Data Protection Reform: ePrivacy Regulation - what are the new cookie laws?

In our previous articles we considered the key changes under the General Data Protection Regulation (GDPR) and what steps organisations should be taking to prepare. Here we summarise the key changes of the draft E-Privacy Regulation (the "Regulation").


The Regulation states that it shall apply from 25 May 2018 - the same date the GDPR comes into effect. The Regulation is designed to align with the new, stricter privacy rules in the GDPR, particularly the requirements for valid consent.


Elements of the regulation will apply to any organisation that uses cookies or carries out online marketing.

The draft Regulation applies to all providers of electronic communications services in the EU, and non-EU providers of such services to EU residents.

It applies to over-the-top service providers, such as Whatsapp and Skype, and internet of things devices to the extent that such connected devices process personal data.


Content data and metadata
The draft Regulation creates specific rules for processing content data and metadata derived from electronic communications (e.g. time of a call and location). Essentially these will need to be anonymised or deleted if users have not given their consent, unless the data is required for specific requirements (e.g. billing).

The rules on cookies are being simplified. In short, consent is still needed unless using the cookie is necessary for the sole purpose of carrying out the communication, or strictly necessary and proportionate for the legitimate purposes of enabling the use of a specific service requested by the end-user. No consent will be required for cookies that improve internet experience and do not impact on privacy (e.g. remembering shopping cart history) nor for cookies that are used to analyse visitor numbers. Third-party cookies will require consent but this can be provided through browser settings, provided the consent meets GDPR requirements.

For business-to-consumer communications, the sender must obtain opt-in consent from individuals for direct e-marketing purposes. Consent will not be required when marketing similar products and services, although individuals must be granted the right to object.

For business-to-business communications, the draft Regulation leaves it to Member States to ensure that the legitimate interest of corporate end-users are sufficiently protected from unsolicited communications. Any consent given for direct marketing can be withdrawn at any time.

Individuals will need to opt-in to receiving marketing calls, unless national laws provide otherwise. This could represent a change from the current position under UK law, which permits non-automated marketing calls unless the individual has opted out.


Like the GDPR, breaches of the proposed Regulation can attract fines of up to 4% of annual global turnover.

Send us a message