Here comes the European ePrivacy Regulation – the GDPR’s forgotten sibling

7 Feb 2018

Posted by Richard Madigan

It’s fair to say that we’ve all heard about the GDPR. This new regulation and all the requirements that come with it have dominated blogs and news feeds across the EU as businesses scramble to prepare for the May deadline.

However, in the background, the European Commission have something else waiting in the wings that isn’t getting the same sort of coverage but is no less important – the ePrivacy Regulation.

What is it?

There is currently an ePrivacy Directive in existence (implemented in the UK as the Privacy and Electronic Communications Regulations 2011), much like the predecessor to the GDPR. However, just as with the GDPR, it is dated and doesn’t cater to the new and emerging channels and digital ecosystems. This new ePrivacy Regulation will repeal the previous directive and, as it is a “Regulation”, will apply directly across EU markets when it comes into force.

The ePrivacy Regulation will work in tandem with the GDPR, enhancing it in light of technological developments (specifically the “Internet of Things”). The Regulation is designed to complement the GDPR to ensure that internet users have control over all their data and to ensure that businesses handle data with the greatest care. It also comes with those same hefty fines.

As we know, the GDPR comes into force on May 25th, 2018, and the intention is that this Regulation would come into force alongside it. However, it is important to note that the Regulation has not yet been finalised – more on that later.

What does the law cover?

The previous Directive was often referred to as the “cookies law”. This new Regulation has a much broader scope and stretches out from cookies to handle a number of other aspects. It’s early days so we can’t cover everything but here are the key parts of the regulation.


Cookies

Cookies are a key part of this regulation and are also one of the most contested aspects, particularly from various parties within the digital advertising sector who have raised warning flags over the perceived inefficiencies and reduced revenue that this could introduce.

In short, the proposal is to do away with the annoying cookie banners that have plagued sites for several years and move the privacy notices into the browser. If the ePrivacy Regulation has its way, you will be able to select your default privacy settings when setting up the browser and then maintain them through the browser from then on.

Already there is a big plus point – who likes the cookie banners anyway? But then there’s the reality. When people are consenting to the use of cookies through those banners they are giving you licence to push on with the all-important digital marketing features to enhance that customer experience. If the customer is blocking these from the off through their browser, how do we convince the customer to change their mind? The real danger here is that we could be introducing a wave of new, intrusive privacy notices to replace those cookie banners – damaging the customer experience in the process.

That aside, there’s still some clarification needed on which cookies count. It’s been suggested that cookies required for analytics or for improving the site experience may not be counted but until we see the final Regulation, there’s nothing guaranteed.

Electronic communications

Another major part of the regulation is around electronic communications. The previous directive covered the typical communications channels of the time, e.g. emails. However, the new regulation expands this significantly to encompass the Over-The-Tops (e.g. social media messaging services such as WhatsApp) and Voice Over Internet Protocol providers (e.g. video and audio services such as Skype).

The aim is to provide more stringent consents over these channels – both for the content of the communications and the metadata (data processed by the electronic communications network for the purpose of transmitting, distributing and exchanging the content) attached to those communications. There are layers of consent attached to both the content and the metadata to ensure that these channels are not only safeguarding the content of the communications but also only retaining the required metadata for as long as is needed to complete the service.

Soft opt-in

The soft opt-in (consent isn’t required if you are sending someone a marketing message about similar products and services) is sticking around, although it can only be retained in limited circumstances (e.g. sending promo messages to existing customers to offer similar products or services, or in the context of the sale of a product or service). Much of this hinges on the legitimate interests processing condition.

However, the opportunity to opt-out through unsubscribe messages and interactions still needs to be available.

B2B Consent

One of the most ambiguous aspects of the regulation is around B2B marketing communications and whether consent is required when it comes to corporate email addresses. If it is a named corporate email address then surely this falls within the personally identifiable data outlined by the GDPR?

It seems there is a choice to be made by B2B marketers over whether to seek out consent or whether to hedge their bets on legitimate interest.

Like many aspects of the regulation, it is still early so we’ll need to keep our eyes peeled to see how this aspect pans out.

What do we do about it?

There are some industries that have been pretty vocal about the potential impact of this regulation and the debate is likely to rumble on for some time to come.

From an agency perspective, there are various aspects of this regulation that will need to be factored into what we do and how we work but the cookies element is an important one. Banners aside, we need to consider the potential impact of this on even simple activities like A/B testing. There are some important decisions on the horizon and we for one will be keeping a close eye on how this develops.

Having said all of that, it is important to recognise that the regulation has not yet been finalised. The initial proposal emerged in January 2017 and the first revised draft was submitted on September 8th, 2017. It took a long time to get the GDPR passed through so there are concerns across the board about the EC’s proposed launch date.

The industry’s key focus right now is GDPR and on working towards compliance across sites given the hard stop in May 2018. However, we need to keep this forgotten sibling in the corner of our eye. 
