Effective 1 June, we have a new address: 34 Imperial Square, Cheltenham, Gloucestershire GL50 1QZ
Get in Touch Menu

What businesses need to know about the proposed E-Privacy Regulation

04 August 2017

There has been a lot of talk recently about the General Data Protection Regulation (GDPR), but not so much about the new proposed E-Privacy Regulation (EPR), the breach of which will carry the same significant fines as that of the GDPR.

The EPR is intended to replace the existing E-Privacy Directive, which deals with the protection of personal data in electronic communications, for example when using cookies, sending unsolicited marketing emails, and online monitoring. It is intended to bring this area of law up-to-date with the e-privacy laws contained in the GDPR.

The European Commission is planning for the EPR to be implemented on 25 May 2018 (alongside the GDPR). As we will still be a part of Europe then, it will apply directly to the UK. The regulation is in draft form, so it may change before being implemented. It may also be delayed, however if the implementation date is after Brexit, the UK will no doubt adopt very similar laws.

The new EPR will carry the same maximum fines as under the GDPR, which can be up to 4% of annual worldwide turnover of the preceding financial year or 20 million euros (whichever is greater). Businesses that use such electronic communications should therefore be aware of the new proposed regulations and start preparing for them now.

So what are the key changes in the draft E-Privacy Regulation?

  • The regulation will have a wider scope than the existing directive and includes all types of electronic communications service providers such as Skype and WhatsApp.
  • All electronic communications must be confidential, and user consent is required for the listening, intercepting, scanning and storing of electronic communications.
  • Content and metadata will need to be anonymised or deleted if users have not given consent, unless they are required for certain purposes such as billing.
  • Users must give their consent before any unsolicited commercial communications can be sent to them. However, the current ‘soft opt-in’ rule for electronic mail is maintained.
  • The regulation requires providers of browsers and similar software to offer built-in settings which mean that the use of cookie banners may no longer be needed. Cookies that enhance the website user’s experience and ensure that it functions properly will not require consent.

Our corporate & commercial department has wide experience of mergers & acquisitions, business start-ups, reconstructions, joint ventures, corporate finance and corporate governance. They are praised for reacting “admirably quickly” and “give very relevant advice” by leading national legal guides. To speak to any of them please contact anyone in the team.

We're here to help
Related services
Share this article
Resources to help

Related articles

Top tips for improving wellbeing in the workplace


A recent CIPD Health and Wellbeing at work survey has reported that most organisations are taking additional measures to support employee health and wellbeing, in response to COVID-19. Three quarters…

Jenny Hawrot LLB (Hons)

SCCs: New rules governing cross-border data transfers and data exchanges from the EU and EEA

GDPR & data protection

This September brings change to the use of standard contractual clauses (SCCs) governing data transfers from the EU and EEA. In June this year, the European Commission published two sets…

Kym Fletcher LLB (Hons) Euro
Consultant, solicitor

Catch up on our free legal webinars


Our legal experts have been busy sharing valuable expertise in their first series of free webinars for employers, and businesses across the county who missed the live events can now…

Contact us