What is the ePrivacy Regulation?


Whilst the new GDPR regulation has dominated headlines and discussions for some time now, another new EU regulation – the ePrivacy Regulation – hasn’t received quite the same level of coverage but is just as important.

What is the ePrivacy Regulation?

On 10 January 2017 the European Commission published its draft Regulation on Privacy and Electronic Communications (the ePrivacy Regulation), which is intended to replace the existing ePrivacy Directive.

The proposed regulation is designed to strengthen the protection of EU citizens’ private lives and create new opportunities for business. Major topics addressed in the ePrivacy Regulation include the much-debated use of, and practices related to, cookies, as well as marketing message opt-in requirements. It has not yet been finalised, but once released the ePrivacy Regulation is expected to replace the existing ePrivacy Directive, apply directly across all EU markets and work in tandem with the GDPR.

Currently, it’s expected to come into force around six months after the GDPR on 25 May 2018 but could be as late as 2019, depending on how much revision it needs.

What does ePrivacy cover?

You may already have heard of the ‘cookie law’, which is what the previous ePrivacy directive was colloquially known as. But the enhanced regulation has a much broader scope in light of technological developments and the unprecedented amount of data involved in ‘the Internet of Things’ (IoT).

The previous directive covered communication channels of the time, such as cookies, email and other electronic communications channels. The new regulation, however, now mentions new electronic communication channels, including instant messaging apps such as Facebook Messenger, WhatsApp and Snapchat, and VoIP providers such as Skype.

The aim is to provide more stringent consents over these channels – both for the content of the communications and the metadata (data processed by the electronic communications network for the purpose of transmitting, distributing and exchanging the content) attached to those communications.

So what about cookies?

The regulations around the use of cookies have been the most widely debated and most contested part of the new regulation, as they could have far-reaching consequences for advertisers and digital publishers. Businesses in Europe must get explicit consent to use cookies and provide clear opt-outs to users under the proposed new law.

The existing ePrivacy directive is the reason behind the cookie banners on every website, prompting users to accept the use of cookies before entering a site. The new cookie policy would see these being done away with and the privacy notices moved into browsers instead, with users being able to select their default privacy settings when setting up the browser.

The proposals therefore focus on clarifying and simplifying the consent rules to make it easier for end-users to accept or reject cookies and other identifiers through adjusting the privacy settings on their web browsers.

The customer experience

Cookies are designed to enhance the customer experience – so what happens to the customer experience when customers block cookies from their browsers? It’s also possible that the cookie banners will disappear only to be replaced with intrusive privacy notices instead.

It’s unknown at this point to what extent different types of cookies will be regulated – for example, it’s been intimated that cookies required for analytics or for improving the site experience won’t be counted – but until the regulation is finalised, we won’t know for definite.

Clearly, there’s some important clarification required around the use of cookies, as blocking cookies used for analytics could detrimentally affect the quality of data that businesses can collect. After all, this type of data is used to obtain information about their customers (and potential customers) and thus improve their offering accordingly.

What do property companies need to be aware of?

Property companies will still be able to use the ‘soft opt-in’, although it can only be retained in limited circumstances. This means that consent is not required if you are sending marketing messages about similar products and services to your customers/clients or those you have negotiated with to provide products or services, as long as:

  • You give them the opportunity to opt-out when you receive their contact information; and
  • You give them the opportunity to opt-out when you send them subsequent messages.

This processing is not based on consent, but rather on the legitimate interests processing condition, and can only be relied upon by the organisation that collected the contact details, not third parties.

ePrivacy and what’s to come

With the ePrivacy Regulation still to be finalised, it’s tempting to focus purely on GDPR compliance, but it’s important to factor in how the ePrivacy Regulation will impact how we work and how we collect and store data, and to implement proper practices now.


Note that this article represents the views of the author solely and is not intended to constitute legal advice.
