Teal blue header image

The way the cookie crumbles: a look at the new draft e-Privacy Regulation

The European Commission released its draft of the new e-Privacy Regulation on 10 January 2017.

This followed a public consultation on a review of the existing e-Privacy Directive, which governs the protection of personal data in the electronic communications sphere. The aim of the proposal is to bring the law into line with the stricter data protection requirements introduced by the General Data Protection Regulation (GDPR) and to ensure that the legislation reflects changing technologies and user behaviour. The key changes proposed are:

Regulation not a Directive

This is a significant, though unsurprising, change. It means that the law will have direct effect in all EU member states, without the need for implementing legislation. This reflects the Commission's general trend towards harmonising data protection and privacy laws across the EU. Once the legislation is in force, it will have direct effect in the UK whilst the UK remains in the EU. Post-Brexit, if the government follows its position on the GDPR, we can expect the UK to implement laws that closely reflect the regulation. In any case, many UK organisations will still be caught directly thanks to its extra-territorial scope – see below.

Application to OTT providers

The existing law places restrictions on what telcos and ISPs can do with communications data. The regulation extends the applicability of the rules to cover "over-the-top" (OTT) providers as well. This includes providers of communications services that run over the internet, such as Skype, Whatsapp, Facebook Messenger and Viber. This reflects the fact that businesses and consumers are increasingly relying on these types of communications services as well as, or instead of, traditional telecoms services. Machine-to-machine communication (i.e. over the Internet of Things) will also be caught by some of the rules.

Extra-territorial scope

Although the regulation is an EU law, the rules will apply to organisations anywhere in the world that provide electronic communications services to, or gather data from the devices of, users within the EU. This has particular implications for OTT service providers based outside the EU but with significant user bases within the EU, as they will be caught by the rules for the first time.

Uses of communications data

There are already rules restricting what communications service providers can do with the content and metadata relating to communications sent using their services. The new rules continue to require confidentiality of these types of communications, and in particular, metadata must be deleted unless it is needed for billing purposes. However, the regulation proposes that once user consent is given to process communications data, operators will be able to use that data more widely than under the current law.


Website operators will be pleased to hear that the draft regulation proposes simplification of the rules on cookies. User consent will not be required for non-privacy-intrusive cookies that are used to improve a user's internet experience (for example, cookies set to remember an online shopping basket) or cookies that are used to count the number of visitors to a website.

Other cookies continue to require consent from the user. However, under the draft, consent can be obtained through the use of browser settings. Internet browsers must offer cookies settings choices to all users at browser set-up stage. If users consent to cookies through those settings, website providers are entitled to rely on that consent to set cookies. Existing browsers will not need to be updated; the options must be provided at the time of the next browser update (but no later than by 25 August 2018).

Website providers are not obliged to rely on this form of consent and they can continue to rely on the more traditional cookies banners if they prefer. However, given the disruption they can cause to user experience, most operators will certainly be interested in the new option.

Direct marketing

The rules on direct marketing to individuals have not significantly changed under the proposed regulation. Unsolicited electronic marketing communications must not be sent to individuals unless the sender has received the individuals' consent. The main change is that, in order to be valid, consent must be "freely-given, specific, informed and unambiguous". This is a higher bar than under the current law and means that organisations wishing to send direct marketing will need to be specific with users when collecting consents.

It will also come as a relief to many organisations that the draft regulation maintains the current "soft opt-in" exemption to the requirement to obtain opt-in consent. This allows businesses to market to existing customers provided that the marketing relates to similar goods or services to those already purchased and provided customers are given a chance to opt-out when the data is collected and in each subsequent communication.

Another new element in the direct marketing context is the requirement for direct marketing calls to be identified by enabling caller-line identification and by using a specific prefix or code to designate a direct marketing call. This may present practical challenges for businesses which rely heavily on telephone marketing.


The consequences of non-compliance under the proposed regulation are far more severe than under the current law. In the UK, the current maximum fine for a breach of e-privacy law is £500,000. The draft proposes increasing this to €20m or 4% of annual worldwide turnover, whichever is greater. This aligns with the maximum level of fines under the GDPR. Significantly, there will also be a presumption in favour of individuals who have suffered damage (whether or not material) as a result of a breach of the regulation. The presumption means that the breaching company will be presumed to be responsible for that damage unless they can prove otherwise.

Next steps and key implications

The regulation is still in first draft form. It will now need to be approved by the European Parliament and the European Council before being fully implemented into European law, so we may well see some changes along the way. The draft suggests that the Commission is aiming for the regulation to come into force on 25 May 2018 (the same date that the GDPR becomes applicable). It took over four years for the GDPR to be agreed and although this draft is significantly shorter and simpler, there are still contentious elements that may cause delays.

Communications service providers in particular will be interested in the new regulation. However, the rules on cookies and direct marketing are relevant to any organisations wishing to carry out those activities. If this forms part of your business's activities you should keep a close eye on the new law as it develops to ensure that you are in the best position to comply once it is finalised. 

Contributor: Emma Fox

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at March 2017. Specific advice should be sought for specific cases. For more information see our terms & conditions.

Insights & events View all