The ePrivacy Regulation

The ePrivacy Regulation: what you need to know

IS Consult Service consultants can help you assess, implement and operate with ePrivacy regulation requirements in your actual business case.

The ePrivacy Regulation is an EU regulation on the data protection of electronic communications within the European Union.

Unlike a directive, a regulation immediately becomes law in each member state once it enters into force at EU level. Member States are not required to enact national laws to give effect to the Regulation.

Its full name is "Regulation of the European Parliament and of the Council on respect for privacy and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on privacy and electronic communications)."

The ePrivacy Regulation will not replace the GDPR. It is designed to complement the GDPR. The European ePrivacy Regulation is the "lex specialist" to the General Data Protection Regulation (GDPR). This is a Latin phrase meaning "law governing a particular matter". The ePrivacy Regulation is complementary legislation to the General Data Protection Regulation (GDPR).

What types of data does the ePrivacy Regulation cover?

The ePrivacy Regulation protects two main things:

  1. Content of electronic communications: "the content exchanged through electronic communications services, such as text, voice, video, images and sound" (Article 4.3 (b)).
  2. Metadata for electronic messages: the data about the content of electronic messages, such as: where it was sent from, who sent it, "date, time, duration. and type of communication" (Article 4.3 (c))

Some cookies collect personal data. Some don't. This is not a relevant consideration under the ePrivacy Regulation. The rules apply to cookies regardless of whether they collect personal data. However, when electronic communication data contains personal information, it falls under the GDPR as well as the ePrivacy Regulation.

What types of activities does the ePrivacy Regulation cover?

The ePrivacy Regulation sets out rules on:

  • Direct marketing: "Any form of advertising, written or oral, sent through a publicly available electronic communications service directly to one or more specific end users." (Article 4.3 (f))
  • Cookies and similar technologies: Any software or code, including pixels, web beacons, spyware, that you place on a user's device. The regulation also sets rules for collecting data from the user's device.
  • Security of communication services
  • Publicly accessible directories : Public databases containing information about people, such as their "names, telephone numbers (including mobile telephone numbers), e-mail address, home address" (Recital 30).
  • Internet of Things (IoT) vendors.

Who does the ePrivacy Regulation apply to?

The ePrivacy Regulation applies to anyone who carries out the activities described above. Broadly speaking, this means:

  • Businesses engaged in electronic referral marketing, including emails, messages, SMS, or calls.
  • Developers creating software or websites, insofar as they use cookies and similar technologies.
  • People or businesses operating software or websites who must ensure that these services comply with the Regulation.
  • Providers of electronic communication services, including:
    • Internet Service Providers (ISPs)
    • Voice over Internet Protocol (VoIP) providers
    • Providers of messenger apps and other "over the top" services
    • Telephone service providers
    • Internet of Things (IoT) vendors.
  • Providers of publicly available directories: Anyone who wants to compile a telephone, fax or e-mail directory.

Where does the ePrivacy Regulation apply?

One of the big changes in the ePrivacy Regulation is that, like the GDPR, it also applies outside the EU, meaning that people and companies outside the EU must comply with the Regulation under certain conditions if they want to make business with European Union.

You will need to comply with the ePrivacy Regulation, regardless of where you are located, if you provide the following services:

  • Provision of electronic communication services to people in the EU
  • Process communication data of people in the EU
  • Access information from people's devices in the EU
  • Offer publicly available directories of people in the EU
  • Send direct marketing messages to people in the EU

Note that countries in the European Economic Area (EEA), which consists of the EU member states plus United Kingdom, Iceland, Liechtenstein and Norway, are also parties to the ePrivacy Regulation. This means that the rules will also apply to people in those countries.

How does the ePrivacy Regulation apply?

The ePrivacy Regulation sets out a system of fines very similar to that in the GDPR, namely:

  • Less serious violations will result in a fine of up to 2% of annual worldwide turnover or up to €10 million, whichever is greater.
  • More serious violations will result in a fine of up to 4% of annual global turnover or up to €20 million, whichever is greater.

These fines will be imposed (or prosecuted) by EU data protection authorities (DPAs). There will also be a range of non-financial sanctions.


Companies have the following commitments to the Regulation:

  • carry out data protection impact assessments;
  • to consult with the relevant supervisory authority;
  • apply appropriate security measures;
  • provide information to end users about data processing activities and the right to object to such data processing;
  • not share metadata or information collected through the use of cookies or similar technologies with third parties, unless it is anonymous.

The ePrivacy Regulation in short:

  • Applies to the processing of content and metadata of electronic messages
  • Applies to anyone processing electronic communications data of end users in the EU
  • Impose fines of up to 4% of annual worldwide turnover or €20 million
  • Require consent for the processing of most communications data, except for certain limited security, national security, health and research purposes
  • Allows cookie walls if a paid cookie alternative is provided
  • Allows end users to trustlist cookies from certain vendors
  • Sets consent rules regarding IoT devices

Our ePrivacy services that we can provide you with:

What can we do for you and what services do we offer in regards to ePrivacy COM/2017/010 Final - 2017/03 (COD) Directive 2002/58/EC (Regulation on privacy and electronic communications)?

  1. Comprehensive audit and diagnosis of your compliance with the ePrivacy Directive. (ePrivacy audit type of gap analysis)
  2. Consulting on already discovered inconsistencies and the easy handling of all of them.
  3. Possibility to purchase a ready-made questionnaire prepared by us, which questionnaire can serve you to identify and analyze your environment yourself and come to the differences between your organization and the standard yourself. The questionnaire is easy and convenient to use and can be conducted as an internal audit by your organization. If necessary, you can combine this service with our consulting service to achieve the best and most effective results.

Complying with the ePrivacy Directive is a vital step in your development in response to rising threats to privacy and data integrity at the right time for you!

Contact us and ensure privacy & electronic communications of individuals and companies in the provision and use of electronic communications services is an easy win for all the affected parties and stakeholders.