Difference between GDPR and ePrivacy regulation


The EU has always undertaken to create wide legal coverage for member country citizens and also to amalgamate the laws in which they operate under whenever commonage is found. In the online world, there have been many aspects that have expanded over time and with that the need to expand the laws which encompass them have been created. Broadly speaking, data privacy in the EU is covered under the General Data Protection Regulation and the ePrivacy Regulation. Understanding the differences between the GDPR and the ePrivacy regulation is important to businesses and consumers alike. The following is an explanation of what each regulation covers and an identification of the main differences between them. The aim of the regulation is to align the online standard of privacy with the level that is covered under the GDPR. The same authority is responsible for the GDPR as is responsible for the ePrivacy regulations.


ePrivacy Regulations

The European Union ePrivacy regulation has been published to broaden the scope of the current ePrivacy Directive and align the various online privacy rules that exist across EU member states. The regulation takes on board all definitions of privacy and data that were introduced within the General Data Protection Regulations, and acts to clarify and enhance it. In particular, the areas of unsolicited marketing, Cookies and Confidentiality are covered in a more specific context.


Unsolicited Marketing

The regulations now include any type of communications, including emails and text messages, to be consented to before being used. Marketers will not be able to send emails or text without prior permission from each email or mobile account holder.


Cookies will now be tracked within software and the user’s browser within settings that each user can change to their needs. This will do away with the litany of banner pop ups that request consent for use of cookies on individual websites. This changes previous regulations which made each website request the ability to use cookies from each user.


Since the ePrivacy regulations are an add on to the existing ePrivacy directive, one aim was to broaden the scope to include online communications providers under the same requirements as traditional telecommunications providers. In this regard, companies including Gmail, Skype, Facebook Messenger and WhatsApp are now required to provide the same level of customer data safety as bricks and mortar providers. Providers of any electronic communication service are required to secure all communications through the best available techniques. This creates a need for websites to stay technologically in sync with the best safety features available on the market.

The new provisions create the necessity for metadata to be treated the same as the actual content of the communication that it is facilitating being sent. It prohibits the interception of any such communication except where authorized by an EU member state specifically under law (such as within a criminal investigation).



The General Data Protection Regulation (GDPR) was created to align the data privacy laws across all EU countries. The GDPR came into effect in replaces the Data Protection Directive 95/46/EC. A major update within the GDPR is that the processing of any EU citizens’ information is now protected, regardless of whether the information processing is done within the EU or not, and regardless of where the retailer originates from. Any retailer around the globe that sells to an EU citizen is bound by law to protect their private data.

The idea of traffic data has been expanded in the GDPR to include all metadata that derives as a result of the communications. The GDPR also strengthens the area of consent to how a user’s personal information can be used or whether it can be shared. It also makes it easy for users to access their personal data and a requirement for all businesses and websites that take any information from any user to maintain the information and make it available to the user if requested.

An important ‘right to be forgotten’ is regulated for under the GDPR and a right to data portability.


Main Differences

Each regulation was drawn up to reflect a different segment of EU law. The GDPR was created to enshrine Article 8 of the European Charter of Human Rights in terms of protecting personal data, while the ePrivacy regulation was created to enshrine Article 7 of the charter in respect to a person’s private life. The private sphere of the end user is covered under the ePrivacy regulations, making it a requirement for a user’s privacy to be protected at every stage of every online interaction.

It is important to remember that the ePrivacy regulation was created to complement and particularize the GDPR, so the rules of the GDPR are always relevant and an overall part of the legislative aspects of the ePrivacy.

The ePrivacy directive takes the broad online retail sector into account in terms of how personal information might be used and in this sense is what it adds to the overall regulations that make up the GDRP.



The ePrivacy regulations are on track to replace the GDPR in terms of applicability. While each regulation revolves around data and privacy, the main aim of both was integration of all laws, which makes the GDPR nearly redundant in light of the all-encompassing coverage that the ePrivacy regulations now bring. There is scope for the EU to amalgamate both regulations in one set which covers both Article 7 and 8 of the charter.

By defining each particular situation that a user could enter into, both laws work together to ensure that internet users have control over their data and that there is an onus on all websites to maintain all user data in a way that guarantees safety of the information. The definition of information is extended within the acts to include the metadata that derives from it and creates an ownership over an IP address and all other online identifiers that help to strengthen rights of internet users across the EU.

Privacy and Trust News


The Rise of Smart Gadgets in the UK

Securing the Internet of Things: The UK's Pioneering Legislation In an era where the proliferation of smart devices continuously reshapes our daily lives, the UK government has taken a significant step to bolster cybersecurity with a groundbreaking new law. As the...

Read More

Helping your business exceed the compliance standard.

Our team of experienced privacy attorneys & certified privacy professionals have a proven track record of delivering privacy frameworks and data privacy solutions, tailored to your business needs.