More data protection rules are coming

While organisations are still grappling with GDPR, another new law is on its way with additional data protection obligations. Sarah Thompson reports

EA first draft of the new ePrivacy Regulation (ePR) was published in January 2017 with the ambitious intention for it to be implemented alongside the GDPR but, at present, it is still working its way through the European parliamentary process. 

The purpose of the ePR is to update existing EU legislation governing electronic communications and privacy (the ePrivacy Directive also known as the ‘Cookies Law’) which dates back to 2002 (as amended in 2009) and was implemented into English law through the Privacy and Electronic Communications Regulations. It will update the current rules to reflect technological innovations while aligning and supplementing the GDPR. While the GDPR governs the processing of personal data, the ePR more broadly covers the processing of electronic communications data, which may contain non-personal data and data related to a legal entity. Key points to note include:


The ePR will apply not only to traditional providers of electronic communications services (such as telephone calls, email and text messages) but also ‘over the top’ communication service providers (such as WhatsApp) and ‘voice over internet protocol’ providers (such as Skype). It will also apply to any entity processing electronic communications data (which includes sending marketing communications by phone, email or text, using cookies or similar technologies on websites and mobile apps and communications though the Internet of Things). Like the GDPR, it will apply regardless of whether the processing takes place in the EU. 

Direct marketing 

The rules on direct marketing remain essentially the same. Direct marketing is any form of advertising sent to one or more individuals including telephone calls, email and SMS messages. The ePR requires marketers to: 

  • obtain the recipients’ consent prior to sending the communication
  • notify the recipients of the marketing nature of the communication and the identity of the marketer
  • provide information about how the recipients can withdraw their consent at any time.

The current law enables companies to market their existing customers on the basis of a ‘soft’ opt-in consent, so long as they are given the right to object. It is proposed that the soft opt-in consent will remain but will be more limited because it will only apply in the context of the sale of a product or services (currently the soft opt-in can be used in the context of ‘negotiations for sale’).


The current consent rule for cookies will remain the same: prior consent is required unless there is a strict necessity for electronic communication with the user. The ePR aims to simplify the current rules on cookies and make obtaining consent for the use of cookies more user-friendly. The current draft requires users to be provided with cookie consent choices as part of their browser software set-up. If this position is adopted in the final text it will move the requirement for consent away from websites and could see the end of the cookie banner. Like the current law, the draft ePR includes exemptions where consent will not be required – for cookies that do not invade privacy, e.g. for the purposes of analytics, for improving internet experience or for counting website visitor numbers. 

Fines for non-compliance

Like the GDPR, the ePR gives individuals broader rights, allows representative bodies to bring claims on behalf of individuals and there will be a two-tier regime of fines set at a maximum of €20m or 4 per cent of annual global turnover – whichever is greater.

Next steps 

The ePR will enter the trilogue negotiation stage between the European Council, European Parliament and European Commission. A final text is anticipated later this year or in 2019. In the UK, the Information Commissioner’s Office will be responsible for enforcing the ePR and will publish further guidance following agreement on the final text. 

Sarah Thompson is an employment lawyer at McGuireWoods