ePrivacy Regulation 2025: What Changed and What You Need to Know
The EU's ePrivacy Regulation has been evolving. Here's what's changed, how it interacts with GDPR, and what it means for your website's cookie practices.
What Is the ePrivacy Regulation?
The ePrivacy Regulation (ePR) is the EU legislation specifically governing electronic communications — including cookies, email marketing, and online tracking. It works alongside GDPR and is sometimes called the "Cookie Law."
The current legal basis is the ePrivacy Directive (also known as the Cookie Directive), which was adopted in 2002 and significantly updated in 2009. The EU has been working on a new ePrivacy Regulation to replace it, but the process has been unusually prolonged.
The Current Legal Framework
Despite the delays in passing the new Regulation, cookie compliance today is governed by:
- ePrivacy Directive (2002/58/EC) — requires informed consent before storing or accessing cookies
- GDPR (2016/679) — defines what constitutes valid consent and data subject rights
- EDPB Guidelines — the European Data Protection Board's interpretations and guidance, which are increasingly strict
The two work together: the ePrivacy Directive creates the obligation to get consent for cookies; GDPR defines the quality of that consent.
Key Developments in 2024–2025
EDPB Guidelines on Cookie Banners (2024)
The EDPB published updated guidance on cookie consent practices, with particular focus on:
1. Reject Button Prominence
The "Reject All" button must be as easy to access as "Accept All." This is now enforced strictly — authorities have fined companies for making the reject path longer or visually less prominent.
2. Cookie Walls
The EDPB reaffirmed that blocking access to content unless users accept cookies is generally not valid consent. An alternative like a paid subscription that doesn't require tracking cookies can be offered, but the free, ad-supported version cannot be the only option.
3. Consent Renewal
Consent does not last forever. Best practice is to re-request consent after 12 months. If the purposes for which consent was given change materially, consent must be re-requested immediately.
4. Fingerprinting and Tracking Without Cookies
The ePrivacy Directive covers any access to or storage on a user's device — not just cookies. Browser fingerprinting, local storage identifiers, and supercookies all require consent under the same rules.
National Enforcement Updates
Germany (TTDSG): Germany implemented its own national law (TTDSG) that incorporates ePrivacy requirements with additional clarity on browser-based consent signals. If your site uses browser consent signals (like Chrome's Privacy Sandbox or browser-level opt-outs), document how you honor them.
France (CNIL): The French DPA has been particularly active, issuing fines for cookie violations and publishing detailed guidelines on valid consent mechanisms. CNIL's guidelines are among the most specific in Europe.
Netherlands (AP): The Dutch DPA has focused on cookie walls and dark patterns, publishing enforcement decisions that set precedent across the EU.
What This Means for Your Website
Check These Immediately
- Banner design: Is your "Reject" option as prominent as "Accept"? Same size, same visual weight, same number of clicks?
- Pre-consent loading: Open your site in incognito. Before clicking anything, check what cookies are set.
- Consent records: Are you storing who consented, when, and to what? You may need to demonstrate this to regulators.
- Consent renewal: When did your users last see the consent banner? Consider refreshing consent annually.
Looking Ahead
The ePrivacy Regulation, when it eventually passes, is expected to:
- Create a harmonized EU-wide rule (replacing 27 different national implementations)
- Address browser-level consent signals
- Potentially create stricter rules for B2B communications
Until it passes, the current framework continues to apply. The practical advice remains the same: implement genuine consent, make rejection as easy as acceptance, and regularly audit what your site actually does.
Use GDPR Fix to scan your site and verify your cookie consent implementation matches what your banner promises.
Check your website now
Find out if your site has the issues described in this article. Free scan, results in minutes.
Scan Your Site — Free