
It is time for organisations to prepare in advance of the new ePrivacy Regulation coming into force.

In January 2017, the European Commission proposed a new Regulation on Privacy and Electronic Communications. This new ePrivacy Regulation (ePR) will replace the 2002 ePrivacy Directive, known as the ‘cookies law’. The ePR aims to ensure privacy in all electronic communications and, once brought into force, will have implications for all businesses that have a website.

The scope of the new ePrivacy regulation:

The regulation will cover:

  • The content and metadata relating to electronic communications in both transmission and provision of services;
  • Information related to processing, emitting and storage of end users’ terminal equipment;
  • The retrieval and presentation of information on the internet by placing software that allows for electronic communications;
  • Publicly available directories of end users’ information captured through electronic communication services; and
  • Sending or presenting direct marketing communications to end users.

Key impact areas:


The regulation will make rules around cookies and consent clearer and more user-friendly. Responsibility for obtaining consent, and the associated penalties, will now be with the entity that collects, processes and stores end user information.


End user consent will be required for all direct marketing communications, including online behavioural advertising, and withdrawal of consent should be as easy as consenting.


The regulation will cover rules around electronic communications metadata, which is used by most organisations’ websites. The metadata may hold the source and destination of a communication, the location of the device being used, and the date, time, duration and type of communication.

ePrivacy reinforces the principles of the GDPR

  • As with GDPR, there will be a two-tier regime of fines set as a maximum fine amount or a percentage of annual global turnover – whichever is greater. The largest GDPR fine to date is €204.6m.
  • ePR will have an extraterritorial effect which will apply to services provided to or targeting end users within the EU, regardless of where providers are located or processing takes place.
  • The regulation adopts the provisions for consent laid out in the GDPR: consent must be freely given, specified, informed and allowed to be withdrawn at any time.

What’s on your radar?

  • Know which cookies your websites are placing on end users’ terminals
  • Clearly define your cookies and their purpose
  • Put processes in place for opting in to and out of cookies and direct marketing
  • Understand how the metadata of your information is being managed
  • Beware of third-party cookies active on your website going undetected

Get in touch

If you have any related questions or need further information, please get in touch with Michael Daughton or Tom Hyland of our Risk Consulting practice.
