{"id":445,"date":"2024-02-15T00:00:00","date_gmt":"2024-02-14T23:00:00","guid":{"rendered":"https:\/\/stage.usercentrics.com\/knowledge-hub\/eprivacy-everything-you-need-to-know-about-it\/"},"modified":"2025-04-04T10:57:14","modified_gmt":"2025-04-04T08:57:14","slug":"eprivacy-everything-you-need-to-know-about-it","status":"publish","type":"knowledge","link":"https:\/\/usercentrics-pipeline.psapp.dev\/us\/knowledge-hub\/eprivacy-everything-you-need-to-know-about-it\/","title":{"rendered":"The ePrivacy Directive, ePrivacy Regulation and GDPR: what do they mean for your business?"},"content":{"rendered":"

The European Union (EU) has some of the world\u2019s most stringent data privacy laws, the General Data Protection Regulation (GDPR)<\/a> and ePrivacy Directive, which are already in effect. But the proposed ePrivacy Regulation is set to bring some changes to data protection and cookie consent, and it will broaden the scope of organizations that will be impacted.<\/p>\n

Let\u2019s take a look at ePrivacy requirements and what the changes mean for data protection.<\/p>\n\n\n

1. What is ePrivacy?<\/h2>\n\n\n

ePrivacy encompasses both the ePrivacy Directive<\/a> (Directive 2002\/58\/EC) and the proposed ePrivacy Regulation<\/a>, which aim to ensure privacy and protection in electronic communications within the EU. It is designed to complement the GDPR.<\/p>\n\n\n

2. What is the ePrivacy Directive?<\/h2>\n\n\n

The EU ePrivacy Directive (known as the “cookie law”) was enacted in 2002 and updated in 2009. It specifically addresses privacy issues in electronic communication. It mandates the confidentiality of communication over public networks, requires user consent for cookies, sets guidelines for the security of electronic communication services, and regulates direct marketing practices. Cookie consent banners became more prominent after the ePrivacy Directive\u2019s enactment, as they are a practical way to collect explicit consent from users.<\/p>\n

This directive requires incorporation into national laws of EU member states, leading to variations in enforcement across the Union.<\/p>\n

In November 2023, the European Data Protection Board (EDPB) issued new guidelines that widened the scope of technologies covered under the directive.<\/p>\n\n\n

3. What are the proposed changes to the ePrivacy Directive?<\/h2>\n\n\n\n

Article 5(3) of the ePrivacy Directive provides that before a company or website can store information on or get information from a user\u2019s device (like a computer or smartphone), they must obtain prior consent from the user.<\/p>\n\n\n\n

Under the Guidelines 2\/2023<\/a> on the Technical Scope of Article 5(3) of ePrivacy Directive, the EDPB expands the directive’s application for storing or accessing information on a user’s device. The EDPB adopts a wide reading of what constitutes terminal equipment and the nature of information, suggesting that many digital tracking methods will require prior opt-in consent unless they are necessary for delivering a requested service.<\/p>\n\n\n\n

The guidelines specifically address the use of several modern tracking technologies, which have become prevalent in digital marketing and online tracking.<\/p>\n\n\n\n

URL and pixel tracking<\/h4>\n\n\n\n

Tracking pixels are tiny images embedded in websites or emails, linking to a server. When an email containing a tracking pixel is opened or a webpage with a tracking pixel is visited, it allows the server to record the action and capture details such as the time the email was opened, the IP address of the recipient, and the type of device used. URL tracking links to websites help identify where visitors come from.<\/p>\n\n\n

\n
\n \n\n<\/svg>\n <\/div>\n
\n

Read about email marketing privacy policy<\/a> now.<\/p>\n <\/div>\n<\/div>\n\n\n\n\n\n

Local processing<\/h4>\n\n\n\n

Sometimes, websites use APIs to access information stored on a user\u2019s device, such as location data. If processed information is made available over the network, it is considered gaining access to stored information under these guidelines.<\/p>\n\n\n\n

Tracking based on IP only<\/h4>\n\n\n\n

Some technologies rely only on the collection of the IP address for the tracking of users. If the IP Address originates from the terminal equipment of the user, Article 5(3) of the ePrivacy Directive would apply.<\/p>\n\n\n\n

Internet of Things (IoT) reporting<\/h4>\n\n\n\n

Under the guidelines, you will require user consent for data collection and processing by devices connected directly or indirectly to the internet. This applies to smart devices like fridges or fitness trackers, whether they send data directly or through another device like a smartphone.<\/p>\n\n\n\n

Unique Identifier<\/h4>\n\n\n\n

Unique Identifiers are special codes that are attached to a user\u2019s online data to signify that it belongs to the user. It often comes from persistent personal data, or personal information that doesn’t change much over time, such as email addresses, usernames or account IDs, or date of birth. They’re used to recognize users across different websites or apps. When a website tells a user\u2019s browser to send this data, it’s accessing information on the device and invokes Article 5(3).<\/p>\n\n\n\n