Logo Logo

Cookiebot helps make your use of cookies and online tracking GDPR and ePR compliant. The General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePR) affect how your website may use cookies to track your visitors from the EU.


Try our free compliance test to check if your website’s use of cookies and online tracking is GDPR/ePR compliant.

The EU ePrivacy Regulation and Cookies - What do I need to do?

Updated July 13, 2020.

Right behind the General Data Protection Regulation (GDPR), another EU law on personal privacy and data protection is in the making.

The ePrivacy Regulation, which originally should have been finalized on the date of the enforcement of the GDPR, 25 May 2018, is now due to be approved sometime in 2020, with the implementation date yet to be seen.

What is the new EU ePrivacy Regulation about? How does it relate to the GDPR and the cookie directive (ePrivacy Directive) that it will replace? Why do we need two sets of EU legislations on the subject? What are the requirements of the ePrivacy Regulation? What will it mean for your website’s use of cookies, and how can you prepare for it?

Find the answers below.

What is the ePrivacy Regulation?

The proposal for a Regulation on Privacy and Electronic Communications, also known as The ePrivacy Regulation, is a law in the making by the EU Commission.

Its purpose is to ensure the “respect for private life, confidentiality of communications and the protection of personal data in the electronic communications sector” in the EU.

Once applied, the ePrivacy Regulation will replace the ePrivacy Directive from 2002.

Many might know the ePrivacy Directive by its nicknames, the cookie law or cookie directive (one of its most noticeable impacts being the cookie consent pop-ups, that made their appearance on most websites in its wake).

Read more about the ePrivacy Directive (aka the EU cookie law or cookie directive) here.

Once the ePrivacy Directive is replaced by the ePrivacy Regulation, the legislation will automatically apply in all EU nations.

That, in fact, is the key difference between a regulation and a directive: Whereas regulations automatically become legally binding throughout the EU on the date they take effect, directives must be incorporated into national law by EU countries.

With a directive, the countries are required to achieve a certain result, but are free to choose how to do so. However, the Regulation is not simply a stronger version of the Directive. 

In other words, a cookie regulation will replace a cookie directive.

The proposed Regulation is based on a thorough evaluation of the Directive, and addresses shortcomings in the Directive on the one hand, and digital and legislative developments (such as the GDPR) that have occurred since its last revision in 2009, on the other.

So far, two drafts have been published: the European Commission’s and the European Parliament’s.

National governments in all 27 European countries (including the UK) have had the opportunity to react to the proposed Regulation.

Currently, the EU Commission, the EU Parliament and the EU Council are discussing in so called “trialogue negotiations”, what will become the finalized and official Regulation text.

The ePrivacy Regulation, originally planned to be approved simultaneously with the enforcement of the GDPR, will probably be finalized sometime in 2020.

Thereafter, a period of adaptation will follow, before the ePrivacy Regulation is actually enforced as EU law.

Just like the GDPR, which was approved upon on 14 April 2016, and enforced two years later, on 25 May 2018.

Try Cookiebot free for 30 days... or forever if you have a small website.

In doubt whether your website is GDPR compliant? Test with Cookiebot's free compliance test.

What does the ePrivacy Regulation mean for my use of cookies?

Cookies are an important matter - and a matter of dispute - in the negotiations concerning the final phrasing of the ePrivacy Regulation.

The proposed Regulation attempts to address the “consent fatigue” caused by the Cookie Law.

ePrivacy Directive and cookies

The problem with consent in the EU cookie law or cookie directive, officially known as the ePrivacy Directive being, is that it has been interpreted in most countries as a requirement for a simple consent banner like the following:

This has proved to be highly ineffective, because:

  1. most people don't know what they are agreeing to when they tick the box,
  2. too many requests for consent annoy and overwhelm users, that end up ignoring the requests or just accept without thinking,
  3. no response is interpreted as consent.

The Regulation is therefore attempting to make changes to the way in which trackers may ask for consent for setting cookies and tracking users.

The evaluation of the ePrivacy Directive (you know, the EU cookie law or the cookie directive) concludes that the current consent rule is both over-inclusive and under-inclusive:

ePrivacy Regulation and cookies - how can I prepare for the new EU ePrivacy Regulation?

As mentioned above, the final word is yet to be said about the direct implications of the ePrivacy Regulation for website owners and their use of cookies.

However, here is a list of requirements for cookies and online tracking from the latest draft.

Get wiser on what a cookie solution means for your website here.

Those readers familiar with the requirements in the GDPR will notice redundancies. In fact, many of the rules in the ePrivacy Regulation are similar to the ones described by the GDPR.

In fact, as we describe later in this article, the ePrivacy Regulation will, once enforced, complement (and override!) the GDPR when it comes to cases within the electronic communications sector.

When will the ePrivacy Regulation be enforced?

The ePrivacy Regulation was originally aimed to be approved in the EU together with the implementation of the GDPR, on 25 May 2018.

However, this schedule quickly proved to be too ambitious.

At the last notice, the Regulation will be finalized sometime in 2020.

Thereafter, a period of adaptation will follow, before the regulation is applied.

If we dare to take the process of the GDPR as an example, one might guess that the ePrivacy Regulation will enter into force in 2021.

However, indications are that the ePrivacy Regulation will be even more encompassing and restrictive than the GDPR when it comes to preventing tracking and protecting personal data on the internet.

It is therefore being met by strong voices of criticism for counteracting the internet economy and crippling entire sectors, such as the publishers’ and digital media.

Timeline and update: What is the status of the ePrivacy Regulation?

2020: Implementation

The ePrivacy Regulation will again be worked on by both the Croatian EU presidency in February, and likely the German in the last half of 2020.

It is expected that the ePrivacy Regulation will be implemented in 2020.

10 January 2017: Presentation of first draft by the EU Commission

The first official draft of the new ePrivacy Regulation is presented by the EU Commission.

The proposed Regulation should replace the ePrivacy Directive (Directive 2009/136/EC) and clarify and supplement the GDPR, with regard to personal electronic communications data. This draft of the planned ePrivacy Regulation is forwarded to the EU Parliament and Council.

19 October 2017: Adoption of draft in the EU Parliament

After lengthy negotiations, the LIBE Committee responsible for the ePrivacy Regulation in the EU Parliament votes on the draft. Much to the surprise of the online industry, the draft, virtually unchanged, is adopted by the EU Parliament one week later. At the same time, the EU Council also discusses the draft in a working group. Member States are invited to submit their opinions by 14 August 2017.

2018 and 2020: Trialogue negotiations between the Commission, Parliament and the Council

With the adoption of the draft by the EU Parliament, the mandate for the next procedural step - the EU Parliament's negotiations with the EU Council - is given.

The so-called trialogue negotiations between the Commission, Parliament and the Council are to be concluded in 2020. 

The negotiations are a complex and lengthy matter with many voices.

To get a picture of some of the agents and their draft proposals, see this illustration by the European Union of the legal road towards an ePrivacy Regulation. 

Where can I find the latest draft of the ePrivacy Regulation?

The official draft of the ePrivacy Regulation and its annexes can be found on the homepage of the European Commission.

On this page of the regulation-work-in-progress, you can see

What is the difference between the ePrivacy Regulation and the GDPR?

The ePrivacy Regulation is a lex specialis to the General Data Protection Regulation, meaning that it complements the GDPR with specific rules that apply specifically to the electronic communications sector.

As lex specialis, it overrides the GDPR in the specific areas that it covers.

There are two legal instruments because they are derived from two different rights in the European Charter of Fundamental Rights:

The GDPR covers the right to protection of personal data, while the ePrivacy Regulation encompasses a person’s right to a private life, including confidentiality.

What is the scope of the ePrivacy Regulation vs the GDPR?

The GDPR is focused on defining and protecting personal data, e.g. health data, whether paper-based or electronic. The ePrivacy Regulation, on the other hand, particularizes GDPR for electronic communications and focuses on devices, processing techniques, storage, browsers etc.


What is the ePrivacy Regulation?

The ePrivacy Regulation (ePR) is an upcoming EU-wide law that will ensure data privacy in the electronic communications sector inside the European Union. The ePR is expected to particularize the personal data protection standards of the GDPR to electronic communication.

Test for free to see if your website is compliant with EU data privacy requirements

When will the ePrivacy Regulation be enforced?

The ePrivacy Regulation (ePR) is still being drafted in trialogue negotiations between the EU Commission, EU Parliament and the EU Council. It is expected that the ePrivacy Regulation will enter into force in 2021, but nothing is certain yet. Until then, the ePrivacy Directive and the General Data Protection Regulation (GDPR) is in place.

Try Cookiebot free for 30 days… or forever if you have a small website

What is the GDPR?

The General Data Protection Regulation (GDPR) is an EU-wide law that governs the processing of personal data of individuals inside the European Union. It took effect in May 2018 and requires websites to ask for and obtain the explicit consent from users before being allowed to process their personal data.

Learn more about the GDPR and cookie consent

What is the ePrivacy Directive?

The ePrivacy Directive is an EU directive that governs what websites, companies and service providers are allowed to do with user data, how they must handle it, how they are allowed to share it and for what purposes. It is also nicknamed the EU cookie law.

Learn more about the ePrivacy Directive


European Commission: Proposal for a Regulation on Privacy and Electronic Communications

Nice infographic illustrating the Trialogue Negotiations of the ePrivacy Regulation

ePrivacy.eu: Timeline info

i-SCOOP: The new EU ePrivacy Regulation: what you need to know

Digiday.com: On the consequences of the ePrivacy Regulation for advertisers, websites, browsers, etc.

Privacytrust.com: Simple explanation of the difference between GDPR and ePrivacy

Martechtoday: On the differences between the GDPR and the ePr

Marketingweek: About ePrivacy

Medium.com: Good article about consent

Publishers' joint campaign against the ePrivacy Regulation

IAPP: What happens to the ePrivacy under the Romanian presidency?

The road towards an ePrivacy Regulation

New Google Consent Mode 

Cookiebot integrates perfectly with the new Google Consent Mode.

Make your website’s use of cookies and online tracking compliant today

Try for free