Scroll to top of page

GDPR and ePrivacy: spot the difference

There’s been a lot of talk about the terms of the GDPR (General Data Protection Regulation) and ePrivacy Regulation, but – contrary to what many seem to believe – the two may not be referenced interchangeably. To avoid any confusion, fifty-five explains the difference between these two regulations and their scopes of application.


You might have noticed that the protection of European citizens’ data is having a moment.

The past 20 years have seen big developments in regulation, and several directives have already established a solid framework for personal data protection across the European Union. This series of European legislation includes the 1995 Data Protection Directive, the 2002 Privacy and Electronic Communications Directive, the 2009 Telecoms Package, or even the 2016 Privacy Shield Framework. Together, these texts have defined clear guidelines for member States, who must then integrate the principles into their local laws. Next, an independent regulatory office from each country (commonly called the Article 29 Working Party) must ensure these laws are being followed. As a result, there are many adaptations to be made and fragmentation is common among countries (for example, cookiecookieA cookie is a text file that is stored in the memory of the web browser by the server when a user visits a website (it can also be stored by a third-party server that is allowed to do so - ad network, web analytics service...). Cookies make it possible to gather and store data about users’ browsing behaviour, which can later be reused during these users’ subsequent visits (user log ins, for instance).Learn mores policies differ between countries).

Now, two new regulations (GDPRGDPRThe GDPR (General Data Protection Regulation) is the latest European regulation on personal data protection, which was enacted in 2016.Learn more and ePrivacy) hope to harmonize the framework regarding users’ personal data and privacy in the European Union. Though current directives stopped at imposing a results obligation to member States, leaving them free to choose how to obtain these results, the new regulations apply directly to all States, without specifying how regulations should be transposed.

Protecting personal data of all European residents with the GDPR

The General Data Protection Regulation will be enforced from May 25th and will replace the 1995 Directive. It will be the reference when it comes to protecting personal data in the European Union.

The GDPR’s two principles are to:

  • Make organisations (companies, associations, governments, etc.) more accountable when it comes to processing personal data, and,
  • Give European residents more rights in the processing of their data.

The regulation is extraterritorial, meaning that it applies to any company that processes the data of EU residents – regardless of where the company is based. Any company that is present on the European market – even giants like Google, Apple, Facebook, or Amazon– will be affected by the regulation.

To know more, read our article about the 6 commandments of GDPR!

Simplifying cookie policies in the European Union with the ePrivacy Regulation

The EU’s ePrivacy Regulation seeks to regulate electronic communications, and particularly to protect privacy in these communications. It is still being considered by the Parliament and the European Council.

Initially planned for this year, but likely pushed back to 2019, the vote on this regulation will replace the current Telecoms Package from 2009 and its Directives 58-2002, which aim to protect private life on the internet (prohibiting spam, obtaining consent to gather cookies, etc.).

The ePrivacy Regulation will impact the following services:

  • Internet providers (browsers, telecom operators)
  • IoT (Internet of Things) players
  • OTT media services, messagingmessagingMessaging is the use of instant messaging services, such as Facebook’s Messenger or WeChat, for marketing purposes Interactions with customers are handled by a human, a chatbot, or a combination of both.Learn more services (WhatsApp, Skype, Facebook Messenger, etc.)
  • Ancillary Internet services (Wi-Fi routers)

Like the GDPR, ePrivacy will be extraterritorial and could impact all service providers used by individuals residing in the European Union.

Main challenges for the Regulation are the following:

  • Whereas until now, an opt-outopt-outOpt-inOpt-inOpt-in and opt-out refer to the way in which a user's consent is collected regarding the use of his own data (for instance when signing up for a game or a newsletter).Learn more and opt-out refer to the way a user's consent is collected, regarding the use of his data (for instance when signing up for a game or a newsletter).
    Learn more
    system was allowed in certain countries (meaning that website editors could install cookies in browsers by default), the ePrivacy Regulation will impose an opt-in principle. This means that users will have to explicitly agree to the use of cookies as they browse the Web.
  • Consent will have to be obtained at the browser level (and no longer at the website level, as is the case today) when it is installed or updated.

This second point has led to multiple debates, because some see it as furthering the imbalance between American titans (GAFAGAFAThe acronym GAFA refers to the four most powerful tech companies, namely Google, Apple, Facebook and Amazon, to which Microsoft is generally added.Learn more, etc.) and European tech companies, particularly in the ad tech sector (Criteo, etc.). Google or Facebook can take advantage of their logged-in ecosystems (Chrome, Gmail, Facebook, YouTube, WhatsApp...) and thus get around using cookies for their ad services, unlike most of their competitors.

The main difference between the two regulations lies in their scopes of application. Though both texts have wide implications, the GDPR regulates the processing of personal data (collected on- or offline), while ePrivacy regulates information exchange (or metadata) sent via electronic service providers: browsers, SMS, e-mails, but other OTTs such as Skype, WhatsApp, and Facebook Messenger.

To sum up: when you hear GDPR think personal data, and when you hear ePrivacy think cookies (and other electronic trackers). :)

Translated from French by Niamh Cloughley.

Want to learn more? Get in touch!


close legal

À propos

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Donec a venenatis dolor, non ornare ligula. Nam ultricies elementum tellus, sed pulvinar libero egestas nec. Fusce facilisis nulla vestibulum, commodo neque eget, dapibus lacus. Aliquam neque felis, sagittis nec consequat sed, commodo ac ipsum. Sed neque tortor, semper quis viverra et, malesuada et eros. Donec at dui ut ligula pharetra aliquet. Etiam dapibus semper orci. Integer efficitur dolor tortor, nec mattis elit placerat vel. Ut nulla enim, lacinia in pharetra id, convallis vitae massa. Donec neque est, tincidunt non ullamcorper commodo, tincidunt non turpis. Pellentesque viverra enim a sapien placerat, ut volutpat mauris condimentum. Proin tincidunt sollicitudin dui, sit amet condimentum ante commodo a. Aenean posuere aliquam purus, sed aliquam magna sagittis finibus. Morbi molestie feugiat feugiat. Phasellus tempus in dolor vel maximus. Cras efficitur sagittis lorem porta iaculis. Maecenas sed hendrerit urna. In mattis posuere purus, sit amet placerat arcu posuere quis. Etiam nec arcu nec magna interdum maximus. Integer sit amet lacus neque. Curabitur interdum molestie magna, in scelerisque tellus iaculis sed. Sed nec metus ut purus efficitur laoreet a quis eros. Proin dui dui, dignissim eget risus sit amet, bibendum condimentum velit. Maecenas in justo eu elit eleifend consectetur. Aenean scelerisque fringilla sollicitudin. Nam sem nibh, pharetra nec lacus non, mollis interdum odio. Aliquam sollicitudin posuere nibh sed eleifend.


55 SAS, 5 — 7 rue d'Athènes

75009 Paris

+33 1 76 21 91 37



2, rue Kellermann

59100 Roubaix

+33 8 20 69 87 65


Lan Anh Vu Hong

Crédits photo

Mats Carduner, Adobe Stock & Unsplash

Vous avez aimé nos nouvelles fraîches sur l'état du marché brandtech ? Inscrivez vous à notre newsletter