# ePrivacy Regulation
The proposed EU regulation that would replace the 2002 ePrivacy Directive, governing electronic communications privacy including cookies, tracking, and unsolicited communications.
## What the ePrivacy Regulation actually is
The ePrivacy Regulation (sometimes called "ePR") is a proposed EU regulation that would replace the existing ePrivacy Directive (Directive 2002/58/EC, sometimes called the "Cookie Directive"). It addresses electronic communications privacy with broader scope than GDPR's general personal data focus.
**Important context for 2026**: the ePrivacy Regulation has been in negotiation since 2017 and remains unfinalised. The current regulatory framework is the 2002 Directive (with 2009 amendments) plus GDPR. This entry covers both the existing framework and the proposed regulation.
## The 2002 ePrivacy Directive (current law)
The existing ePrivacy Directive covers four main areas:
### 1. Cookies and tracking
The famous "cookie banner" requirement comes from this directive (specifically Article 5(3)). Storage of information in users' devices, or access to information already stored, requires user consent unless strictly necessary for service delivery.
This is why every European website has a cookie banner.
### 2. Confidentiality of communications
Electronic communications (email, phone calls, messaging) are confidential and may not be intercepted or accessed without consent. This applies broadly across communications services.
### 3. Traffic and location data
Telecom operators have specific obligations regarding traffic data (who communicated with whom, when) and location data. Most of this data must be deleted or anonymized once billing purposes are fulfilled.
### 4. Unsolicited communications
Direct marketing communications generally require prior opt-in consent. This applies to email, SMS, and automated calling systems.
## Why the proposed Regulation matters
The 2002 Directive has aged poorly. The proposed Regulation addresses several gaps:
**1. Inconsistent implementation across member states.** The current Directive must be transposed into national law, creating 27 different national implementations. A Regulation (binding directly without transposition) would harmonize implementation.
**2. New communication services.** WhatsApp, Signal, Telegram, Threema didn't exist in 2002. The current Directive's coverage of "OTT communications services" (over-the-top messengers) is unclear. The proposed Regulation explicitly covers them.
**3. Cookie banner failures.** The current cookie consent regime has produced "cookie banner fatigue" — users click through banners without meaningful consent. The proposed Regulation would shift toward browser-level consent signals and standardized consent mechanisms.
**4. Internet of Things (IoT).** Smart devices, connected cars, and IoT systems have privacy implications the 2002 Directive doesn't address. The proposed Regulation covers machine-to-machine communications.
## Why the Regulation has stalled
The proposed ePrivacy Regulation was published by the Commission in January 2017. As of 2026, it remains unfinalised — making it one of the longest-stuck legislative files in EU history.
The reasons:
**1. Industry lobbying.** The advertising and publishing industries have heavily lobbied against provisions that would weaken cookie-based tracking economics.
**2. Member state divisions.** EU member states disagree on the appropriate balance between privacy protections and digital advertising industry needs.
**3. Interaction with GDPR.** Coordinating ePrivacy provisions with GDPR has been technically and politically complex.
**4. New technology disruption.** First-party cookie alternatives, server-side tracking, and emerging privacy-preserving technologies have changed the technical landscape mid-negotiation.
The Council's most recent compromise text dates to 2024-2025 with ongoing trilogue negotiations. A finalized regulation in 2026-2027 is possible but not certain.
## What this means for European businesses in 2026
For now, the practical regulatory framework remains:
**1. The 2002 Directive (as amended)** plus national transpositions
**2. GDPR** for personal data processing aspects
**3. ePrivacy Directive enforcement** by national data protection authorities
For European businesses:
**Cookies and tracking**: The current "consent for non-essential cookies" requirement applies. Most European websites need cookie consent banners. The practical workaround that's gained popularity: **cookieless analytics** (Plausible, Matomo, Pirsch) that don't require consent banners because they don't set tracking cookies.
**Email marketing**: Opt-in consent is generally required. Existing customer relationships have some carve-outs (Article 13(2)), but the safe approach is explicit opt-in.
**OTT messaging**: Currently in a regulatory gray zone. The 2002 Directive's application is unclear. Most providers (Threema, Signal, etc.) operate as if it applies.
**Direct marketing**: Opt-in for new contacts; some flexibility for existing customer relationships.
## The cookieless future
The most important practical implication of ePrivacy enforcement: cookie-based tracking is increasingly economically unviable in Europe.
When 30-50% of users decline cookie consent (typical European rates), conversion analytics become unreliable. Marketing teams that adapted to this earlier (using cookieless analytics, server-side tracking, or first-party data strategies) have measurable advantages.
European tech tools positioned for the cookieless future:
- **[Plausible](/en/alternatives/plausible-vs-google-analytics/)** (Estonia) — cookieless analytics by architecture
- **Matomo** (France) — supports cookieless mode
- **Pirsch** (Germany) — cookieless analytics
- **Server-side tracking** via tools like n8n + database
For European businesses optimizing for the regulatory direction, building on cookieless infrastructure is strategically sound regardless of when the proposed Regulation is finalized.
## What 2026-2027 might bring
Several scenarios:
**Scenario A: Regulation finalised** — coherent EU-wide privacy framework for electronic communications, replacing the current Directive patchwork. Possible 2026-2027 if political will materializes.
**Scenario B: Continued status quo** — current Directive remains in force with national variations. Most likely scenario through 2027 absent significant political change.
**Scenario C: Regulation withdrawn** — Commission could theoretically withdraw the proposal and start over. Politically difficult but not impossible.
For European businesses, planning around Scenario B (status quo) is realistic. Building on cookieless infrastructure positions you well regardless of which scenario unfolds.
## Practical recommendations
1. **Implement cookie banners correctly** — under current law, this is non-negotiable for sites using non-essential cookies
2. **Consider cookieless analytics** — Plausible, Matomo, or similar reduce regulatory exposure and improve conversion measurement
3. **Use opt-in consent for email marketing** — defensive position regardless of regulatory direction
4. **Watch for finalised Regulation** — likely to bring consent harmonization, possibly browser-level signals, definitely changes
5. **Don't optimize for current Directive's specific text** — the Regulation may change the rules; build on principles (transparency, minimal data, user control) rather than specific compliance hacks