UK: The New ePrivacy Regulation: How Will It Impact Your Business?

Last Updated: 18 April 2017
Article by Elle Todd

With the GDPR on the horizon, the EU is now overhauling and expanding the reach of the more specific privacy rules which relate to direct marketing, cookies and other forms of online monitoring. The ability of social media and messaging services to track users is one of many areas touched on in the European Commission's newly proposed ePrivacy Regulation, which was officially unveiled last week. We highlight some key impacts for the tech and media sectors, provided the proposed draft passes through the legislative process without dramatic changes. Businesses should incorporate these new requirements into their GDPR readiness planning.

Read this guide as a PDF here.

Why are the rules being updated?

  • The regime for electronic communications, based on the EU's Privacy and E-communications Directive (PECD), which dates back to 2002, is being overhauled as part of the Commission's Digital Single Market package.
  • Since the last review of the PECD in 2009, a new typology of players has emerged offering communication services that many end-users perceive as comparable to traditional electronic communications services such as telephone calls and SMS messaging.
  • These new players, so-called Over-the-Top communications services ('OTTs') (e.g. Skype, Gmail, WhatsApp), are generally not subject to the current EU electronic communications rules (although often voluntarily comply); the Regulation is proposing to change this.
  • The proposed new rules are designed to align with the stricter new general privacy rules under the GDPR (drawing on certain definitions and concepts used in that Regulation), which will come into force in 2018. Like the GDPR, the proposed new e-communications rules would take the form of a directly effective Regulation, to help iron out differences in different EU Member States.

When will the new e-privacy rules come into force?

  • The Commission's aim is for the Regulation to apply from 25 May 2018; purposely the same date as the GDPR comes into force. However, as the proposal is at the start of the Brussels legislative process this may be overly ambitious. Being narrower in scope, it is unlikely to take as long to adopt as the GDPR, but there may be some areas of contention. In particular, representatives from the European Parliament have already mentioned disappointment that the consent requirements are not stricter and could look to push back on this. We will be tracking the Regulation's progress.

Which current EU and UK rules will the Regulation replace?

  • In terms of EU law, the Regulation will repeal the PECD - its current relationship with the regulatory framework of electronic communications (likely to soon be replaced by the European Electronic Communications Code) will be maintained by the new Regulation.
  • In the UK, the Regulation will repeal the 2003 Privacy and Electronic Communications (EC Directive) Regulations. This assumes that the rules take effect before Brexit and, in the same way as the GDPR, that post-Brexit, the UK continues to adhere to EU style rules. See here for more analysis of the Brexit dimension for data regulation.

What is the risk factor? What are the increased sanctions for non-compliance?

The fines are in line with GDPR levels and are as follows.

  • Infringements of the following rules could result in administrative fines of, the higher of 10,000,000 EUR, or up to 2% of the total worldwide annual turnover:
    • "cookie" information and consent rules
    • privacy by design obligations
    • rules on unsolicited communications (i.e. failure to respect opt-in rules) and
    • provisions on publicly available directories
  • Infringements of the following would be subject to administrative fines of, the higher of 20,000,000 EUR, or up to 4% of the total worldwide annual turnover:
    • the principle of confidentiality of communications
    • unlawful processing of electronic communications data and
    • time limits for erasure

Is the scope of the regime changing?

  • The new Regulation, like the GDPR, will have extra-territorial effect. It applies to the processing of electronic communications data carried out in connection with the provision and use of electronic communications services in the Union, regardless of whether or not the processing takes place in the Union.
  • In addition to traditional voice, text and e-mail services, the provisions on confidentiality, the processing of electronic communications data, and storage and erasure of such data would apply to:
    • Over-the-top service providers ('OTT') such as unmanaged VoIP, instant messaging, web mail and social media messaging, and
    • Machine-to-machine communication (i.e. IoT technology), should the information or metadata exchanged between two devices be deemed to contain personal data.
  • The proposal's broad definition of "electronic communications services" is likely apply to all services that have a communications element - meaning dating apps, video game services, travel and e-commerce sites, even if they are just "ancillary" to another service.
  • As now, the rules on direct marketing and use of cookies and other tracking technologies would apply to all marketers and websites, regardless of whether they fall within the definition of electronic communications services.
  • Software providers and potentially retailers will also be impacted, as e-communications software placed on the market will be required to offer privacy settings which enable the blocking of third party cookies, and on installation, the software must inform the end-user about the privacy settings options and, to continue with the installation, require the end-user to consent to a setting.

What are the proposed changes to the rules for cookies?

The current rules on cookie consent, introduced by the 2009 amendments to the PECD, have attracted much controversy and resulted in an overload of consent requirements for internet users. There are some important changes to the rules.

  • The new Regulation applies to cookies, spyware, web bugs, hidden identifiers and device fingerprinting. It prohibits the use of "processing and storage capabilities of terminal equipment and the collection of information from users' terminal equipment, including about its software and hardware", unless consent – or some other narrow conditions – are met.
  • "Consent" has the same meaning as under the GDPR, i.e. freely given, specific, informed, active and unambiguous consent expressed by a statement or clear affirmative action.
  • However, in the context of cookies, such consent may be expressed by browser settings and the Regulation places specific obligations on browser providers to ensure that appropriate consent settings and options are given to individuals.
  • There are some new exceptions to the cookie consent rules, meaning those awkward banners and pop-ups won't be needed where cookies are only used for:
    • web audience measuring – but this applies only to first party cookies,
  • Alongside the familiar exceptions i.e.:
    • if it is necessary for the sole purpose of carrying out the transmission; or
    • it is necessary for providing an information society service, e.g. to add items to a shopping cart.
  • Websites wanting to rely on cookies for marketing, tracking and behavioural purposes will therefore need to consider the browser consent users have given. In practice, we expect that websites will continue to want to get opt-in consent to override this and therefore pop-up consent boxes will remain a regular sight despite the European Commission's intentions.
  • The collection of device information e.g. for Wi-Fi log-ins is prohibited, other than for the purposes of establishing the connection, unless a "clear and prominent" notice is displayed "on the edge of the area of coverage" informing the user of:
    • how the data will be collected,
    • the purposes for which it will be used, and
    • the person responsible for collecting it and any other information required under the transparency requirement of the GDPR to make such processing fair.
  • Such notices may be provided by means of standardised icons – to be developed under the "delegated acts" provisions of the Regulation – to make this information user-friendly.
  • The Regulation proposes web browsers, and other applications that permit the retrieval and presentation of information on the internet, should provide users, at the moment of installation, with a clear and accessible choice on their privacy settings, which will be binding on third parties.
  • The 'choice' should be as user-friendly as possible, whereby users are offered a set of privacy setting options, ranging from higher (e.g. never accept cookies) to lower (e.g. always accept cookies).
  • Further, the information provided, should not dissuade users from selecting these higher privacy settings.
  • Software installed before 25 May 2018 (assuming the Commission's implementation target is met) would need to offer the option to block third party cookies on the first update of the software, and at the latest by 25 August 2018.

Can users still use ad blockers?

  • The proposal does not regulate the use of ad blockers specifically, but instead gives website providers the ability to check if an end-users device is able to receive their content, without obtaining the end-user's consent – this is a useful clarification.
  • Should the end-user's device be unable to receive the content requested, due to the user's own configuration, it is then up to the website provider to respond appropriately, for example by asking the user if they would be willing to switch off their ad blocker for the relevant website.

How would the rules on direct marketing differ?

The rules for opt-in and opt-out marketing consents are similar to the current position under the PECD (and there will have been a collective sigh of relief that 'soft opt-in' appears to have been retained), but there are some important changes to note.

  • The restrictions on unsolicited marketing communications apply to all direct marketing communications sent via the broadly defined "electronic communications services" (in contrast to the PECD). The recitals indicate that this is intended to cover instant messaging applications, MMS and Bluetooth.
  • The rules protect business recipients as well as individuals.
  • There is no change in that organisations would be required to obtain end-users' prior consent, before sending commercial electronic communications for direct marketing purposes.
  • Once given, the end-user's consent can then be withdrawn at any time.
  • A soft opt-in remains for the use of e-mail contact details within the context of an existing customer relationship for the offering of the marketer's own similar products or services. Note that the draft Regulation, like the PECD, restricts the use of the soft opt-in to the context of "a sale of a product or a service" whereas the current UK Regulations extend this to the "sale or negotiations for the sale".
  • Member States still have discretion to make live telemarketing calls opt-out (the current position in the UK).
  • There are similar requirements for marketers to be transparent, i.e. make it clear that communications are marketing, the identity of the marketer and to facilitate opt-outs.

What does it say about metadata vs content of communications?

  • Metadata is specifically mentioned in the Regulation. The basic rule is that both the content and metadata of e-communications are confidential and that all interference is prohibited.
  • Service providers will need users' consent to in order to use the metadata, such as location data, to provide services.
  • There are a few exceptions to this, such as transmission and / or security.
  • Certain high-risk processing of communications metadata may also require a Privacy Impact Assessment under the GDPR. In practice this is unlikely to mean much change.
  • For the use of communications content in order to provide services, the rules are stricter. Providers of electronic communications services may process electronic communications content only:
    • when providing a specific service to an end-user, if the end-user or end-users concerned have given their consent to the processing of their electronic communications content and the provision of that service cannot be fulfilled without the processing of such content, unless
    • all end-users concerned have given their consent to the processing of their electronic communications content for a purpose that cannot be fulfilled by processing information that is made anonymous, and the provider has consulted the supervisory authority.
  • Consent for the use of both communication content and metadata for the provision of services can be withdrawn at any time, but in addition, service providers must remind end-users every six months that they have the right to opt-out.

What else does the new Regulation cover?

The new Regulation would also update the rules on calling line identification and call blocking, to combat nuisance calls, and the rules on public directories.

Comment and next steps

Given how far communications media and advertising techniques have evolved since 2002, or even 2009 when the PECD was last updated, the overhaul of the rules is overdue.

The current cookies rules in particular have been widely (and rightly) ridiculed, so reconsideration is welcome. However, it is not clear in practice that the proposals will actually mean an end to, or substantial decrease in, pop-up consent and banners unfortunately, and the high consent threshold (to align with GDPR) is likely to be unpopular in many circles. Whether or not the rules will achieve a truly "future-proof" state also remains to be seen.

The Commission's aim is for the new rules to come into force at the same time as the GDPR. Whether this is realistic or not depends on how much lobbying it attracts from the wider domain of digital businesses now in scope and the scrutiny of the other European institutions. We will be tracking the progress of the proposal through its next legislative stages – consideration by the European Parliament, initially through a Rapporteur and lead committee – and by the Member States in the form of the Council. Depending on the degree of consensus on the draft proposal, this process could take between months and years.

For more analysis, please join our webinar at 15:00 UK time on 19 January. You can register here.

We will provide regular progress updates on our Datonomy blog at

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

In association with
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.


Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.


Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.


A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.


This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.


If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.


This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at and we will use commercially reasonable efforts to determine and correct the problem promptly.