After the GDPR Comes ePrivacy


The European Union (EU) has always strived to unify the legal protection of the citizens of its Member States and to harmonise the laws under which they operate. Many aspects of the online world have expanded over time and, with that, the need to expand the laws that cover them has grown. Given the sheer amount of personal data that we hand to companies by browsing the internet, and the need for that data to be protected, the EU introduced the General Data Protection Regulation (GDPR) on May 25, 2018, updating the rules to keep up with the fast pace of development in the IT sector. Data privacy within the EU is covered by the new GDPR and by the ePrivacy directive.

Understanding the differences between the two is important for businesses that handle personal data and for consumers alike. This article aims to explain the main differences between the two and why both are needed.

The ePrivacy directive is being updated to reach the same standard of protection that the GDPR provides for EU citizens, and the authority responsible for the GDPR is also responsible for ePrivacy. As with every data law, it can be extremely dry and confusing for the average person to understand. Perfectly Plain has broken down some of the most important points about it.

The General Data Protection Regulation (GDPR) was created to align data privacy laws across all EU member states. Under it, the processing of any EU citizen's personal data is protected, regardless of whether the processing is done within the EU or not, and regardless of the business's physical location. If a company sells to EU citizens, it is bound by the GDPR to protect those citizens' data.

The GDPR expanded the definition of personal data to include all metadata that results from communications. It also strengthened the consent requirements governing how an individual's personal information can be used and whether it can be shared. The GDPR made it easier for people to access their personal data, because businesses and websites that store any information about a user must maintain it and make it available to that individual on request. The GDPR also included a "right to be forgotten" clause and a right to data portability (to learn more, check out "Six Things Businesses Need to Know About the GDPR").

What is ePrivacy?

ePrivacy is concerned with protecting users' communications data, specifically metadata. Metadata can be information about when you made a phone call, where you were and how long the call lasted. It doesn't include any information about what you actually said.

Many companies, from the likes of WhatsApp and Facebook to mobile networks and internet providers, hold this kind of information on users. For the most part, users have no control over this; however, if ePrivacy comes into force, this will change. Under the proposed law, users would have much more control over their metadata. If people don't consent, companies will have to delete that information and will no longer be able to collect it by default.

The EU ePrivacy directive, also known as the EU cookie directive, is set to be revised in order to align better with the GDPR. Europeans are all too familiar with the annoying pop-ups that appear on every website they visit asking for permission to collect cookies. No, not the chocolatey good kind of cookies.

These cookies are small files stored on your computer that are designed to hold a "modest amount of data specific to a particular website and client and can be accessed either by a web server or the client computer. This allows the server to deliver a page tailored to a particular user, or the page itself can contain some script which is aware of the data in the cookie and so is able to carry information from one visit to the website (or related site) to the next."

To put it simply, a cookie is a small piece of plain text stored by your browser, which can be used to identify an individual user.

The banners on websites (as you can see, we also ask for your consent to collect cookies) are a product of the existing EU cookie directive. The cookie law requires websites to get "consent from visitors to store or retrieve any information on a computer, smartphone or tablet." The newly planned expansion of this directive, the ePrivacy Regulation (it hasn't been passed into law yet, but you can read the draft here), is trying to regulate how companies collect personal data online and to give people more control over how cookies are used to track them.

This in and of itself isn't a bad thing, but the question of how it can actually be executed is complex and messy, and could result in a worse user experience. The latest cookie law in the EU proposes dropping the banners that ask users for permission, as they can be quite annoying. The problem is that the alternative for publishers and businesses that run a website may, ironically, be more banners. The new proposals could mean that anyone collecting or analysing data for advertising purposes will have to jump through more hoops to get the necessary consent from their users.

The revised ePrivacy law will require consumers to set their own privacy settings in the browsers and apps they use. In theory, users will be able to choose how much they let themselves be tracked (people may agree to provide all of their cookies, some or none) through their browser settings, and servers would then be expected to read and honour that preference. However, if a user doesn't allow most cookies, businesses might have to show pop-up banners every time that user visits their website to inform them that permission is needed first. If you have ever used an ad-blocking add-on in your browser, you will be all too familiar with these.

The question of whether publishers are legally within their rights to use ad-blocking detection software has been somewhat answered by the European Commission, which has revealed that it is completely fine.

Another thing of note is that the new ePrivacy regulation has tougher rules on the way messaging services, like Skype and WhatsApp, handle messages, to ensure their confidentiality. Currently, there are regulations on SMS text messages that telecommunication companies have to abide by, but newer communication services like those mentioned above aren't included. The revised regulation aims to rectify this.

The inclusion of all types of communication in the ePrivacy regulation will mean that marketers won't be able to send emails or texts without prior consent from each individual account holder. Hooray, less spam!

Broadening the scope of protection to place online communications providers under the same requirements as traditional telecommunications providers will increase the protection of consumer communications. This means that companies like WhatsApp and Facebook will have to provide the same level of personal data security as bricks-and-mortar providers. The updated ePrivacy law will treat metadata the same as the actual content of the communication. This data will no longer be allowed to be intercepted, except where specifically authorised under the law by an EU Member State.

You can check out the key points of the new ePrivacy here.

GDPR vs. ePrivacy

Both regulations reflect a different part of EU law. The GDPR was created to embody Article 8 of the European Charter of Human Rights in terms of protecting personal data, while ePrivacy embodies Article 7, relating to a person's private life. The privacy of end users is covered under the ePrivacy regulations, which require that individuals' privacy is protected at every stage of each interaction on the internet.

The ePrivacy regulation was created to complement and particularise the GDPR, so the rules of the GDPR are always relevant to, and part of, ePrivacy. The directive takes the online retail sector into account in terms of how personal information can be used, and it adds to the overall body of rules that make up the GDPR.

The cookie law is being revised in order to align better with the GDPR, because one big difference between the two is that ePrivacy is currently a directive, while the GDPR is a regulation. The difference is quite important. A regulation makes every member state of the EU adhere to exactly the same laws and ways of implementing them — there is no wiggle room for interpretation. A directive, however, can be implemented by each member state in whatever way best works for its individual market. As such, countries with a more developed digital advertising scene don't need to apply rules as strict as those of other countries. The ePrivacy proposal, however, will turn it into a regulation.

Both laws work together to ensure that internet users have full control over their data and that all websites and businesses safeguard personal data. The expanded definition of personal data increases the amount of protected data and creates ownership over IP addresses and all online identifiers, which should help to strengthen the rights of individuals online across the whole of the EU.

Originally published at on August 21, 2018.

Reporter from Bulgaria. Freelance journalist and founder of @PlainPerfectly.
