Post-graduate law degree, CIPP/E from the International Association of Privacy Professionals (IAPP). Privacy and Data Protection Research Writer at TermsFeed.
The ePrivacy Regulation will introduce new rules about cookies, direct marketing, and business-to-business (B2B) communications. Online advertisers have lobbied fiercely against many of its provisions. However, the proposals have changed a lot over a series of drafts.
This article gives a detailed overview of the draft law and considers how the final version might look.
ePrivacy Regulation Draft: The Basics
Here's a breakdown of the basics: What the ePrivacy Regulation covers, who has to comply, and where it applies.
What's the difference between a directive and a regulation?
The ePrivacy Regulation is an update to the ePrivacy Directive, first passed back in 2002. What's the difference?
A directive is a law directed at EU Member States. The directive requires Member States to create national laws that give it effect. So, for example, the UK implemented the ePrivacy Directive as the Privacy and Electronic Communications Regulations (PECR). There is usually some variation between the Member State laws implementing a directive.
Unlike a directive, a regulation immediately becomes law in each Member State once it comes into effect at EU level. There's no need for Member States to create national laws to give the regulation effect. There will be less variation among how the law applies across Member States.
What is the current status of the ePrivacy Regulation?
As of early 2022, negotiators have agreed on a draft text, but this may still change. The ePrivacy Regulation is not expected to take effect until 2023, and there will be a 24-month transition period.
Will the ePrivacy Regulation Replace the GDPR?
The ePrivacy Regulation will not replace the GDPR. It's designed to complement the GDPR.
The GDPR provides a broad framework for all activities involving the processing of personal data. The ePrivacy Regulation will show how this framework applies to the area of privacy in electronic communications.
The GDPR and the ePrivacy Regulation should be compatible. But if the ePrivacy Regulation contradicts the GDPR in some way, the ePrivacy Regulation will override the GDPR.
What types of data does the ePrivacy Regulation cover?
The ePrivacy Regulation is about protecting two main things:
- Electronic communications content: "the content exchanged by means of electronic communications services, such as text, voice, videos, images, and sound" (Article 4.3 (b)).
- Electronic communications metadata: the data about electronic communications content, such as where it was sent from, who sent it, and "the date, time, duration, and the type of communication" (Article 4.3 (c)).
Together, these two things are known as "electronic communications data." You send them via an "electronic message" using "e-mail, SMS, MMS and functionally equivalent applications and techniques" (Article 4.3 (e)).
It's important to remember that electronic communications data is not the same as "personal data," about which the GDPR is principally concerned.
Electronic communications data might contain personal data, or it might not. This doesn't affect the rules under the ePrivacy Regulation.
Here's an example of why this matters in practice. Some cookies collect personal data. Some don't. This isn't a relevant consideration under the ePrivacy Regulation. The rules apply to cookies regardless of whether they collect personal data.
However, where electronic communications data does contain personal information, it falls under the scope of the GDPR as well as the ePrivacy Regulation.
What types of activities does the ePrivacy Regulation cover?
The ePrivacy Regulation sets rules about:
- Direct marketing: "Any form of advertising, whether written or oral, sent via a publicly available electronic communications service, directly to one or more specific end-users." (Article 4.3 (f))
- Cookies and similar technologies: Any software or code, including pixels, web beacons, and spyware, that you place on a user's device. The Regulation also sets rules about collecting data from a user's device.
- Security of communications services
- Publicly available directories: Public databases containing information about people, such as their "name, phone numbers (including mobile phone numbers), email address, home address" (Recital 30).
Who does the ePrivacy Regulation apply to?
The ePrivacy Regulation will apply to anyone carrying out the activities in the section above. Broadly speaking, this means:
- Businesses engaged in electronic direct marketing, including emails, messages, SMS, or calls
- People or businesses operating software or websites, who must ensure that such services comply with the Regulation
- Providers of electronic communications services, including:
  - Internet Service Providers (ISPs)
  - Voice over Internet Protocol (VoIP) providers
  - Providers of messenger apps and other "over the top" services
  - Phone service providers
  - Internet of Things (IoT) providers
- Providers of publicly available directories: Anyone wanting to compile a telephone, fax, or email directory.
Where does the ePrivacy Regulation apply?
One of the big changes about the ePrivacy Regulation is that, like the GDPR, it will apply extraterritorially, meaning that people outside of the EU will need to comply with the Regulation under certain conditions.
Article 3 of the ePrivacy Regulation draft sets out the "territorial scope" of the law. It's a little messy in its current form (at page 44):
The rules are actually quite simple. You'll need to comply with the ePrivacy Regulation, regardless of where you're based, if you do any of the following:
- Provide electronic communications services to people in the EU
- Process communications data of people in the EU
- Access information from the devices of people in the EU
- Offer publicly available directories of people in the EU
- Send direct marketing communications to people in the EU
Note that the countries in the European Economic Area (EEA), which consists of the EU Member States plus Iceland, Liechtenstein, and Norway, will also be party to the ePrivacy Regulation. This means the rules will also apply to people in those countries.
Will the ePrivacy Regulations apply in the UK?
The short answer is "no," the ePrivacy Regulation will not apply in the UK. The Regulation will be an EU law, and the UK is no longer an EU Member State, nor is it part of the EEA.
However, the UK is seeking an adequacy decision from the EU, which would allow for easier cross-border data flows between the two jurisdictions.
Obtaining and maintaining an adequacy decision will require the UK to maintain EU-equivalent data protection and privacy standards. This means that, in order to achieve "data adequacy," the UK may adopt many of the ePrivacy Regulation's legal requirements into its own law.
Also, bear in mind that many businesses in the UK will be required to abide by the ePrivacy Regulation whenever they are dealing with end-users in the EU. Therefore, whether or not the Regulation is adopted into UK law, an understanding of the ePrivacy Regulation's requirements will be essential for many UK businesses.
How will the ePrivacy Regulation be enforced?
The draft ePrivacy Regulation sets a system of fines very similar to that present in the GDPR, namely:
- Less serious violations will result in a penalty of up to 2% of annual worldwide turnover, or up to €10 million (approx. $11.8 million), whichever is greater.
- More serious violations will result in a penalty of up to 4% of annual worldwide turnover, or up to €20 million (approx. $23.6 million), whichever is greater.
These fines will be imposed (or prosecuted in court) by the EU's Data Protection Authorities (DPAs). A range of non-financial penalties will also be available.
What Would the Draft ePrivacy Regulation Require?
Now let's look at some of the rules imposed under the draft ePrivacy Regulation.
Privacy of Communications
The basic rule imposed by the ePrivacy Regulation is that all communications must be confidential. This means providers of communications services must not "eavesdrop" on communications.
However, the Regulation provides for exceptions where electronic communications data may be intercepted or accessed.
Processing Communications Data
Providers of electronic communications services may process communications data where it is necessary to:
- Ensure communications systems are secure (Article 6.1 (c))
- Identify whether malware is present (Recital 16)
- Safeguard against threats to public security where permitted by national law (Article 6.1 (d))
Such interference with communications must always be proportionate and subject to a full assessment of people's rights and freedoms.
Processing Communications Metadata
The Regulation is more liberal with the processing of communications metadata, which can be processed where it is necessary to:
- Manage or optimize networks (Article 6b.1 (a))
- Meet technical quality of service requirements (Article 6b.1 (a))
- Perform contractual obligations, such as billing, calculating payments, detecting or stopping subscription fraud or abuse (Article 6b.1 (b))
- Fulfill one or more specified purposes, with the user's consent (Article 6b.1 (c))
- Protect a person's vital interests (this may include monitoring the spread of epidemics) (Article 6b.1 (d))
Processing for Research or Statistical Purposes
There are certain conditions under which you may process communications metadata for scientific or historical research or statistical purposes. These rules are set out at Article 6b.1 (e)-(f) and Article 6b.2a-2.
In the case of communications location metadata, such processing is permitted if the data has been pseudonymized and:
- You cannot achieve such processing using data that has been anonymized
- You anonymize or erase the data once you no longer need it
- You're not using the data to build a profile about the user
- You do not share the data with a third party unless it has been anonymized
In the case of communications metadata other than location data, such processing is permitted subject to national law and with appropriate safeguards in place, including encryption and pseudonymization.
Such metadata may also be processed for producing "official national European statistics."
Cookies and the Draft ePrivacy Regulation
Basic Rules on Cookies
Under the draft ePrivacy Regulation, the basic rules on cookies remain in place from the ePrivacy Directive. Here's the relevant section of that law, at Article 5:
Under the ePrivacy Directive, you must request GDPR-compliant consent for all cookies, except for those that are:
- "(Used) for the sole purpose of carrying out the transmission of a communication over an electronic communications network"
- "Strictly necessary in order to provide an information society service explicitly requested by the subscriber or user to provide the service"
Some of the following activities might necessitate these types of cookies:
- Shopping carts
- Security (with strict limits on duration)
- Media playback
- UI customization
- Social media plug-ins
You don't need to get consent for these types of cookies. There are strict caveats here, however: The cookies in question must be limited in duration and fulfill a specific purpose.
The recitals of the ePrivacy Regulation provide some interesting insights into how the types of cookies requiring consent might change.
For example, Recital 21a refers to cookies used "in assessing the effectiveness of... website design and advertising" or by "helping to measure the numbers of end-users visiting a website" as being "a legitimate and useful tool."
The ePrivacy Regulation contrasts these types of cookies with those "used to determine the nature of who is using the site," which "always require the consent of the end-user."
This suggests that counting unique page visits or ad impressions may not require consent under the ePrivacy Regulation.
Cookie Walls
A cookie wall is a cookie banner that denies a visitor access to a website unless the visitor consents to cookies.
Here's an example from Drugs.com:
With the cookie wall in place, the site isn't accessible beneath the cookie consent mechanism. To use the website, a visitor must consent to advertising cookies. Drugs.com does inform the visitor that they can opt out once they've consented.
Here's what happens if the visitor clicks "Disagree":
Why are cookie walls a problem?
There are mixed views on cookie walls. On one hand, many consumers might be willing to "trade" their personal data for access to an online service. Also, many businesses depend on advertising revenue. This revenue can be increased by using tracking technologies.
On the other hand, such consent mechanisms do, arguably, contradict the GDPR's requirements around consent. There's a good reason to define consent as freely given. Recital 42 of the GDPR says that:
"Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment."
The European Data Protection Board has issued a statement on cookie walls, arguing that consent obtained via a cookie wall is not valid.
The draft ePrivacy Regulation would nevertheless allow cookie walls under certain conditions. The difficulty with this is that a cookie wall, which won't let you access a website or service until you agree to cookies, doesn't meet the GDPR's definition of "consent," which refers to a "freely given" action.
Court rulings, data protection authority decisions, and May 2020 EDPB guidelines all make it clear that cookie walls are not allowed under the ePrivacy Directive and the GDPR. Access to services cannot be made conditional on consent to cookies.
This could change under the ePrivacy Regulation, which proposes the legalization of "cookie paywalls."
Recital 20aaaa (yes, that's 20 followed by four "a"s) envisions a model whereby access to a website could be made conditional on consent to cookies, if there is an "equivalent offer by the same provider that does not involve consenting to data use for additional purposes," which may require monetary payment.
The Washington Post already operates such a "cookie paywall" model:
While the Post's consent solution is problematic under the current rules, it appears that it would be allowed under the draft ePrivacy Regulation.
Browser Whitelisting
The ePrivacy Regulation deals with the issue of "cookie fatigue," a phenomenon that can lead to people frivolously agreeing to cookies because they are asked to do so so frequently. As Recital 20a of the Regulation says: "This can lead to a situation where consent request information is no longer read and the protection offered by consent is undermined."
To attempt to resolve this, the draft ePrivacy Regulation seeks to allow users to provide consent en masse, by "whitelisting one or several providers for their specified purposes" in their browser or device.
This arguably undermines the GDPR's requirement that consent is "specific," but it will likely be popular among those users feeling "fatigued" by cookie consent banners.
Internet of Things
The ePrivacy Regulation specifically addresses IoT devices, providing a few basic rules and principles about their development and deployment:
The "use of the processing and storage capacities" of an IoT device and "access to information stored therein" should not require consent if "such use or access is necessary for the provision of the service requested by the end-user" (Recital 21).
The Regulation gives the example of a smart meter: you need to access information stored on the device for the purpose of maintaining the "stability or security of the energy network" and for "billing the end-users' energy consumption."
To use or access information stored on IoT devices for any purposes that are not "necessary for the provision of the service requested by the end-user," you'll need to obtain consent.
The ePrivacy Regulation and Direct Marketing
The ePrivacy Regulation is set to bring electronic marketing under a single framework across the whole EU.
For the purposes of this section, "electronic marketing" or "marketing communications" means marketing via email, messaging services (such as WhatsApp and Facebook Messenger), fax, and SMS.
Electronic Marketing Without Consent
Some people believe that the GDPR requires consent for practically all processing of personal data. This isn't true. Consent is only one of the six lawful bases for processing personal data under the GDPR.
The Soft Opt-In
The current law allows for a "soft opt-in." This allows businesses to send consumers direct marketing communications without consent under certain conditions.
Under the GDPR and the ePrivacy Directive, it's possible to send marketing communications under the lawful basis of "legitimate interests." This is normally only allowed under certain conditions:
- The person has made a purchase from you
- They gave you their contact details
- They had the opportunity to opt out when they gave you their contact details
- You send an "unsubscribe" mechanism with every marketing communication
Under some Member States' laws, it's also possible if the person has entered into "pre-contract negotiations" for a sale (subject to the last three of the above conditions).
Before you can rely on the lawful basis of legitimate interests, you'll also need to conduct a Legitimate Interests Assessment.
Will the soft opt-in survive?
Early drafts of the ePrivacy Regulation suggested that businesses would no longer be allowed to rely on legitimate interests for direct marketing. This would have meant that all electronic direct marketing would require opt-in consent.
This is not the case in the most recent two drafts. There is a clear mechanism allowing for a soft opt-in. This means that businesses will continue to be able to send marketing communications to their existing customers, without consent, where the soft opt-in conditions are met.
There is no mention of "pre-contract negotiations" in the proposals. This sounds like a minor omission. However, it could be significant in countries, like the UK, where national law allows businesses to send marketing communications to potential customers under certain circumstances.
To put that into context, take a look at this email from Coffee Compass:
This email alerts the customer that they have not completed a sale that they may have intended to complete. This sort of marketing email is permitted under the ePrivacy Directive in some EU Member States, even if the customer has not previously made a purchase from the company.
Under the proposed ePrivacy Regulation, communications like this would no longer be allowed without consent, unless the customer previously had made a purchase from the company.
The proposals could also make the soft opt-in narrower. Member States will be able to assign a time-limit, beyond which companies would not be allowed to rely on the mechanism.
This would mean that if you sold a person something a long time ago, you would no longer have the right to send them marketing communications without their consent. Member States could each define how long this period would be under their national law. After this time limit elapses, you'll need to remove the customer from your marketing lists or obtain their consent.
B2B Direct Marketing
The ePrivacy Regulation would expand into some uncharted territory: the realm of business-to-business (B2B) marketing.
Summary
The ePrivacy Regulation would:
- Apply to the processing of electronic communications content and metadata
- Apply to anyone processing the electronic communications data of end-users in the EU
- Impose fines of up to 4% of annual worldwide turnover or €20 million ($23.6 million)
- Require consent for the processing of most communications data except for certain limited security, national security, health, and research purposes
- Allow cookie walls as long as a paid alternative to cookies is provided
- Allow end-users to whitelist cookies from certain providers
- Set rules about consent regarding IoT devices