How can we help?


ePrivacy Regulation – The latest!

Amidst the hype of the GDPR in 2018, one other area of data protection reform progressed relatively under the radar – the ePrivacy Regulation.  Surprising given the potential impact this could have on an organisations’ marketing practices.

Currently, in the UK, the Privacy and Electronic Communications Regulations 2003 (“PECR”) is in force, which sets out further data protection obligations, specifically aimed at electronic communications.  It regulates areas such as electronic marketing and the use of internet cookies.

This is set to be replaced with the ePrivacy Regulation, a piece of EU legislation designed to run alongside the GDPR and harmonise practices across member states.

The ePrivacy Regulation was due to come into force at the same time as the GDPR.  However, it is a complex area of law prompting much debate and, as such, the wording for the Regulation has still not been approved.  A revised draft has been put forward recently, but it seems highly unlikely that anything will be agreed until 2020 now.

Why should I care? 

The exact impact of the ePrivacy Regulation cannot be predicted at this stage as the legislation has undergone many changes and wording has still not been agreed.  However, we know that it could well have significant implications for organisations around areas like B2B marketing and internet cookies and so it’s important for organisations to be alert to potential changes.

The end of B2B Marketing as we know it?

The PECR places restrictions on an organisations ability to send marketing communications electronically without the recipient’s consent.  However, there are two generally recognised exemptions to this:

  • Where the recipient is an existing customer and the email relates to similar services (known as the ‘soft opt in’) and
  • Where communications are being sent to a business, other than a business operated by sole traders and/or partnerships, even if a personal work email is used such as and not a generic one like

In both cases, an opt out must be clearly in place from the very first communication.

Changes being proposed in the ePrivacy Regulation include placing a time-limit on soft opt ins and potentially removing the B2B exemption altogether.

Many organisations in 2018 decided to continue with their marketing practices for B2B contacts in light of the exemption (and relying on ‘legitimate interests’ to avoid falling foul of the GDPR) but, such organisations may need to revisit their approach if this latter change makes it through to the final text for the ePrivacy Regulation!

One thing’s for sure, if these changes come in, our work inboxes will start to see the raft of consent emails that our personal ones saw in 2018 – collective sigh!


The introduction of the ePrivacy regulation could see stricter confidentiality requirements around monitoring of electronical communications.

The e-privacy directive prohibits monitoring of electronic communications and metadata. However, the prohibition currently in place does not sufficiently cover electronic communications services that are made over the internet and/or devices that use the internet to communicate.

Changes may include the requirement that any monitoring of electronic communication of any kind will be prohibited. This includes sms, WhatsApp, email and instant messaging applications. There are proposed exemptions to this, for example where monitoring is needed to prevent security risk and attacks “in the transmission of electronic communications”.

Tighter controls on public directories

Currently you need to inform individuals that you are going to include them in the directory, you also need to give them the chance to opt out before including them and you need to gain their explicit consent if you were to include them for reverse searches.  The consent to include an individual in a public directory is quite soft.

Changes include ensuring that communication services (such as BT (which includes EE), Talk Talk, Vodafone, Virgin Media and Telefonica) are under a duty to implement measures to limit unwanted, malicious or nuisance calls. Public directories (such as Yellow Pages, Thomson Local, Yelp and Yalwa) must obtain explicit consent from the end user before they publish any personal data in the directory.

The ePrivacy Regulation was due to come into force at the same time as the GDPR.

Doesn’t Brexit mean the ePrivacy Regulation won’t apply to the UK?

To some extent, this depends on whether the UK leave with, or without, a deal.

If the UK leaves without a deal then the UK will not be bound by the new Regulation.  If the EU leaves with a deal then it’s likely that EU law will continue to apply for any transition period and could become law in the UK.

However, regardless, the UK may well want to adopt the new requirements in any event to assist with it being given an adequacy decision by the EU (making data transfer from and to the UK easier).  Also, businesses that deal with EU based counties will likely need to comply as EU countries may well request this and have more complex sharing arrangements as a result.

When will this come into force?

It is unlikely that the draft legislation will be agreed until 2020 and, then, it seems likely that it would have a transition period, like there was with the GDPR, before it comes into force.

As the draft text may change substantially there seems little point in businesses adapting their processes yet but it is good to be aware of the legislation and to start considering how this may impact any current or future projects.

Click here to contact Clarkslegal’s Data Protection team.


About this article

This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

About this article

Read, listen and watch our latest insights

  • 16 May 2024
  • Immigration

What Employers need to know about Biometric Residence Permits

Biometric Residence Permits (BRPs) are biometric immigration documents that are issued to non-EEA nationals and EEA nationals, who have been granted permission to stay in the UK.

  • 14 May 2024

Clarkslegal’s London team moves to new Chancery Lane office

The London office of Clarkslegal has relocated to Chancery House, on Chancery Lane. The staff is enthusiastic about the relocation because Chancery Lane has a longstanding association with the legal profession in London.

  • 10 May 2024
  • Employment

New duty on employers to prevent sexual harassment – coming October 2024

The Worker Protection (Amendment of Equality Act 2010) Act 2023 is due to come into force in October 2024.

  • 09 May 2024
  • Employment

Labour Party Employment Law Proposals – Promises of further consultations and a softer approach

The Prime Minister recently announced a raft of changes, to be implemented in the next parliament, aimed at reducing the number of people who are economically inactive due to illness.

  • 09 May 2024
  • Corporate and M&A

Navigating corporate transparency: ECCTA reforms series – part 1

The Economic Crime and Corporate Transparency Act 2023 (ECCTA) received Royal Assent in October 2023 and marked a pivotal moment in corporate governance and transparency.

  • 07 May 2024
  • Employment

Changes to TUPE rules from 1 July 2024

The Transfer of Undertakings (Protection of Employment) Regulations 2006 (‘TUPE’) aim to safeguard employees’ rights on the transfer of a business or on the change of a service.