ePrivacy Regulation | Risk Advisory | Deloitte Netherlands


ePrivacy Regulation

The current state of play

After many years, it seems that the long-debated ePrivacy Regulation might be closer to a breakthrough than ever, which will have serious implications for companies that advertise online. Are you curious about how the ePrivacy Regulation could affect your organization? Keep on reading!


Just as organizations had the sense that they had grasped what they are required to address under the GDPR, a draft of the EU’s proposed ePrivacy Regulation appeared last year. As a reminder, with the ePrivacy Regulation, the EU aims to strengthen the online privacy of citizens. It specifies what forms of electronic information enjoy its protection and how businesses can use such data. It introduces rules on cookies, direct marketing, and business-to-business communications and will replace the outdated ePrivacy Directive from 2002.

Although the first draft of the ePrivacy Regulation was presented by the EU Commission in January 2017, it has been stuck in the legislative process ever since. Initially, the intention was for it to enter into effect at the same time as the GDPR. Years in, there still is no agreement on a final text. EU Member States simply have not been able to agree on topics such as the ePrivacy Regulation’s scope, the interplay with the GDPR, and rules on device tracking and cookies.

After many years of going back and forth, the EU Council has finally succeeded to convince EU Member States of its proposal. Trilogue negotiations (between the European Commission, European Parliament, and Council) started after the EU Council’s new draft proposal was published on 10 February 2021. The final amendments are now being made.

Key elements of the ePrivacy Regulation

The ePrivacy Regulation sets out that interference with electronic communications between individuals is prohibited unless a listed exception is applicable.

In addition, the Regulation offers some ground rules for when data may be processed, with, for example, the use of pseudonymized or anonymized data. According to the ePrivacy Regulation, content is “anonymous” when no natural person or legal person can be identified. In that case, the ePrivacy Regulation will not apply. Content is “pseudonymous” if it is possible to identify a natural person or legal person with additional information. In this case, the ePrivacy Regulation will still apply.

Some of the key elements of the ePrivacy Regulation are:

Choice for a Regulation: Like the GDPR, the new legislation will take the form of a Regulation, meaning it will harmonize rules across the EU and will have a direct effect in all EU Member States, without them having to transform it into national legislation as was the case with the ePrivacy Directive.

Territorial scope of the ePrivacy Regulation: The ePrivacy Regulation will apply to “electronic communications content” (e.g. exchanged content such as text, voice, videos and, images) and “electronic communications metadata” (e.g. data used to trace the source and destination of a communication, data on the location of a device generating communications, the data, time, duration and type of communication). It also applies to legal entities. The scope of the ePrivacy Regulation is thus broader than that of the GDPR, which applies only to the personal data of natural persons.

Scope extension to new forms of communication: Whilst the ePrivacy Directive applies only to traditional communications services providers (e.g. fixed telephone lines and SMS), the ePrivacy Regulation will also cover so-called over the top (OTT) services (e.g. WhatsApp and Skype), e-mail services, and machine-to-machine transmissions (e.g. IoT devices). The Regulation applies to transmissions carried out via a publicly available electronic communications service or network.

Cookie walls and opt-outs: Rules on the use of cookies will be more strict, compared to the ePrivacy Directive. In principle, the use of cookies is prohibited by Article 8 of the ePrivacy Regulation, unless a listed exception can be used such as:

  • Cookies are “necessary for the sole purpose of providing an electronic communication service”,
  • Cookies are “necessary for providing a service specifically requested by the end-user”,
  • Cookies are necessary for the sole purpose of “audience measuring”, and
  • Consent has been acquired.

Consent is required when cookies are used for advertising purposes or personalizing a website, for instance. Pre-ticked boxes (where users have to untick boxes to get rid of optional cookies) should not be used and cookie walls (blocking access to a website, unless a user agrees with the use of cookies) can only be used if website visitors are offered a free and genuine choice between services on the basis of clear, precise and user-friendly information (e.g. choosing between access to website content against monetary payment or consenting to the use of cookies).

Unsolicited and direct marketing: The ePrivacy Regulation does not allow natural persons or businesses to use electronic communications services for direct marketing purposes unless they have obtained prior consent. This means that a webshop cannot send unsolicited advertisements through e-mail to end-users. If prior consent is provided by an end-user, withdrawal of that consent must not be more difficult than providing consent.

Infringements and enforcement: As is already the case with GDPR-infringements, organizations may face substantial fines if they do not abide by the ePrivacy Regulation. Similar to the GDPR, fines may amount to EUR 20 million or 4% of the total worldwide annual turnover. In the Netherlands, the “Autoriteit Persoonsgegevens” will be tasked with monitoring compliance and issuing fines.

More information?

For more information about ePrivacy, please do not hesitate to contact Annika Sponselee or Nicole Vreeman via the contact details below.

Did you find this useful?