Briefing: Are you ready for ePrivacy changes?

Image Credit: 
20 March, 2019


By now you’ve hopefully got to grips with GDPR and your newly compliant organisation is reaping the benefits of having more focused and reliable customer data. However this is no time to rest on our laurels; GDPR’s sister legislation, the ePrivacy directive is set to introduce a number of similarly wide-ranging requirements. These are expected to further impact the way organisations interact with people and use their personal data.

Updates to the European ePrivacy directive are expected to be adopted in May 2019 and will apply 24 months after. However, it has been delayed multiple times and uncertainty over Brexit means that it is not clear when or if it will apply in the UK.

Nevertheless, these changes will impact a number of different electronic communications and so it is important that VCSE organisations are prepared, should it be implemented.

Better known as the ‘cookie law’, the ePrivacy directive was implemented in the UK as the Privacy and Electronic Communications Regulations (PECR). For many people, its most noticeable impact was that company websites were required to have pop ups that make users aware that it uses cookies.

The EU is updating the rules to ensure that they harmonise across its member states in order to ensure that it has a ‘digital single market’.

Below is our summary of the sections most relevant to the voluntary sector. If you have any further questions then get in touch; our policy team will look into it.


Changes to cookies will have an instantly noticeable impact. Internet browsers will now feature software that will track cookies, allowing the user to give consent through their browser options. This will render cookie banners obsolete. The most important change is that it allows users to give consent to individual types of cookie, rather than simply giving blanket consent. Consent will not be required for cookies that cover analytics or user experience.

Soft opt-in

Currently, organisations can contact customers by email and SMS to market products similar to those which they have already purchased. This is known as ‘soft opt-in’ and customers have the right to opt out at any time. The new ePrivacy regulation will put a 12-month limit on such communications from the time of purchase.

Business-to-business (B2B) marketing

Regulations for B2B marketing are set to be brought into line with those for B2C and prior consent will now be required. The Direct Marketing Association has raised concerns that this would put SMEs at a disadvantage, as many do not have large amounts of customer data and rely on prospective communications in order to get business.


Consent will be required for all electronic communications, including marketing phone calls. However, member nations could be given the option to opt-out at a national level.

Callers will also be expected to use a special prefix in their number to indicate that it is a sales call and people must be given the option to block such prefixes.

Legal consent

The last and probably most notable point is that the only legal ground for processing personal data under the new regulation will be ‘consent’. This term is broad and vague and could prove to be restrictive, making it difficult for organisations to directly contact their customers in any way. In comparison, GDPR stipulated six different legal grounds for processing personal data.

Rate this content: 
No votes yet