If you thought GDPR was a big deal, the ePrivacy Regulation is set to change the rules again — and in some ways more dramatically. It has been in draft for years, caught in political negotiations in Brussels, but momentum is building and most privacy experts expect it to pass and take effect within the next couple of years.
When it does, every business with a website, email marketing programme, or customer messaging strategy will need to act. Here is what you need to know.
What Is the ePrivacy Regulation?
The ePrivacy Regulation (ePR) is a proposed EU law that would replace the current ePrivacy Directive — the 2002 law (updated in 2009) that gave us the cookie consent requirement most websites already live with.
The existing law is commonly called the Cookie Directive, though its official name is the Directive on Privacy and Electronic Communications. It requires websites to get consent before placing non-essential cookies, and it covers electronic communications more broadly: email, SMS, and direct marketing.
The new Regulation takes this much further. As a Regulation (rather than a Directive), it would apply directly in all EU member states without needing to be transposed into national law — removing the patchwork of inconsistent national implementations that currently exists.
ePrivacy Directive vs. ePrivacy Regulation: Key Differences
The current Directive is a floor, not a ceiling. Member states have implemented it differently, which is why cookie banner requirements vary subtly between the UK, Germany, France, and elsewhere. The new Regulation would harmonise all of this.
More importantly, the Regulation significantly expands scope, tightens consent requirements, and introduces rules that the Directive never contemplated — including browser-level consent signals, stricter B2B marketing rules, and coverage of messaging platforms like WhatsApp and iMessage.
What GDPR Doesn't Cover That ePrivacy Will
This is one of the most common sources of confusion. Many businesses assume GDPR already covers everything related to cookies and electronic communications. It doesn't.
GDPR is a general data protection law. It governs how you process personal data across your entire operation. The ePrivacy Regulation is a lex specialis — a specific law that governs electronic communications, and it takes precedence over GDPR in those specific areas.
Here is what GDPR does not clearly address that ePrivacy will:
Metadata from electronic communications. Call logs, email headers, and IP addresses used in communications: GDPR protects content, but the ePrivacy framework specifically targets communications metadata.
Confidentiality of electronic communications. The requirement that the content and metadata of communications not be accessed or processed without consent comes from ePrivacy, not GDPR.
Browser-level cookie signals. GDPR does not specify how consent for tracking must be technically implemented. ePrivacy will.
B2B direct marketing. GDPR applies to individuals. The ePrivacy Directive (and the forthcoming Regulation) covers marketing sent to professional email addresses, which falls into a grey area under GDPR alone.
Device storage access. Reading or writing anything to a user's device — including cookies, local storage, and fingerprinting techniques — is regulated by ePrivacy, not GDPR.
Key Changes the ePrivacy Regulation Introduces
1. Consent Required for All Non-Essential Cookies by Default
This sounds familiar because the Cookie Directive already requires it. But in practice, enforcement has been inconsistent and many websites have used dark patterns — making it easier to accept all cookies than to reject them — to nudge users toward consent.
The ePrivacy Regulation is expected to establish clearer, more precise requirements for how consent must be collected and recorded, closing the loopholes that dark-pattern cookie banners currently exploit.
2. Browser-Level Consent Signals
This is one of the most significant and technically interesting provisions in the draft Regulation. Rather than requiring every website to display a cookie banner, the ePrivacy Regulation would allow users to set their tracking preferences once in their browser — and websites would be required to honour those browser-level signals.
Think of it as a technical privacy preference that travels with the user. Browsers could be configured to signal "no tracking," and websites would have to respect it without displaying a separate consent banner for users who have already expressed a preference.
This mirrors, to some extent, what the US Global Privacy Control (GPC) tries to achieve under CCPA. The ePrivacy Regulation would make a similar system mandatory for EU users.
The practical implication: if a user has set their browser to refuse tracking cookies, your consent management platform would need to detect and honour that signal — not show a banner attempting to override it.
3. Stricter Rules for Email and Direct Marketing
The current rules on email marketing under the ePrivacy Directive require prior consent for marketing sent to consumers. B2B email operates under a lighter-touch regime in most member states — the "legitimate interest" basis can apply for business contacts.
The ePrivacy Regulation is expected to tighten these rules. Key anticipated changes:
- Clearer requirements on what constitutes valid consent for email marketing
- More explicit rules on the "soft opt-in" exception (marketing to existing customers about similar products/services)
- Stricter rules on unsubscribe mechanisms and proof-of-consent record keeping
- Expanded coverage of new channel types including messaging apps, push notifications, and in-app communications
4. Messaging Apps and OTT Communications
The Directive, last updated in 2009, was written for SMS and traditional email. It did not adequately address over-the-top (OTT) communications: WhatsApp, iMessage, Signal, Facebook Messenger, Telegram.
The ePrivacy Regulation explicitly brings these platforms within scope. If your business communicates with customers via WhatsApp Business or uses messaging APIs, the Regulation will impose confidentiality, consent, and marketing restrictions on those communications in the same way it does for email.
5. Tracking-Based Advertising
The ePrivacy Regulation addresses the advertising tracking ecosystem more directly than GDPR does. Tracking users across websites for advertising purposes would require clear, specific consent — not "legitimate interest," which some platforms have attempted to use under GDPR.
The draft text is expected to close the door on the "legitimate interest" basis for tracking-based advertising. This aligns with where EU data protection authorities have already moved in enforcement actions against platforms like Meta.
Current Status and Timeline
The ePrivacy Regulation has had one of the longest legislative gestation periods in EU history. The Commission published its proposal in January 2017, the same time as GDPR. While GDPR entered into force in May 2018, the ePrivacy Regulation is still being finalised.
Here is where things stand:
- European Commission proposal: January 2017
- European Parliament position: October 2017 (adopted)
- Council of the EU general approach: February 2021 (after years of negotiations)
- Trilogue negotiations: Ongoing between Parliament, Council, and Commission
- Expected adoption: 2025–2026 (estimates vary)
- Transition period: Likely 24 months after adoption before enforcement begins
The most realistic scenario for businesses to plan around: the Regulation passes in 2025–2026, with enforcement beginning no earlier than 2027–2028. However, given that some provisions align with where regulators are already pushing under existing law, businesses that wait for a hard deadline risk being caught off guard.
How ePrivacy Affects Analytics and Advertising
Analytics
Under the current Cookie Directive, analytics cookies (such as those set by Google Analytics) are non-essential and require consent in most EU member states. Some regulators — including France's CNIL and Germany's DSK — have gone further, ruling that standard GA4 implementations are non-compliant with GDPR due to data transfers to the US.
The ePrivacy Regulation is unlikely to make analytics simpler. The consent-first requirement for tracking technologies will remain, with more precise standards for what valid consent looks like. Server-side analytics and privacy-first analytics tools (like Plausible or Fathom) that don't use cookies or cross-site tracking will be better positioned.
Advertising
The ePrivacy Regulation will most significantly disrupt tracking-based advertising. The closure of the "legitimate interest" loophole for cross-site tracking, combined with browser-level consent signals, means the targeting data flows that underpin programmatic advertising will face a much stricter consent requirement.
For most small businesses, this primarily affects retargeting ads (Facebook Pixel, Google Ads remarketing). These already require consent under the Cookie Directive. The Regulation will tighten what counts as valid consent and how it must be recorded.
What Businesses Should Do Now to Prepare
1. Get Cookie Consent Right Under Current Law
The most important immediate step is ensuring your existing cookie consent implementation is actually compliant — under the Cookie Directive and GDPR today. Many businesses have cookie banners that technically exist but are not collecting valid consent: no clear reject option, pre-ticked boxes, or consent assumed from continued browsing.
Fixing this now means you are already building toward ePrivacy Regulation compliance, not starting from scratch when it takes effect.
2. Audit Your Tracking Stack
Use a scanning tool to understand exactly what cookies and trackers your website sets, and when. Many businesses are surprised to discover that analytics scripts, embedded widgets, and social share buttons set third-party tracking cookies before any consent is collected.
3. Review Your Email Marketing Consent Records
Whether or not you are already collecting consent for email marketing, you need to ensure you can demonstrate it. Under the ePrivacy Regulation, the burden of proof will fall on the sender. Now is the time to audit your mailing list, identify contacts whose consent basis is unclear, and implement proper consent recording going forward.
4. Prepare for Browser-Level Signals
The Global Privacy Control (GPC) is already live and legally significant in California. Many privacy advocates expect it to become the model for the ePrivacy Regulation's browser-level consent signal requirement.
Your consent management platform should already detect and honour GPC signals for US users. Ensure it does — and check whether it can be extended to honour similar signals as the ePrivacy Regulation takes shape.
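As an added illustration (not Custodia's code or any consent platform's), here is the decision logic the browser-level signal sections above describe: honour a no-tracking signal instead of showing a banner, reuse a stored consent record for the current notice version, and otherwise show the banner while keeping every non-essential category off. The GPC signal itself is real (navigator.globalPrivacyControl in the browser, the Sec-GPC: 1 request header server-side); the category names, notice version and record fields are assumptions.

```javascript
// Added example, not Custodia's code: consent decision logic that honours a
// browser-level "no tracking" signal as the post describes. The GPC signal is
// real (navigator.globalPrivacyControl in the browser, the Sec-GPC: 1 request
// header server-side); category names, notice versions and the record shape
// are assumptions for illustration.

const NON_ESSENTIAL = ["analytics", "advertising"];

// Map every non-essential category to the same boolean (default: off).
function allCategories(value) {
  return Object.fromEntries(NON_ESSENTIAL.map((c) => [c, value]));
}

// True when the browser (or the request, server-side) carries a GPC signal.
// `nav` and `headers` are passed in so the logic runs outside a real browser.
function hasNoTrackingSignal(nav, headers = {}) {
  return nav?.globalPrivacyControl === true || headers["sec-gpc"] === "1";
}

// Decide what to do on page load. Returns { showBanner, allowed, record }.
// Precedence: browser signal wins (no banner, nothing non-essential loads),
// then a stored record for the current notice version, then ask the user.
function resolveConsent({ nav, headers, storedRecord, noticeVersion, now }) {
  const ts = now || (() => new Date().toISOString());
  if (hasNoTrackingSignal(nav, headers)) {
    const choices = allCategories(false);
    return {
      showBanner: false,
      allowed: choices,
      record: { source: "browser-signal", noticeVersion, choices, timestamp: ts() },
    };
  }
  if (storedRecord && storedRecord.noticeVersion === noticeVersion) {
    return { showBanner: false, allowed: storedRecord.choices, record: storedRecord };
  }
  // No valid consent yet: show the banner and keep every non-essential tracker off.
  return { showBanner: true, allowed: allCategories(false), record: null };
}

// Build the proof-of-consent record from a banner choice. Nothing is pre-ticked:
// a category counts as allowed only if the user explicitly set it to true, so a
// "reject all" click produces a valid record with everything off.
function recordChoice(choices, noticeVersion, now) {
  const ts = now || (() => new Date().toISOString());
  const normalised = Object.fromEntries(
    NON_ESSENTIAL.map((c) => [c, choices[c] === true])
  );
  return { source: "banner", noticeVersion, choices: normalised, timestamp: ts() };
}
```

A change of notice version invalidates the stored record, which is what forces a fresh banner when the categories or wording you ask consent for have changed.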
5. Watch Your Messaging Channels
If your business uses WhatsApp Business API, in-app messaging, or other OTT channels to communicate with customers, start documenting the basis for those communications. The ePrivacy Regulation's extension to messaging apps will mean you need clear consent records for marketing communications on those platforms.
6. Prepare Your Privacy Documentation
The ePrivacy Regulation will require businesses to be more specific in their privacy notices about how tracking technologies are used, what they do, and the basis for using them. Your privacy policy and cookie policy should already detail this — if they were generated from a template and haven't been updated since, they probably don't.
How Custodia Is Built for ePrivacy Readiness
Custodia's approach to consent management is designed to be regulation-ready — not just compliant with today's rules, but built on the architecture the ePrivacy Regulation is moving toward.
Scan-first consent management. Custodia starts by scanning your website to discover exactly what cookies and trackers are present. A consent banner that doesn't reflect your actual tracking stack can't collect valid consent for what your site does. Custodia generates a consent configuration based on what your site actually loads.
Consent signals. Custodia's consent management integrates with Google Consent Mode v2 and is built to support technical consent signals. As browser-level consent signal standards emerge and are codified in the ePrivacy Regulation, Custodia is positioned to support them.
Proof of consent. The ePrivacy Regulation will require businesses to demonstrate that consent was properly collected. Custodia records consent with timestamps, versions of the consent notice shown, and the specific choices made — building the audit trail regulators will expect.
Living documentation. Your privacy policy and cookie policy generated by Custodia are based on what your site actually does, not a static template. As regulations evolve, keeping that documentation accurate becomes more important — not less.
The Bottom Line
The ePrivacy Regulation has been delayed so many times that it is tempting to treat it as a permanent "coming soon." That would be a mistake.
The trajectory is clear: EU privacy law is moving toward stricter consent requirements, technical consent signals, and genuine accountability for how websites track users and use electronic channels for marketing. The regulatory enforcement of existing law is already moving in that direction — the ePrivacy Regulation will simply make it explicit and binding across all member states.
Businesses that use this preparation window to build proper consent management, clean up their tracking stacks, and document their marketing consent will face the Regulation's arrival as a minor operational update rather than a compliance emergency.
Start with understanding what your website actually does. The rest follows from there.
This post provides general information about the proposed ePrivacy Regulation. It does not constitute legal advice. The Regulation's final text may differ from draft provisions discussed here. Consult a qualified privacy law professional for advice specific to your situation.