Many are still getting their heads around the General Data Protection Regulations (GDPR) of 2018. Now, lurking over the heads of corporations and individuals alike are the e-Privacy Regulations.

ePrivacy Regulations explained

Put simply it’s the Directive on Privacy and Electronic Communications (Directive 2002/58/EC and the 2009 update, Directive 2009/136). Cookies feature heavily, however, its impact is broader than that. It is also as difficult to fully understand the practical implications of this legislation, as it was and still is with the GDPR.

Concerning the difference between e-Privacy and GDPR it’s important to understand a similarity between e-Privacy and GDPR; the UK, despite the impending EU exit - is committed to both of these manifestations of EU Law.

Now the differences; ePrivacy has unsolicited marketing at its heart. GDPR is about control of your data and prior consent to its use and purpose of use. E-Privacy defines requirements for online communications including texts, emails and other digital means. It will mean that marketers can’t send emails or other such digital communications without prior consent. Cookies, incorporating pesky pop-ups that appear to pollute your online experience by requesting consent to cookies, will be restricted.

Broadly, the e-Privacy scope surrounds the sending of direct marketing communications to end users.

GDPR as we all know is currently in effect, e-Privacy is still under consideration. However, the nature of the ePrivacy Regulation as a specific principle overrides the GDPR that is a general one.

More palatable cookie consent

ePrivacy has been lovingly referred to as the ‘cookie law’. It looks to define and simplify the user experience relating to non-intrusive cookies (such as remember shopping cart contents).

Generally, rather than having to deal with those pop-ups each time you visit a site, the Regulation sets out a framework for cookie consent in the browser settings (such as ‘accept all cookies’ or ‘reject third-party cookies’.

Taking into account the replacing of PECR 2003, given the broadness and speed with which the digital world around us has expanded – it’s surprising the legislation/directives from 2003 are still prevalent. They have had to be interpreted/stretched to fit in with modern times.

With sanctions and complaints under ePrivacy, one of the most notable aspects of GDPR was the punitive treatment of breaches via sanctions. These can go up to 20 million Euros or 4 per cent of annual global turnover. ePrivacy adopts a similar stance. These sanctions are enforced by the ICO (Information Commissioners Office).


It’s difficult to gauge the impact or likely effectiveness of e-Privacy. This is mainly because GDPR itself is still in its infancy. The challenge for the ICO and the courts to come is to provide clarity on the real impacts of both of these European provisions.