The GDPR and ePrivacy Directive (also known as Cookie Law) are the most critical EU laws in the field of personal data privacy and protection. And, even though these are EU laws, they could impact companies across the globe.
Effective since 2002, the ePrivacy Directive has put guidelines and expectations in place for electronic privacy, including email marketing and cookie usage. It complements the GDPR, and it still applies today.
On the other hand, the GDPR (General Data Protection Regulation) came into force in 2018, and it specifies how personal data should be lawfully processed (including how it’s collected, used, protected or interacted with in general).
First, let’s see what the difference is between directives and regulations:
With that said, the ePrivacy Directive is going to be repealed by the ePrivacy Regulation. The ePrivacy Regulation is expected to be finalized in the near future and will work alongside the GDPR to regulate the requirements for the use of cookies, electronic communications, and related data/privacy protection.
The Regulation is expected to maintain values similar to the Directive, with many of the same guidelines applying.
Both the ePrivacy Directive and the GDPR apply to the protection of personal data of individuals within the EU: if you do business in the EU (regardless of whether or not you are based in the EU), then these laws affect you.
While the GDPR only applies to the processing of personal data, ePrivacy regulates electronic communication even if it concerns non-personal data. Also, in the case of cookies, ePrivacy generally takes precedence.
The ePrivacy Directive/Cookie Law requires users’ informed consent before storing cookies on a user’s device and/or tracking them.
This means that if your site/app (or any third-party service used by your site/app) uses cookies, you’ll need to show a cookie banner at the user’s first visit, implement a cookie policy and allow the user to provide consent. Prior to consent, no cookies — except for exempt cookies — can be installed.