Updated February 23, 2021.
The EU’s ePrivacy Regulation to repeal and replace the 2002 ePrivacy Directive has been a long time coming. Originally scheduled to be finalized on the GDPR’s enforcement date in May 2018, it instead dragged on for years.
On February 10, 2021, a finalized text was agreed upon by the EU Council that pushes the ePrivacy Regulation into a whole new phase of trialogue negations, from which a new data privacy law might emerge and take effect across the European Union.
In this blogpost, we break down the ePrivacy Regulation and cookies; what the current draft means for your website, and what happens next in the long saga of the EU’s infamous ePrivacy Regulation.
The ePrivacy Regulation 2021 is a draft regulation from the EU Council that governs all electronic communications on publicly available services and networks from individuals inside the European Union.
The EU’s data privacy regime currently consists of the General Data Protection Regulation (GDPR) and the ePrivacy Directive from 2002. The new ePrivacy Regulation would repeal and replace the older 2002 directive (also known as the EU cookie law) and bring significant updates by including new technologies in its legal framework.
In short, the draft ePrivacy Regulation 2021 covers all electronic communications (such as texts, emails, Facebook messages, SnapChat and so one), protects individuals inside the EU from third-party interference into their private communication unless they give prior consent.
The electronic privacy of Individuals inside the EU is the subject and scope of the ePrivacy Regulation 2021.
ePrivacy Regulation 2021 quick breakdown –
When it comes to eprivacy, cookies on your website can be a real liability – they are the most used technology for collecting, processing and sharing personal data from end-users on the Internet today, but need the explicit consent from end-users before being activated.
With the EU’s GDPR that came into force in 2018, the issues around eprivacy and cookies was addressed by putting end-user consent at the very core.
The draft ePrivacy Regulation 2021 emphasizes user consent as core to electronic data privacy.
Consent remains a core part of the ePrivacy Regulation 2021, and cookies and similar website trackers are also the target of the new draft data privacy law.
Consent will be needed from end-users to process any kind of electronic communications and its content.
Famously, the ePrivacy Directive created the need for cookie banners on websites as a means of obtaining consent from users – though most of the early, pre-GDPR website banners were actually not working as intended.
According to the new draft ePrivacy Regulation 2021, end-user consent is necessary before processing any kind of data from users’ computers or smartphones.
Should the ePrivacy Regulation 2021 pass into law, it will repeal and replace the ePrivacy Directive.
The EU’s GDPR already requires your website to obtain the explicit consent from your users before using cookies and trackers that process personal data, such as IP addresses, unique IDs, search and browser history.
What the draft ePrivacy Regulation 2021 emphasizes is that consent is a vital dynamic at the core of today’s Internet, and that consent is here to stay.
However, the ePrivacy Regulation 2021 opens the door for new ways of streamlining consent across browsers and also addresses so-called cookie consent fatigue (when users are overwhelmed with having to give consent on websites across the Internet), by-and-large cementing that user consent is necessary for true data privacy protection – now and in the future.
With a finalized text from the EU Council, the ePrivacy Regulation 2021 now moves into so-called trialogue negotiations between the EU Parliament, EU Commission and the EU Council.
The ePrivacy Regulation 2021 faces tough trialogue negotiations in the EU Parliament.
But the EU Council draft’s path into law, let alone any indication of a possible ePrivacy Regulation effective date, remains unclear, particularly since strong data privacy voices have already spoken out against it, including Germany’s Federal Data Protection Commissioner Ulrich Kelber, who urges the EU Parliament to seek stronger data privacy provisions for the ePrivacy Regulation in 2021.
One thing seems certain from the new draft ePrivacy Regulation: cookies and trackers on your website will still need the explicit and affirmative consent from users before being used.
In other words, consent is here to stay.
Try Cookiebot CMP free for 30 days – or forever if you have a small website
Cookiebot CMP is the leading plug-and-play compliance solution for EU’s data privacy requirements to your website.
Built around a powerful website scanner that detects and controls all cookies, trackers and trojan horses on your website, Cookiebot CMP automatically obtains the valid consents from your website’s end-users in true compliance with the EU’s GDPR/ePR requirements.
Tailored and highly customizable consent banners provide your users with all legally required information on each cookie, such as technical details, provider, duration and purpose.
With the coming ePrivacy Regulation, cookies and trackers on your website will still need the prior and explicit consent from users to be allowed activated.
Third-party cookies operating through your website’s use of analytics services or social media plugins all need the prior consent from your website’s visitors before being legally allowed to function.
Cookiebot CMP has specialized in handling EU valid cookie consents since 2012 and will keep on protecting user privacy, while making compliance easy and automatic for your website.
Cookiebot CMP also enables compliance for your website with a range of other data privacy laws around the world, including UK’s GDPR, California’s CCPA, Canada’s PIPEDA, South Africa’s POPIA, New Zealand’s Privacy Act and many others.
Try Cookiebot CPM free for 30 days – or forever if you have a small website.
Let’s break down the new ePrivacy Regulation 2021 draft from the EU Council in detail and look at how it’s different from the GDPR, and when it might take effect.
The EU’s General Data Protection Regulation (GDPR) protects the personal data of individuals inside the EU, while the ePrivacy Regulation 2021 will protect the privacy of electronic communication from individuals inside the EU – particularizing and specifying the GDPR (and its standards of consent) to the sector of communication via technologies such as Facebook, email, and text messages, among others.
The ePrivacy Regulation 2021 is a lex specialis to the General Data Protection Regulation (GDPR) lex generalis, meaning that it complements the GDPR with rules that apply specifically to the electronic communications sector.
As lex specialis, the ePrivacy Regulation 2021 will override the GDPR in the specific areas that it covers.
These will be two different laws, deriving from two different rights of the European Charter of Human Rights – the GDPR covers the right to protection of personal data, while the ePrivacy Regulation will encompass a person’s right to a private life, including confidentiality, in all electronic communications.
Particular to the electronic communications sector, the ePrivacy Regulation updates the 2002 ePrivacy Directive.
On February 10, 2021, the EU Council ambassadors agreed to a draft legislation that will now go into trialogue negotiations between the EU Council, EU Parliament and EU Commission.
As it is still only a draft, there’s no ePrivacy Regulation effective date yet.
However, the draft says that it will enter into force twenty days after its publication in the EU Official Journal and would start to apply two years later – meaning that if trialogue negotiations go well and the draft passes into law sometime later in 2021, the ePrivacy Regulation would take effect across the European Union in 2023.
But this is a big if, since the draft ePrivacy Regulation has already received considerable criticism, notably from Germany’s own data protection authorities.
On March 9, 2021, the European Data Protection Board (EDPB) adopted a statement on the ePrivacy Regulation, underlining that the coming regulation must under no circumstances lower the level of protection offered by the current ePrivacy Directive (which it would repeal and replace), and must complement the existing General Data Protection Regulation (GDPR) by providing additional strong guarantees for confidentiality and protection of all electronic communications.
The EDPB emphasizes in their statement that –
It is still uncertain what the road ahead looks like for the draft ePrivacy Regulation 2021.
The ePrivacy Regulation 2021 is a draft regulation from the EU Council which, if passed into law, will govern all electronic communication on publicly available services and networks from individuals inside the European Union (such as Facebook messages, texts, emails, SnapChats and all other popular electronic communications services). Though not a primary focus of the ePrivacy Regulation, cookies and trackers used on websites are also covered by the legislation and, like the GPDR already mandates, would require explicit consent from users in order to be activated on your website.
The ePrivacy Regulation 2021 is currently in a draft form, finalized on February 10, 2021 by the EU Council. However, the draft ePrivacy Regulation 2021 now moves into trialogue negotiations between the EU Council, the EU Parliament and EU Commission, which might result in the draft passing into law in all 27 EU member states, or it might fail and have to be drafted anew.
There is currently no ePrivacy Regulation effective date, since the February draft is still only a proposal from the EU Council. The draft text states that the ePrivacy Regulation will take effect twenty days after its publication in the EU Official Journal and would start to apply two years later. However, it is hard to estimate a possible ePrivacy Regulation effective date, since the trialogue negotiations can go a lot of different ways, with some EU nations calling for stronger data privacy provisions than is contained in the current draft.
The ePrivacy Regulation 2021 is a sector-specific law that would governs all electronic communications on publicly available services and networks from individuals inside the EU, whereas the General Data Protection Regulation (GDPR) governs the processing of personal data from individuals inside the EU. In this way, the ePrivacy Regulation 2021 would be a lex specialis to the lex generalis GDPR, specifying and particularizing the GDPR’s personal data provisions to the electronic communications sector.