users to accept or refuse profiling,
- The ePrivacy Regulation should improve the current consent framework with an effective way to obtain consent for websites and mobile applications, by giving back control to the users and addressing the “consent fatigue”.
It is still uncertain what the road ahead looks like for the draft ePrivacy Regulation 2021.
FAQ
What is the ePrivacy Regulation?
The ePrivacy Regulation 2021 is a draft regulation from the EU Council which, if passed into law, will govern all electronic communication on publicly available services and networks from individuals inside the European Union (such as Facebook messages, texts, emails, SnapChats and all other popular electronic communications services). Though not a primary focus of the ePrivacy Regulation, cookies and trackers used on websites are also covered by the legislation and, like the GPDR already mandates, would require explicit consent from users in order to be activated on your website.
When will the ePrivacy Regulation be finalized?
The ePrivacy Regulation 2021 is currently in a draft form, finalized on February 10, 2021 by the EU Council. However, the draft ePrivacy Regulation 2021 now moves into trialogue negotiations between the EU Council, the EU Parliament and EU Commission, which might result in the draft passing into law in all 27 EU member states, or it might fail and have to be drafted anew.
When will the ePrivacy Regulation take effect?
There is currently no ePrivacy Regulation effective date, since the February draft is still only a proposal from the EU Council. The draft text states that the ePrivacy Regulation will take effect twenty days after its publication in the EU Official Journal and would start to apply two years later. However, it is hard to estimate a possible ePrivacy Regulation effective date, since the trialogue negotiations can go a lot of different ways, with some EU nations calling for stronger data privacy provisions than is contained in the current draft.
What is the difference between the ePrivacy Regulation and the GDPR?
The ePrivacy Regulation 2021 is a sector-specific law that would governs all electronic communications on publicly available services and networks from individuals inside the EU, whereas the General Data Protection Regulation (GDPR) governs the processing of personal data from individuals inside the EU. In this way, the ePrivacy Regulation 2021 would be a lex specialis to the lex generalis GDPR, specifying and particularizing the GDPR’s personal data provisions to the electronic communications sector.
Resources
Press release from the EU Council on the new ePrivacy Regulation 2021
The new draft ePrivacy Regulation 2021, February 10, 2021 (pdf)
IAPP on the new developments of the ePrivacy Regulation 2021
Access Now express underwhelming response to the EU Council’s ePrivacy Regulation draft
German data protection authority, BfDI, criticizes the draft ePrivacy Regulation (in German)