The current ePrivacy Directive also known as the EU Cookie Law is officially called “Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC” (Regulation on Privacy and Electronic Communications).
The ePrivacy Regulation (ePR) was a proposed EU law designed to update and replace the existing ePrivacy Directive. The proposal was designed for greater regulation of electronic communications within the EU, in order to increase privacy for individuals and entities.
On February 11, 2025, the European Commission disclosed in the “2025 Work Programme” that it will withdraw the proposal for a new ePrivacy Regulation (ePR). This means the current ePrivacy Directive remains in force.
☰ Table of Contents
ePrivacy Directive versus ePrivacy Regulation (ePR)
The ePrivacy Directive is the directive regarding protection of personal data in electronic communications also known as the EU Cookie Law.
The ePrivacy Regulation (ePR) was a proposed EU law designed to update and replace the existing ePrivacy Directive.
On February 11, 2025, the European Commission disclosed that it will withdraw the proposal for a new ePrivacy Regulation. The proposal was designed for greater regulation of electronic communications within the European Union, in order to increase privacy for individuals and entities.
Proposed ePrivacy Regulation (ePR)
The proposed ePrivacy Regulation (ePR) was set to reshape the current ePrivacy Directive how businesses handle electronic communications, online marketing, and user data. Building on the GDPR it will introduce stricter rules around consent, cookies, metadata, and direct marketing.
Companies that rely on digital channels must prepare for significant changes in how they collect, process, and use customer data or risk steep penalties.
The regulation contains stronger rules to make sure people and businesses in the EU will have the same level of protection of their electronic communications.
The communications content and metadata need to be better protected such as the time and the location of a call. Metadata must be anonymised or deleted if users did not give their consent, unless the data is needed for billing.
Proposed ePrivacy Regulation on Cookies and Spam
The proposed (ePR) would be more user-friendly when visiting websites, as browser settings will provide for an easy way to accept or refuse tracking cookies and other identifiers. No consent is needed for non-privacy-intrusive cookies improving internet experience or cookies used by a website to count the number of visitors.
In regard to spam, the proposed ePR bans unsolicited electronic communications by emails, SMS, and automated calling machines. Depending on Dutch law, people will either be protected by default or be able to use a do-not-call list to avoid receiving marketing phone calls. Marketing callers will need to display their phone number or use a special prefix that indicates a marketing call.
Proposed ePrivacy Regulation and the Impact for Your Business
The scope of the proposed ePrivacy Regulation (ePR) applies to any business that provides any form of online communication service, uses online tracking technologies, or engages in electronic direct marketing. It impacts all countries under EU or European law.
In terms of direct messages through social media services, users (e.g. clients or employees) will need to give full consent to receive any promotional material from your organisation (as they would via email) and there must be an option to unsubscribe or unfollow your page or group at any time.
Due to the regulation, some companies in 2021 have turned away from the use of WhatsApp business, Snapchat, and other social messaging services which many deem “inappropriate” for business use since they do not comply with data protection laws. Instead, they have opted for internal messaging apps or email to ensure that they are data compliant.
Difference between GDPR and ePrivacy Directive
The General Data Protection Regulation (GDPR), and ePrivacy Directive are designed to protect the privacy of individuals, part of the member states in Europe. The ePrivacy Directive focuses on the processing of personal data specifically through online and electronic devices and services, whereas the GDPR focuses on the protection of personal data.
Reference made to online and electronic devices and services are for example: WhatsApp, Facebook Messenger, Skype, Gmail, iMessage and other providers of this type of communication services.
The GDPR and ePrivacy Directive require notification of data breaches to users and regulatory authorities.
Requirements ePrivacy Directive: Cookies and Spam
Cookies under the ePrivacy Directive
Cookies are small text files placed on a computer or mobile device by websites the user is visiting. They store information that is widely used to make websites work more efficiently and provide information to the site owners.
Under the ePrivacy Directive, websites must obtain user consent before storing cookies in their browser, except for those that are strictly necessary. Additionally, users of websites must be informed about the general purpose of the cookies before giving their consent.
Marketing and Spam Rules Under the ePrivacy Directive
Opt-In and Opt-Out Requirements: Businesses must get permission from users before sending marketing emails or messages. If an individual is already a customer, businesses may send marketing messages without prior consent, but they must offer an easy way to opt out.
Consent under the ePrivacy Directive
Consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
This will result in the fact that users must clearly agree before a website can store or access cookies on their device, unless the cookies are essential for the site to work. Users must also be told what the cookies are for before they decide.
On February 11, 2025, the European Commission disclosed that it will withdraw the proposal for a new ePrivacy Regulation (ePR). This means the current ePrivacy Directive remains in force.
More Information
- EU Data Act 2025: Netherlands Compliance & Employer Actions.
- EU-US Privacy Shield.
- The Member Countries of EU.
- Articles on European Union Law.
