What Is the EU ePrivacy Regulation?
The EU ePrivacy Regulation is the long-anticipated replacement for the ePrivacy Directive 2002/58/EC (also known as the Cookie Directive). The draft Regulation — formally COM(2017) 10 — was first proposed by the European Commission in January 2017. While it has faced years of legislative delay in the Council of the EU, it remains a live legislative file and organisations with EU operations should be actively preparing.
The ePrivacy Regulation operates as lex specialis to the GDPR — meaning it takes precedence as more specific law wherever it applies. The Regulation covers electronic communications, cookie and tracking technology consent, and direct electronic marketing. It applies to any organisation using cookies or electronic communications tools that reach users in the EU, regardless of where the organisation is based.
What Changes from the ePrivacy Directive?
The current ePrivacy Directive 2002/58/EC has been implemented differently across EU member states, creating inconsistent national rules. The draft Regulation aims to harmonise these rules directly, with no national transposition needed. Key changes:
- Consent standard elevated to GDPR Article 7: Cookie consent under the Directive varies by member state. The draft Regulation requires GDPR-standard consent — freely given, specific, informed, and unambiguous. Pre-ticked boxes are definitively prohibited.
- Browser-level consent signals: Article 10 of the draft Regulation contemplates browser or software settings as a valid consent mechanism, potentially reducing individual cookie banners for users who configure opt-out at browser level. The IAB's TCF 2.2 attempts to operationalise consent signals at the framework level.
- Scope extended to OTT communications: The Regulation extends to over-the-top communications services (WhatsApp, Signal, Teams, Zoom) — not just traditional telecoms providers covered by the Directive. This is a major change for messaging and video conferencing platforms.
- Machine-to-machine communications: The Regulation explicitly addresses IoT and M2M communications, clarifying when processing of data from connected devices requires consent or a strictly necessary justification.
- Single DPA enforcement: Enforcement will be aligned with GDPR's supervisory authority structure — the lead DPA for the organisation's main establishment. This ends the current patchwork of national telecoms regulators handling ePrivacy enforcement.
Article 5(3): The Cookie Consent Rule
Article 5(3) of the current ePrivacy Directive requires prior informed consent before storing or accessing information on a user's device — unless strictly necessary for the service explicitly requested by the user. This is the legal foundation for cookie consent banners across the EU.
The draft Regulation's Article 8 retains this structure but aligns the consent standard with GDPR Article 7. In practice, this means:
- Opt-in only: No pre-ticked boxes. Analytics cookies, advertising cookies, and personalisation cookies all require active consent.
- Granular choice: Consent must be purpose-specific. A blanket "accept all" button without granular controls is insufficient if it bundles multiple distinct purposes.
- Equal prominence for reject: EDPB Guidelines 03/2022 on deceptive design patterns make clear that a "reject all" or "decline" option must be as easy to access and as prominent as "accept all."
- Freely given: Cookie walls — where access to content is conditioned solely on accepting tracking — are prohibited under GDPR and increasingly challenged by DPAs under ePrivacy. The draft Regulation's recitals reinforce this.
Strictly Necessary Cookies: What's Exempt?
Not all cookies require consent. The strictly necessary exemption covers cookies that are technically required to deliver a service explicitly requested by the user. Examples include:
- Session cookies maintaining login state
- Shopping cart cookies during an active checkout session
- Security cookies (CSRF tokens, fraud detection)
- Load balancing cookies
What is not strictly necessary: analytics cookies (even "anonymous" ones), A/B testing cookies, advertising cookies, social media pixels, and personalisation cookies. These require consent regardless of how the vendor labels them.
Dark Patterns: DPA Enforcement Focus
The EDPB issued Guidelines 03/2022 on deceptive design patterns — a major enforcement signal. DPAs across the EU are actively investigating and fining organisations for:
- "Accept all" button on the main banner with a hidden reject path in nested menus
- Reject button in a smaller font or lower-contrast colour than accept
- "Legitimate interests" pre-ticked for advertising trackers (not a valid basis under strict interpretation)
- Consent obtained through confusing double-negatives ("Uncheck to opt out of not receiving...")
- Forced re-consent by reloading the banner if the user closes it without accepting
Significant enforcement actions: France's CNIL fined Google €150M and Facebook €60M in 2022 for making cookie rejection difficult. The IAB Europe was fined €250,000 by the Belgian DPA for TCF 2.0 violations. These are precedent-setting decisions that continue to shape DPA inspection criteria.
Article 13 / Article 16: Direct Electronic Marketing
Article 13 of the ePrivacy Directive (Article 16 of the draft Regulation) governs direct marketing by electronic means — email, SMS, automated calls. Key rules:
- Consumer opt-in: Marketing communications to individual subscribers require prior consent. This applies to email, SMS, and automated/pre-recorded calls.
- Soft opt-in (existing customer): An organisation may market to existing customers without fresh consent if: (1) the organisation obtained the contact details in the context of a sale of a product or service; (2) the marketing is for the organisation's own similar products or services; and (3) the customer is given a clear opportunity to opt out — in every communication.
- Unsubscribe mechanism: Every marketing message must contain a simple and free method to opt out. One-click unsubscribe is best practice. Suppression lists must be maintained and honoured promptly (within 10 business days is common guidance).
- Sender identity: The sender's identity must not be disguised or misrepresented. The address to which opt-out requests can be sent must be disclosed.
- B2B marketing: National rules vary — some member states apply opt-out (not opt-in) for business email marketing. Organisations marketing to EU businesses across multiple member states need jurisdiction-specific advice.
Machine-to-Machine & IoT Scope
The draft Regulation's recitals (18–22) address M2M and IoT. The key question is whether a device or service processes personal data from or about end users. For IoT devices (smart speakers, connected cars, wearables, smart TVs), the Regulation requires a clearly documented legal basis — either strictly necessary processing for the requested service, or user consent. Location data from connected vehicles, behavioural data from smart home devices, and health data from wearables all require careful legal basis mapping.
Confidentiality of Communications
Articles 5–7 of the current Directive (retained in the draft Regulation) protect the confidentiality of electronic communications — including content and metadata. Interception, monitoring, or storage of communications without consent is prohibited with limited exceptions (security, network integrity, billing). This has direct implications for:
- Employee email and communications monitoring (requires legal assessment, often consent or legitimate interest with DPIA)
- Retention of traffic data (call records, IP logs) — strict limits apply
- Messaging service providers required to maintain end-to-end encryption integrity
Consent Management Platforms: What Good Looks Like in 2026
A compliant CMP implementation in 2026 should include:
- Initial banner with accept/reject options equally prominent, without pre-selection
- Granular preference centre allowing category-level and vendor-level consent choices
- Consent record with timestamp, banner version, user identifier, and specific consents granted
- Cookie audit integrated into CMP: automatic scanning and categorisation of all cookies and trackers
- Consent renewal: re-prompting after material changes to data processing or after 12 months (some DPAs specify shorter periods)
- Third-party script blocking: no non-essential tracker fires before consent is captured
- GPC / Global Privacy Control signal recognition for users who configure opt-out at browser level
DPA Enforcement Landscape
ePrivacy enforcement in 2026 sits with DPAs (following GDPR's supervisory authority model in most member states) and national telecoms regulators in others. Key enforcement authorities and their focus areas:
- CNIL (France): Cookie consent quality, reject button prominence, TCF compliance
- DPC (Ireland): Big tech ePrivacy obligations, OTT communications scope
- BfDI / LfDI (Germany): Federal and state-level enforcement, legitimate interests for analytics
- ICO (UK): PECR enforcement (UK equivalent post-Brexit), cookie banner quality, direct marketing
- APD/GBA (Belgium): TCF violations, adtech
Assess Your ePrivacy Readiness
ComplyKit's free EU ePrivacy Regulation Readiness Assessment covers 42 controls across cookie consent, tracking technologies, direct marketing, communications confidentiality, M2M/IoT, and governance — and generates a professional readiness report with gap analysis and remediation roadmap. No account required.