Logo Logo
Cookiebot

Cookiebot CMP helps make your use of cookies and online tracking GDPR and ePR compliant. The General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePR) affect how your website may use cookies to track your visitors from the EU.

 

Try our free compliance test to check if your website’s use of cookies and online tracking is GDPR/ePR compliant.

ePrivacy Regulation and cookies - compliance for your website by Cookiebot CMP.

Updated February 23, 2021.


The EU’s ePrivacy Regulation to repeal and replace the 2002 ePrivacy Directive has been a long time coming. Originally scheduled to be finalized on the GDPR’s enforcement date in May 2018, it instead dragged on for years.

On February 10, 2021, a finalized text was agreed upon by the EU Council that pushes the ePrivacy Regulation into a whole new phase of trialogue negations, from which a new data privacy law might emerge and take effect across the European Union.

In this blogpost, we break down the ePrivacy Regulation and cookies; what the current draft means for your website, and what happens next in the long saga of the EU’s infamous ePrivacy Regulation.


Quick summary


EU’s ePrivacy Regulation, cookies and 2021 updates

The ePrivacy Regulation 2021 is a draft regulation from the EU Council that governs all electronic communications on publicly available services and networks from individuals inside the European Union.

The EU’s data privacy regime currently consists of the General Data Protection Regulation (GDPR) and the ePrivacy Directive from 2002. The new ePrivacy Regulation would repeal and replace the older 2002 directive (also known as the EU cookie law) and bring significant updates by including new technologies in its legal framework.

In short, the draft ePrivacy Regulation 2021 covers all electronic communications (such as texts, emails, Facebook messages, SnapChat and so one), protects individuals inside the EU from third-party interference into their private communication unless they give prior consent.



The ePrivacy Regulation says cookies must be given consent from end-users.

The electronic privacy of Individuals inside the EU is the subject and scope of the ePrivacy Regulation 2021.



ePrivacy Regulation 2021 quick breakdown

Try Cookiebot consent management platform (CMP) for free today

Scan your website to see if you have users from inside the EU


ePrivacy Regulation and cookie consent

When it comes to eprivacy, cookies on your website can be a real liability – they are the most used technology for collecting, processing and sharing personal data from end-users on the Internet today, but need the explicit consent from end-users before being activated.

With the EU’s GDPR that came into force in 2018, the issues around eprivacy and cookies was addressed by putting end-user consent at the very core.



Compliance on your website with the ePrivacy Regulation and cookies.

The draft ePrivacy Regulation 2021 emphasizes user consent as core to electronic data privacy.



Consent remains a core part of the ePrivacy Regulation 2021, and cookies and similar website trackers are also the target of the new draft data privacy law.

Consent will be needed from end-users to process any kind of electronic communications and its content.

The 2002 ePrivacy Directive in effect today is also known as the EU cookie law exactly because it was the first piece of EU legislation (prior to the EU’s GDPR) that specified rules for how websites are allowed to use cookies and trackers to process data from users.

Famously, the ePrivacy Directive created the need for cookie banners on websites as a means of obtaining consent from users – though most of the early, pre-GDPR website banners were actually not working as intended.

According to the new draft ePrivacy Regulation 2021, end-user consent is necessary before processing any kind of data from users’ computers or smartphones.

Should the ePrivacy Regulation 2021 pass into law, it will repeal and replace the ePrivacy Directive.

The EU’s GDPR already requires your website to obtain the explicit consent from your users before using cookies and trackers that process personal data, such as IP addresses, unique IDs, search and browser history.

What the draft ePrivacy Regulation 2021 emphasizes is that consent is a vital dynamic at the core of today’s Internet, and that consent is here to stay.

However, the ePrivacy Regulation 2021 opens the door for new ways of streamlining consent across browsers and also addresses so-called cookie consent fatigue (when users are overwhelmed with having to give consent on websites across the Internet), by-and-large cementing that user consent is necessary for true data privacy protection – now and in the future.

With a finalized text from the EU Council, the ePrivacy Regulation 2021 now moves into so-called trialogue negotiations between the EU Parliament, EU Commission and the EU Council.



Cookiebot CMP ensures compliance with the ePrivacy Regulation 2021.

The ePrivacy Regulation 2021 faces tough trialogue negotiations in the EU Parliament.



But the EU Council draft’s path into law, let alone any indication of a possible ePrivacy Regulation effective date, remains unclear, particularly since strong data privacy voices have already spoken out against it, including Germany’s Federal Data Protection Commissioner Ulrich Kelber, who urges the EU Parliament to seek stronger data privacy provisions for the ePrivacy Regulation in 2021.

One thing seems certain from the new draft ePrivacy Regulation: cookies and trackers on your website will still need the explicit and affirmative consent from users before being used.

In other words, consent is here to stay.


Try Cookiebot CMP free for 30 days – or forever if you have a small website

Scan your website to see all cookies and tracker in use

Learn more about GDPR and cookie consent

See the full draft ePrivacy Regulation text (pdf)



Compliance with Cookiebot CMP


ePrivacy Regulation and cookies

Cookiebot CMP is the leading plug-and-play compliance solution for EU’s data privacy requirements to your website.

Built around a powerful website scanner that detects and controls all cookies, trackers and trojan horses on your website, Cookiebot CMP automatically obtains the valid consents from your website’s end-users in true compliance with the EU’s GDPR/ePR requirements.

Tailored and highly customizable consent banners provide your users with all legally required information on each cookie, such as technical details, provider, duration and purpose.

With the coming ePrivacy Regulation, cookies and trackers on your website will still need the prior and explicit consent from users to be allowed activated.

Third-party cookies operating through your website’s use of analytics services or social media plugins all need the prior consent from your website’s visitors before being legally allowed to function.

Cookiebot CMP has specialized in handling EU valid cookie consents since 2012 and will keep on protecting user privacy, while making compliance easy and automatic for your website.

Cookiebot CMP also enables compliance for your website with a range of other data privacy laws around the world, including UK’s GDPR, California’s CCPA, Canada’s PIPEDA, South Africa’s POPIA, New Zealand’s Privacy Act and many others.

Try Cookiebot CPM free for 30 days – or forever if you have a small website.

Scan your website to see if you process data in the EU



Cookiebot CMP offers compliance with the ePrivacy Regulation 2021.


ePrivacy Regulation 2021, in detail


ePrivacy, cookies and timeline

Let’s break down the new ePrivacy Regulation 2021 draft from the EU Council in detail and look at how it’s different from the GDPR, and when it might take effect.


What is the difference between ePrivacy Regulation and the GDPR?

The EU’s General Data Protection Regulation (GDPR) protects the personal data of individuals inside the EU, while the ePrivacy Regulation 2021 will protect the privacy of electronic communication from individuals inside the EU – particularizing and specifying the GDPR (and its standards of consent) to the sector of communication via technologies such as Facebook, email, and text messages, among others.

The ePrivacy Regulation 2021 is a lex specialis to the General Data Protection Regulation (GDPR) lex generalis, meaning that it complements the GDPR with rules that apply specifically to the electronic communications sector.

As lex specialis, the ePrivacy Regulation 2021 will override the GDPR in the specific areas that it covers.

These will be two different laws, deriving from two different rights of the European Charter of Human Rights – the GDPR covers the right to protection of personal data, while the ePrivacy Regulation will encompass a person’s right to a private life, including confidentiality, in all electronic communications.



The new ePrivacy Regulation also covers cookies, and Cookiebot CMP offers compliance.

Particular to the electronic communications sector, the ePrivacy Regulation updates the 2002 ePrivacy Directive.



When will the ePrivacy Regulation be finalized?

On February 10, 2021, the EU Council ambassadors agreed to a draft legislation that will now go into trialogue negotiations between the EU Council, EU Parliament and EU Commission.

As it is still only a draft, there’s no ePrivacy Regulation effective date yet.

However, the draft says that it will enter into force twenty days after its publication in the EU Official Journal and would start to apply two years later – meaning that if trialogue negotiations go well and the draft passes into law sometime later in 2021, the ePrivacy Regulation would take effect across the European Union in 2023.

But this is a big if, since the draft ePrivacy Regulation has already received considerable criticism, notably from Germany’s own data protection authorities.


Here’s is a timeline of the ePrivacy Regulations so far –



EDPB opinion on draft ePrivacy Regulation 2021

On March 9, 2021, the European Data Protection Board (EDPB) adopted a statement on the ePrivacy Regulation, underlining that the coming regulation must under no circumstances lower the level of protection offered by the current ePrivacy Directive (which it would repeal and replace), and must complement the existing General Data Protection Regulation (GDPR) by providing additional strong guarantees for confidentiality and protection of all electronic communications.

The EDPB emphasizes in their statement that –

It is still uncertain what the road ahead looks like for the draft ePrivacy Regulation 2021.



FAQ


What is the ePrivacy Regulation?

The ePrivacy Regulation 2021 is a draft regulation from the EU Council which, if passed into law, will govern all electronic communication on publicly available services and networks from individuals inside the European Union (such as Facebook messages, texts, emails, SnapChats and all other popular electronic communications services). Though not a primary focus of the ePrivacy Regulation, cookies and trackers used on websites are also covered by the legislation and, like the GPDR already mandates, would require explicit consent from users in order to be activated on your website.

Learn more about the GDPR and cookie consent


When will the ePrivacy Regulation be finalized?

The ePrivacy Regulation 2021 is currently in a draft form, finalized on February 10, 2021 by the EU Council. However, the draft ePrivacy Regulation 2021 now moves into trialogue negotiations between the EU Council, the EU Parliament and EU Commission, which might result in the draft passing into law in all 27 EU member states, or it might fail and have to be drafted anew.

Scan your website to see how many cookies are in use


When will the ePrivacy Regulation take effect?

There is currently no ePrivacy Regulation effective date, since the February draft is still only a proposal from the EU Council. The draft text states that the ePrivacy Regulation will take effect twenty days after its publication in the EU Official Journal and would start to apply two years later. However, it is hard to estimate a possible ePrivacy Regulation effective date, since the trialogue negotiations can go a lot of different ways, with some EU nations calling for stronger data privacy provisions than is contained in the current draft.

Try Cookiebot CMP for GDPR compliance today


What is the difference between the ePrivacy Regulation and the GDPR?

The ePrivacy Regulation 2021 is a sector-specific law that would governs all electronic communications on publicly available services and networks from individuals inside the EU, whereas the General Data Protection Regulation (GDPR) governs the processing of personal data from individuals inside the EU. In this way, the ePrivacy Regulation 2021 would be a lex specialis to the lex generalis GDPR, specifying and particularizing the GDPR’s personal data provisions to the electronic communications sector.

Learn more about the GDPR


Resources


Press release from the EU Council on the new ePrivacy Regulation 2021

The new draft ePrivacy Regulation 2021, February 10, 2021 (pdf)

IAPP on the new developments of the ePrivacy Regulation 2021

Access Now express underwhelming response to the EU Council’s ePrivacy Regulation draft

German data protection authority, BfDI, criticizes the draft ePrivacy Regulation (in German)

Overview of ePrivacy Regulation by Lexology 

New Google Consent Mode 

Cookiebot™ CMP integrates perfectly with the new Google Consent Mode.

Make your website’s use of cookies and online tracking compliant today

Try for free